From: walt
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
Date: Mon, 28 Mar 2011 16:48:34 -0700
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0b13pre) Gecko/20110325 Thunderbird/3.3a3

On 03/28/2011 07:24 AM, Paul Hartman wrote:
> On Sun, Mar 27, 2011 at 4:09 PM, walt wrote:
>> I just got an email from cron on my ~amd64 machine, containing these lines:
>>
>> Checking 'find'... INFECTED
>> Checking 'netstat'... INFECTED
>>
>> Took me a few minutes to deduce that sys-forensics/chkrootkit was the source
>> of those messages. I ran chkrootkit manually and found the same messages in
>> the output.
>
> chkrootkit is old, has not been updated in years+, and those are false
> alarms. I got the exact same ones. Basically, chkrootkit is just
> grepping for a string inside those files:
>
> /usr/bin/find: sharefile.h
> /bin/netstat: sockaddr.h
>
> You may find that if you strip those 2 binaries of debug data, the
> false positives go away.

Exactly so. Thanks to you and Mick for the replies.
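The string-signature check Paul describes, and why stripping makes it go quiet, as an added example that is not chkrootkit's own code: instead of a bare grep over the whole file, it parses the ELF64 section headers and reports which section holds the matched string, so a hit that lives only in DWARF `.debug_str` is classified as a likely false positive. The ELF images are assembled inline from constructed sections; the strings sharefile.h and sockaddr.h are the ones quoted in the thread, and the section layout is an assumption for illustration.

```python
import struct

def elf64_sections(data: bytes):
    """Yield (name, offset, size) for each section of a little-endian ELF64 image."""
    if data[:5] != b"\x7fELF\x02":
        raise ValueError("not a 64-bit ELF image")
    shoff, = struct.unpack_from("<Q", data, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from("<IIQQQQIIQQ", data, shoff + i * shentsize) for i in range(shnum)]
    strtab = data[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]]
    for name_idx, _type, _flags, _addr, off, size, *_ in hdrs:
        yield strtab[name_idx:strtab.index(b"\0", name_idx)], off, size

def sections_containing(data: bytes, needle: bytes):
    """Names of the sections whose bytes contain `needle` (a chkrootkit-style string match)."""
    return [n for n, off, size in elf64_sections(data) if needle in data[off:off + size]]

def verdict(data: bytes, needle: bytes) -> str:
    """'clean', 'debug-info-only' (the false positive seen in the thread) or 'non-debug-section'."""
    hits = sections_containing(data, needle)
    if not hits:
        return "clean"
    return "debug-info-only" if all(h.startswith(b".debug_") for h in hits) else "non-debug-section"

def strip_debug(sections: dict) -> dict:
    """Drop .debug_* sections, which is what `strip` does to the debug data."""
    return {n: b for n, b in sections.items() if not n.startswith(b".debug_")}

def build_elf(sections: dict) -> bytes:
    """Assemble a minimal ELF64 image from {name: bytes}; a constructed sample, not a real binary."""
    shstrtab = b"\0" + b"".join(n + b"\0" for n in list(sections) + [b".shstrtab"])
    blob, shdrs, off, name_idx = b"", [bytes(64)], 64, 1   # index 0 is the mandatory null section
    for name, body in {**sections, b".shstrtab": shstrtab}.items():
        shdrs.append(struct.pack("<IIQQQQIIQQ", name_idx, 1, 0, 0, off, len(body), 0, 0, 1, 0))
        name_idx, off, blob = name_idx + len(name) + 1, off + len(body), blob + body
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(  # ELF64, little-endian, x86-64
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, 64 + len(blob), 0, 64, 0, 0, 64, len(shdrs), len(shdrs) - 1)
    return ehdr + blob + b"".join(shdrs)

# Constructed samples: an unstripped 'find' whose only copy of the string is in DWARF .debug_str,
# and a file where the 'netstat' string sits in .rodata instead.
FIND_UNSTRIPPED = {b".text": b"\x90" * 8, b".debug_str": b"share/sharefile.h\0"}
NETSTAT_SUSPECT = {b".text": b"\x90" * 8, b".rodata": b"sockaddr.h\0"}

if __name__ == "__main__":
    print("find (unstripped):", verdict(build_elf(FIND_UNSTRIPPED), b"sharefile.h"))
    print("find (stripped):  ", verdict(build_elf(strip_debug(FIND_UNSTRIPPED)), b"sharefile.h"))
    print("netstat (suspect):", verdict(build_elf(NETSTAT_SUSPECT), b"sockaddr.h"))
```

On a real system the same `verdict` can be run over `open("/usr/bin/find", "rb").read()`; a result of `debug-info-only` is the situation the thread describes, while `non-debug-section` deserves a look at the package's own checksums (for example `equery check`) before drawing conclusions.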