From: walt
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
Date: Sun, 27 Mar 2011 14:09:00 -0700
List-Id: Gentoo Linux mail
I just got an email from cron on my ~amd64 machine, containing these lines:

Checking 'find'... INFECTED
Checking 'netstat'... INFECTED

Took me a few minutes to deduce that sys-forensics/chkrootkit was the source of those messages. I ran chkrootkit manually and found the same messages in the output. I then nervously re-emerged findutils and net-tools, but chkrootkit again found the same binaries to be "INFECTED".

Running chkrootkit on my ~x86 machine turns up no such infections even though the same packages are installed on both machines.

Anyone have any insight into how chkrootkit works, or why the different results? Or, can anyone reproduce my problem?

Thanks.
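An added example, not part of walt's message and not chkrootkit's own code, showing the mechanism behind a "Checking 'find'... INFECTED" line: for binaries such as find and netstat, chkrootkit's shell script runs egrep over the installed executable with a fixed list of rootkit-associated patterns and reports INFECTED on any match, without looking at what the matching string is. The consequence worth knowing is that a freshly built, legitimate binary whose embedded strings happen to contain one of those patterns is reported exactly like a trojaned one, and two builds of the same package with different embedded strings can get different verdicts. Whether that is what happened on the ~amd64 box is not something the post settles. The signature lists and the sample "binaries" below are constructed for this demo and are not chkrootkit's real signatures.

```python
"""Toy string-signature scanner in the style of chkrootkit's binary checks.

Added example, not chkrootkit's own code. chkrootkit's shell script runs
egrep with a per-binary list of patterns over the installed executable and
prints INFECTED when any pattern matches. The patterns and the sample
"binaries" below are constructed for this demo and are not the real
signatures.
"""
import re

# Constructed per-binary signature lists (assumption: the shape is what a
# string-based scanner uses; the values are toy ones for the demo).
SIGNATURES = {
    "find": [rb"/dev/ttyof", rb"/dev/pty[pqrs]", rb"file\.h"],
    "netstat": [rb"/dev/hdn0", rb"iroffer", rb"addr\.h"],
}

# Runs of 4+ printable ASCII bytes, roughly what strings(1) reports.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(data):
    """Return the printable ASCII strings embedded in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def scan_binary(name, data):
    """Grep `data` for every signature registered for `name`.

    Returns {pattern: [embedded strings containing a match]}; an empty dict
    means the binary is clean as far as this signature list is concerned.
    The raw bytes decide the verdict (as egrep over the file would); the
    printable strings are only collected so a hit can be judged in context.
    """
    report = {}
    for pat in SIGNATURES.get(name, []):
        rx = re.compile(pat)
        if rx.search(data) is None:
            continue
        context = [s for s in printable_strings(data) if rx.search(s.encode("ascii"))]
        report[pat.decode("ascii")] = context
    return report


def verdict(name, data):
    """Result in the wording the cron mail quoted in the post uses."""
    return "INFECTED" if scan_binary(name, data) else "not infected"


# Constructed sample "binaries" (not real files from any system).
CLEAN_FIND = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"find (GNU findutils) 4.5.10\x00-name\x00-newer\x00-exec\x00"
)
# Same binary plus a build path left in the file that happens to contain the
# toy signature "file.h": a benign string, but the scanner cannot tell.
PATH_FIND = CLEAN_FIND + b"/var/tmp/portage/findutils/work/lib/savedir-file.h\x00"
# Same binary plus a string that would only appear in a trojaned find.
TROJAN_FIND = CLEAN_FIND + b"/dev/ttyof\x00"


if __name__ == "__main__":
    samples = [("clean", CLEAN_FIND), ("build path", PATH_FIND), ("trojan", TROJAN_FIND)]
    for label, blob in samples:
        print(f"[{label}] Checking 'find'... {verdict('find', blob)}")
        for pat, ctx in scan_binary("find", blob).items():
            print(f"    pattern {pat!r} matched in: {ctx}")
```

The two INFECTED results above are indistinguishable from the one-word verdict alone, which is why the next step on a real machine is to look at the matched string rather than the label: chkrootkit's expert mode (`chkrootkit -x`) prints the strings it matched instead of just the verdict, and `strings -a /usr/bin/find | grep -n '<pattern>'` shows the same thing in context. On Gentoo, `qcheck sys-apps/findutils` (app-portage/portage-utils) or `equery check sys-apps/findutils` (app-portage/gentoolkit) compares the installed files against the digests recorded at merge time, which is a file-integrity check independent of chkrootkit's string list.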