Date: Mon, 28 Mar 2011 09:24:10 -0500
From: Paul Hartman
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
List-Id: Gentoo Linux mail

On Sun, Mar 27, 2011 at 4:09 PM, walt wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the source
> of those messages. I ran chkrootkit manually and found the same messages in
> the output.
>
> I then nervously re-emerged findutils and net-tools, but chkrootkit again
> found the same binaries to be "INFECTED".
>
> Running chkrootkit on my ~x86 machine turns up no such infections even
> though the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different
> results?
>
> Or, can anyone reproduce my problem?

chkrootkit is old, has not been updated in years+, and those are false
alarms. I got the exact same ones.

Basically, chkrootkit is just grepping for a string inside those files:

/usr/bin/find: sharefile.h
/bin/netstat: sockaddr.h

You may find that if you strip those 2 binaries of debug data, the false
positives go away.
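The string-match check the reply describes, and the strip-based triage it suggests, as an added example that is not part of the thread or of chkrootkit itself: the two signature strings come from the reply, while the function names, verdict labels and the `qcheck` mention (portage-utils assumed installed) are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from chkrootkit: reproduce the kind
# of check chkrootkit performs (a plain substring match inside a binary) and
# triage a hit the way the reply suggests, by seeing whether the string survives
# `strip`. The signature strings are the two the reply names; the labels and
# helper names are this example's own.

# Exit 0 if the literal string $2 occurs anywhere in file $1, else 1.
sig_hit() {
    grep -q -a -F -- "$2" "$1"
}

# Print a verdict for file $1 and signature $2.
# A hit that disappears from a stripped copy lived in debug/symbol data
# (the false positive the thread describes); one that survives deserves a
# real look, e.g. comparing the file against the package manager's digests
# (on Gentoo, `qcheck <pkg>` from portage-utils; assumed installed).
classify() {
    file=$1; sig=$2
    sig_hit "$file" "$sig" || { echo "clean"; return 0; }
    command -v strip >/dev/null 2>&1 || { echo "hit (strip unavailable, unverified)"; return 0; }
    tmp=$(mktemp -d) || return 2
    cp "$file" "$tmp/copy"
    if ! strip "$tmp/copy" 2>/dev/null; then
        rm -rf "$tmp"; echo "hit (not an ELF object, unverified)"; return 0
    fi
    if sig_hit "$tmp/copy" "$sig"; then
        verdict="hit survives strip: inspect further"
    else
        verdict="hit in debug/symbol data only: false positive"
    fi
    rm -rf "$tmp"
    echo "$verdict"
}

# Walk the two binaries the thread names; skipped where they are not present.
for pair in /usr/bin/find:sharefile.h /bin/netstat:sockaddr.h; do
    f=${pair%%:*}; s=${pair#*:}
    [ -r "$f" ] || continue
    printf '%s (%s): %s\n' "$f" "$s" "$(classify "$f" "$s")"
done
```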