On Sunday 27 March 2011 22:09:00 walt wrote:
> I just got an email from cron on my ~amd64 machine, containing these lines:
>
> Checking 'find'... INFECTED
> Checking 'netstat'... INFECTED
>
> Took me a few minutes to deduce that sys-forensics/chkrootkit was the
> source of those messages. I ran chkrootkit manually and found the same
> messages in the output.
>
> I then nervously re-emerged findutils and net-tools, but chkrootkit again
> found the same binaries to be "INFECTED".
>
> Running chkrootkit on my ~x86 machine turns up no such infections even
> though the same packages are installed on both machines.
>
> Anyone have any insight into how chkrootkit works, or why the different
> results?
>
> Or, can anyone reproduce my problem?
>
> Thanks.
|
Just ran this on my stable amd64 PC and it looks OK:
|
...
Checking `find'... not infected <---
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected <---
...
|
Did you run anything suspicious on your system?
--
Regards,
Mick