Thread: chkrootkit V. 0.47

chkrootkit V. 0.47
2007-11-20 08:41:52
Running FreeBSD 6.1

After changing chkrootkit to the latest version V. 0.47 and compiling it, then running it, I get the following:

==================<SNIPPIT>================
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  6667)
Checking `lkm'... You have   131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `rexedcs'... not found
Checking `sniffer'... vr0 is not promisc
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
==================</SNIPPIT>================

Looking above, the above shows a few anomalies like the
bindshell ... INFECTED (PORTS: 6667)
--and--
Checking `lkm'... You have   131 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed

I do run an IRCd, and also YABB Message board along with APACHE web server - would the above then be normal output, and what about the lkm? Many thanks to those with more experience in this area.

JP

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Re: chkrootkit V. 0.47
2007-11-20 11:01:20
On Tuesday 20 November 2007 16:41:52 JP wrote:
> Running FreeBSD 6.1
>
> After changing chkrootkit to the latest version V. 0.47 and compiling it
> then running it I get the following:
>
> ==================<SNIPPIT>================
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS:  6667)
> Checking `lkm'... You have   131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... vr0 is not promisc
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> ==================</SNIPPIT>================
>
> Looking above, the above shows a few anomalies like the bindshell ...
> INFECTED (PORTS: 6667)
> --and--
> Checking `lkm'... You have   131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed
>
> I do run an IRCd, and also YABB Message board along with APACHE web
> server - would the above then be normal output, and what about the lkm?
> Many thanks to those with more experience in this area.
>

Such tools are known to trigger false positives sometimes. I'd recommend playing with some additional utilities like lsof. In case of bindshell, try to find processes that were executed from world-writable directories such as /tmp. Try to shut down httpd and other daemons and see if any of them are still running.


-- 
======================================================================
- Best regards, Nikolay Pavlov.
<<<-----------------------------------
======================================================================

Re: chkrootkit V. 0.47
2007-11-21 04:44:21
On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running FreeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
[snip]
> > Checking `bindshell'... INFECTED (PORTS:  6667)
[snip]
> >
> > I do run an IRCd...
> 
> Such tools are known to trigger false positives sometimes. I'd recommend
> playing with some additional utilities like lsof. In case of bindshell, try
> to find processes that were executed from world-writable directories such
> as /tmp. Try to shut down httpd and other daemons and see if any of them
> are still running.

The bindshell is most probably a false positive - chkrootkit just checks if anything is listening on "unusual" ports. Since 6667 is one of the most often used well-known ports for IRC communication, this is most probably a false positive.

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net    roam@cnsys.bg    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D  1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.

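The two replies above amount to a manual triage procedure: list what is listening, find the process and binary behind each socket, and treat a listener whose binary lives in a world-writable directory, or whose port nobody expected, as the thing worth investigating. The script below is an added illustration of that procedure and is not chkrootkit's code or anything posted in the thread. It runs on a constructed sample in the shape of FreeBSD's `sockstat -4l` output plus a constructed PID-to-executable table (on a live host you would fill that table from `procstat -b` or `lsof -p`); the ports listed as expected are the ones this poster says he runs (sshd, httpd, an IRCd on 6667), and all paths and PIDs are hypothetical.

```shell
#!/bin/sh
# Added triage helper (not chkrootkit's code). Cross-references listening
# sockets with the processes behind them, as the thread suggests doing by
# hand with lsof. All sample data below is constructed, not from a real host.

# Constructed sample in the shape of `sockstat -4l` output on FreeBSD.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ircd     ircd       812   5  tcp4   *:6667                *:*
www      httpd      701   3  tcp4   *:80                  *:*
root     sshd       555   4  tcp4   *:22                  *:*
nobody   sh         9314  3  tcp4   *:31337               *:*'

# Constructed PID -> executable path table. On a live host you would fill
# this from `procstat -b <pid>` or `lsof -p <pid>` (hypothetical paths).
SAMPLE_PATHS='812 /usr/local/sbin/ircd
701 /usr/local/sbin/httpd
555 /usr/sbin/sshd
9314 /tmp/.x/sh'

# Ports the operator knowingly serves: sshd, httpd and the IRCd on 6667.
EXPECTED_PORTS='22 80 6667'

# triage_listeners: read sockstat-style lines on stdin and print one verdict
# per listener: OK, WORLD-WRITABLE-DIR (binary lives under /tmp or /var/tmp)
# or UNEXPECTED-PORT (nothing we knowingly run should listen there).
triage_listeners() {
    awk -v expected="$EXPECTED_PORTS" -v paths="$SAMPLE_PATHS" '
    BEGIN {
        n = split(expected, e, " ")
        for (i = 1; i <= n; i++) ok[e[i]] = 1
        m = split(paths, p, "\n")
        for (i = 1; i <= m; i++) { split(p[i], kv, " "); path[kv[1]] = kv[2] }
    }
    NR == 1 { next }                      # skip the sockstat header line
    {
        pid = $3
        port = $6; sub(/.*:/, "", port)   # "*:6667" -> "6667"
        exe = (pid in path) ? path[pid] : "?"
        verdict = "OK"
        if (exe ~ /^\/(tmp|var\/tmp)\//) verdict = "WORLD-WRITABLE-DIR"
        else if (!(port in ok)) verdict = "UNEXPECTED-PORT"
        printf "%s port=%s pid=%s cmd=%s exe=%s\n", verdict, port, pid, $2, exe
    }'
}

# count_flagged: number of listeners that did not get an OK verdict.
count_flagged() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | triage_listeners | grep -vc '^OK '
}

# Run stand-alone: print every verdict, then the number flagged.
printf '%s\n' "$SAMPLE_SOCKSTAT" | triage_listeners
echo "flagged: $(count_flagged)"
```

With the sample above, the IRCd on 6667 comes out OK because the operator put that port on the expected list, which is exactly why chkrootkit's port-based bindshell test alone cannot decide the question; the listener on 31337 is flagged because its binary sits under /tmp, and it would be flagged for its port even if it did not.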
Re: chkrootkit V. 0.47
2007-11-28 05:45:28
On Tue, 20 Nov 2007, JP wrote:

> --and--
> Checking `lkm'... You have   131 process hidden for readdir command
> chkproc: Warning: Possible LKM Trojan installed

I wonder if it's trying to use procfs, which isn't mounted by default in FreeBSD, and as a result reporting that /proc is empty (which is expected). You could try mounting procfs and see if the message goes away, which would answer the question -- however, we don't generally advise mounting procfs unless it is required, as it is a deprecated feature.

Robert N M Watson
Computer Laboratory
University of Cambridge

Re: chkrootkit V. 0.47
2007-11-28 06:36:29
Hi,

On Wednesday, 28 November 2007, Robert Watson <rwatson@freebsd.org> wrote:
> On Tue, 20 Nov 2007, JP wrote:
> 
> > --and--
> > Checking `lkm'... You have   131 process hidden for readdir command
> > chkproc: Warning: Possible LKM Trojan installed
> 
> I wonder if it's trying to use procfs, which isn't mounted by default in
> FreeBSD, and as a result reporting that /proc is empty (which is expected).
> You could try mounting procfs and see if the message goes away, which would
> answer the question -- however, we don't generally advise mounting procfs
> unless it is required, as it is a deprecated feature.

In fact it's a bug in the chkproc. We are working on it to be fixed in the next chkrootkit version (0.48).

Cordeiro

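Robert's diagnosis and Cordeiro's confirmation describe one specific failure mode: a check that compares the processes the kernel reports against the entries visible under /proc reports every process as "hidden" when procfs simply is not mounted and /proc is empty. The script below is an added illustration of that comparison and its fix; it is not chkproc's code, and the page does not show how chkproc actually implements its check, so treating it as a plain set difference between a ps-derived PID list and a readdir(/proc) list is an assumption. All PID lists are constructed.

```shell
#!/bin/sh
# Added illustration (not chkproc's code) of the ps-versus-/proc cross-check
# discussed in the thread. Assumes the check is a set difference between PIDs
# known to the kernel (ps) and PIDs visible via readdir(/proc). When procfs is
# not mounted the /proc side is empty and a naive comparison calls every
# process "hidden". All PID lists below are constructed.

PS_PIDS='1 555 701 812 9314'           # what `ps -ax` reports (constructed)
PROC_PIDS_MOUNTED='1 555 701 812 9314' # readdir(/proc) with procfs mounted
PROC_PIDS_UNMOUNTED=''                 # readdir(/proc) on an empty mountpoint
PROC_PIDS_ONE_MISSING='1 555 701 812'  # hypothetical: 9314 really is hidden

# naive_hidden_count PS PROC: count PIDs present in PS but absent from PROC.
naive_hidden_count() {
    n=0
    for pid in $1; do
        case " $2 " in
            *" $pid "*) ;;          # visible under /proc
            *) n=$((n + 1)) ;;      # in ps but not in /proc: "hidden"
        esac
    done
    echo "$n"
}

# checked_hidden_count PS PROC: same comparison, but refuse to conclude when
# /proc returned nothing at all, because an empty /proc means procfs is not
# mounted rather than that every process is hidden.
checked_hidden_count() {
    if [ -z "$2" ]; then
        echo "INCONCLUSIVE: /proc is empty (procfs not mounted?)"
        return 0
    fi
    naive_hidden_count "$1" "$2"
}

# Run stand-alone: show the false positive and the guarded result side by side.
echo "naive,   procfs mounted:   $(naive_hidden_count "$PS_PIDS" "$PROC_PIDS_MOUNTED") hidden"
echo "naive,   procfs unmounted: $(naive_hidden_count "$PS_PIDS" "$PROC_PIDS_UNMOUNTED") hidden"
echo "checked, procfs unmounted: $(checked_hidden_count "$PS_PIDS" "$PROC_PIDS_UNMOUNTED")"
echo "checked, one PID missing:  $(checked_hidden_count "$PS_PIDS" "$PROC_PIDS_ONE_MISSING") hidden"
```

The naive count on the unmounted case is the whole process table, which is the shape of the "131 process hidden" line in the original report; the guarded version still catches a genuinely missing PID but reports the empty-/proc case as a tooling limitation rather than as an LKM warning.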
