Argh, infected!

Dan Osterrath do3 at mail.inf.tu-dresden.de
Mon Oct 13 05:13:57 PDT 2003


On Monday, 13 October 2003 13:53, Sam Barnett-Cormack wrote:
> On Mon, 13 Oct 2003, Sam Barnett-Cormack wrote:
> > [root at mnementh chkrootkit-0.42b]# ./chkrootkit | grep INFECTED
> > Checking `netstat'... INFECTED
> >
> > Okay, so I think I understand that... now what the heck do I do about
> > it? Anyone know?
>
> Further: false alarm. chkrootkit was checking for addr.h, and this was
> in the binary *only* until it was stripped. I stripped it, and now all
> is fine.

1. Why does chkrootkit think that there is a root kit in netstat when it was 
compiled with addr.h? - It seems that it normally does not do so and that there 
exists a root kit that does.
2. When you strip a binary you remove some extra information, such as the fact 
that this binary was compiled with addr.h. If you strip it the extra information 
gets lost, but it is still compiled with it and the root kit is still inside. 
Unfortunately chkrootkit cannot see it anymore.

So don't be too optimistic that you are safe.

Perhaps you could give us your LFS version, and we could verify our results 
against yours...

-- 
----------------------------------------------------------------------
%> ln -s /dev/null /dev/brain
%> ln -s /dev/urandom /dev/world
%> dd if=/dev/world of=/dev/brain
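[Editor's note, added to this archived message; the script below is not chkrootkit's code and not Dan's or Sam's.] The disagreement above comes down to one question: where in the netstat binary does the string "addr.h" live? chkrootkit's netstat test is in effect `strings -a netstat | egrep <label>`, which scans the whole file and therefore cannot distinguish a header name recorded in debug information (which strip(1) discards, so the hit disappears, as Sam saw) from a string in the program's own data or code (which strip leaves alone, so a real trojan would still be flagged afterwards). The Python script below attributes each hit to its ELF section. The minimal ELF builder and the three sample images are constructed fixtures, not real netstat binaries; the signature pattern is reduced to the "addr.h" case from this thread (chkrootkit's real label has more alternatives); section names treated as strip-removed (.debug*, .symtab, .strtab) follow strip's default behaviour.

```python
"""Locate chkrootkit-style signature strings by ELF section.

Added example for the lfs-security thread "Argh, infected!"; not chkrootkit's
own code.  chkrootkit greps `strings -a netstat`, so a hit does not say whether
the string sits in debug information (dropped by strip) or in the program's own
data (kept by strip).  This script answers that question.
"""
import re
import struct

# ELF64 little-endian layouts (assumption: only this ELF flavour is handled).
ELF_HDR = struct.Struct("<16sHHIQQQIHHHHHH")   # e_ident ... e_shstrndx
SEC_HDR = struct.Struct("<IIQQQQIIQQ")          # sh_name ... sh_entsize
SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 1, 3, 8

# Assumption: reduced to the string from this thread; chkrootkit's real
# netstat label contains further alternatives.
SIGNATURE = re.compile(rb"addr\.h")


def elf_sections(data):
    """Yield (name, file_offset, size) for every section that occupies file bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = ELF_HDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != SEC_HDR.size:
        raise ValueError("unexpected section header size")
    shdrs = [SEC_HDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    names = data[shdrs[shstrndx][4]:shdrs[shstrndx][4] + shdrs[shstrndx][5]]
    for sh_name, sh_type, _flags, _addr, sh_offset, sh_size, *_rest in shdrs:
        if sh_type == SHT_NOBITS:          # .bss: no bytes in the file to scan
            continue
        name = names[sh_name:names.index(b"\0", sh_name)].decode()
        yield name, sh_offset, sh_size


def signature_hits(data):
    """Map each matched signature string to the set of sections containing it."""
    hits = {}
    for name, off, size in elf_sections(data):
        for m in SIGNATURE.finditer(data[off:off + size]):
            hits.setdefault(m.group().decode(), set()).add(name)
    return hits


def survives_strip(section):
    """True if strip(1) leaves the section in place (debug info and symbol tables go)."""
    return section not in (".symtab", ".strtab") and not section.startswith(".debug")


def assess(data):
    """'clean': no hit; 'debug-only': every hit vanishes on strip; 'suspicious': a hit survives strip."""
    hits = signature_hits(data)
    if not hits:
        return "clean"
    if any(survives_strip(s) for secs in hits.values() for s in secs):
        return "suspicious"
    return "debug-only"


def build_elf(sections):
    """Build a minimal ELF64 image holding the given {name: bytes} sections.

    Constructed test fixture only: no code, no program headers, nothing runnable.
    """
    names = [""] + list(sections) + [".shstrtab"]
    shstrtab, name_off = b"\0", {"": 0}
    for n in names[1:]:
        name_off[n] = len(shstrtab)
        shstrtab += n.encode() + b"\0"
    bodies = {**sections, ".shstrtab": shstrtab}
    blob, layout, off = b"", {}, ELF_HDR.size
    for n in names[1:]:
        layout[n] = (off, len(bodies[n]))
        blob += bodies[n]
        off += len(bodies[n])
    shdrs = SEC_HDR.pack(*([0] * 10))                  # mandatory null section
    for n in names[1:]:
        sh_type = SHT_STRTAB if n == ".shstrtab" else SHT_PROGBITS
        shdrs += SEC_HDR.pack(name_off[n], sh_type, 0, 0, *layout[n], 0, 0, 1, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = ELF_HDR.pack(ident, 2, 62, 1, 0, 0, off, 0, ELF_HDR.size,
                        0, 0, SEC_HDR.size, len(names), len(names) - 1)
    return ehdr + blob + shdrs


# Constructed sample images standing in for three states of a netstat binary.
PROGRAM = b"\0netstat\0Proto Recv-Q Send-Q Local Address\0"
DEBUG_BUILD = build_elf({".rodata": PROGRAM,
                         ".debug_str": b"netstat.c\0addr.h\0unsigned int\0"})
STRIPPED_BUILD = build_elf({".rodata": PROGRAM})      # what strip leaves behind
TROJANED_BUILD = build_elf({".rodata": PROGRAM + b"/tmp/addr.h\0",   # constructed stand-in, not a real rootkit
                            ".debug_str": b"netstat.c\0"})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            image = f.read()
        print(path, assess(image), signature_hits(image))
```

Run it on the unstripped copy of the binary (e.g. `python3 elfsig.py /bin/netstat`). If the only hits are in .debug_* or the symbol tables, stripping removed a harmless reference to a header name and the chkrootkit alarm was a false positive of the kind Sam describes; a hit in .rodata, .data or .text survives strip and is the case Dan warns about, and the binary should then be compared against one rebuilt from known-good net-tools sources. Either way, chkrootkit's string test is only a heuristic: a clean result after stripping is not evidence of a clean binary.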