[CLUE-Tech] Suse 9.1pro and chkrootkit
Timothy Klein
teece at silverklein.net
Wed Jul 28 00:13:22 MDT 2004
On Tuesday 27 July 2004 11:43 pm, j7s12b wrote:
> On Tuesday 27 July 2004 01:32, Timothy Klein wrote:
> > > # ./chkrootkit
> > > ....
> > > Checking `find'... INFECTED
> > > Checking `top'... INFECTED
> >
> > These look like a major problem. Have you tried running 'strings' on
> > these binaries to see if anything wonky spits out? (Assuming strings
> > isn't trojaned, too.)
>
> I did strings and nothing caught my attention.

Perhaps Suse does something to those binaries or uses an odd version that
confuses chkrootkit, as Nate Duehr said he had the same result on a machine
that is likely not compromised.

I have never run into that issue with chkrootkit. But I would try to chase
that one down until I found out for sure that it was a false positive, if I
were you. Check MD5 sums, too.

However, the first site that comes up under a Google search of 'suse
chkrootkit false positives' indicates that several others have had this
problem, even off of brand new Suse installs. So, I guess Suse *is* doing
something to fool chkrootkit. Perhaps they compile those two with threading
support?

But I bet you're safe (assuming the webpage I read wasn't some clever ruse to
fool us ... :-0)

Tim
--
== Timothy Klein || teece at silverklein.net
== Vanity Page: http://tinyurl.com/vkhp
== ----------------------------------------
== Hello_World.c: 17 Errors, 31 Warnings...
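
Added example, not part of the original message: one way to carry out the "check MD5 sums" step for the flagged `find` and `top` binaries, by comparing files against a known-good manifest in `md5sum` format. The function names, the manifest file and the demo data are assumptions made for illustration; the manifest is assumed to come from trusted media.

```shell
#!/bin/sh
# Compare binaries against a known-good MD5 manifest.
# Manifest lines use md5sum's text format: "<digest>  <absolute path>".
# Assumption: the manifest comes from trusted media, and md5sum itself is run
# from a rescue system, since a rootkit can replace the tools on the live host.

# check_manifest MANIFEST [ROOT]
# ROOT is prepended to every path, so a suspect disk mounted at e.g. /mnt
# can be checked. Returns 0 if every file matches, 1 otherwise.
check_manifest() {
    manifest=$1
    root=${2:-}
    bad=0
    while read -r want path; do
        case $want in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"
            bad=1
            continue
        fi
        have=$(md5sum "$root$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "CHANGED  $path (expected $want, got $have)"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# demo: constructed sample data (not real SUSE binaries or digests).
# Builds a fake root with two files, records their digests, then alters one.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    echo 'constructed find' > "$d/usr/bin/find"
    echo 'constructed top'  > "$d/usr/bin/top"
    (cd "$d" && md5sum usr/bin/find usr/bin/top | sed 's#  #  /#') > "$d/manifest"
    echo 'modified' >> "$d/usr/bin/top"
    check_manifest "$d/manifest" "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A match only shows the file equals whatever the manifest recorded, so the result is as trustworthy as the manifest's source and the environment the check runs in.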