Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64
Date: Mon, 28 Mar 2011 08:07:34
Message-Id: 201103280905.56217.michaelkintzios@gmail.com
In Reply to: [gentoo-user] sys-forensics/chkrootkit finds INFECTED binaries on ~amd64 by walt
On Sunday 27 March 2011 22:09:00 walt wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the
> source of those messages. I ran chkrootkit manually and found the same
> messages in the output.
>
> I then nervously re-emerged findutils and net-tools, but chkrootkit again
> found the same binaries to be "INFECTED".
>
> Running chkrootkit on my ~x86 machine turns up no such infections even
> though the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different
> results?
>
> Or, can anyone reproduce my problem?
>
> Thanks.

Just ran this on my stable amd64 PC and it looks OK:

...
Checking `find'... not infected <---
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected <---
...

Did you run anything suspicious on your system?
--
Regards,
Mick

Attachments

File name MIME type
signature.asc application/pgp-signature
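Walt asks how chkrootkit decides a binary is "INFECTED". For the per-command checks it extracts the printable strings of the binary and greps them against a fixed list of byte patterns known from old rootkit trojans; a match is reported as INFECTED, with no hash or package check behind it. The script below is an added illustration written for this page, not code from the thread or from chkrootkit itself: it emulates that mechanism on two constructed sample files and, unlike chkrootkit's summary output, also prints the exact string that triggered the match. The pattern list is an assumption chosen for the demonstration, not chkrootkit's real signature table, and the sample "binaries" are constructed inline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from chkrootkit.
# Emulates a chkrootkit-style string-signature scan of a binary.
# SIG_FIND is an illustrative pattern list (assumption), not the real one.
SIG_FIND='/dev/ttyof|/dev/pty[pqrs]|/dev/ttyp|/dev/caca'

# Print printable runs of 4+ characters, like strings(1), using POSIX tools only.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Report INFECTED if any signature pattern appears in the file's strings,
# otherwise "not infected" (this is all a signature scanner knows).
check_binary() {
    if printable_strings "$1" | grep -qE "$2"; then
        echo INFECTED
    else
        echo "not infected"
    fi
}

# Show which string(s) matched so an admin can judge whether it is a
# genuine trojan marker or merely a benign string that happens to match.
matching_strings() {
    printable_strings "$1" | grep -E "$2"
}

demo() {
    tmp=$(mktemp -d)
    # Constructed sample files: only the first carries a signature-like string.
    printf 'ELF\0\0\0usage: find [path...]\0/dev/ttyp is my pty log\0' > "$tmp/find"
    printf 'ELF\0\0\0usage: ls [file...]\0/dev/null\0' > "$tmp/ls"
    for f in find ls; do
        printf "Checking '%s'... %s\n" "$f" "$(check_binary "$tmp/$f" "$SIG_FIND")"
    done
    echo "string that triggered the find match:"
    matching_strings "$tmp/find" "$SIG_FIND"
    rm -rf "$tmp"
}

demo
```

The practical consequence is the one walt ran into: re-installing the package cannot clear the report, because the clean binary still contains whatever string matched. When chkrootkit flags a file, verify the file against the package manager's recorded checksums (on Gentoo, `qcheck <package>` from app-portage/portage-utils) and inspect the matching string before treating the host as compromised; an unchanged checksum plus a benign matching string points to a signature false positive, while a changed checksum calls for a real incident response.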