Argh, infected!

Dan Osterrath do3 at mail.inf.tu-dresden.de
Mon Oct 13 05:19:13 PDT 2003


On Monday, 13 October 2003 14:13, Dan Osterrath wrote:
> On Monday, 13 October 2003 13:53, Sam Barnett-Cormack wrote:
> > On Mon, 13 Oct 2003, Sam Barnett-Cormack wrote:
> > > [root at mnementh chkrootkit-0.42b]# ./chkrootkit | grep INFECTED
> > > Checking `netstat'... INFECTED
> > >
> > > Okay, so I think I understand that... now what the heck do I do about
> > > it? Anyone know?
> >
> > Further: false alarm. chkrootkit was checking for addr.h, and this was
> > in the binary *only* until it was stripped. I stripped it, and now all
> > is fine.
>
> 1. Why does chkrootkit think that there is a root kit in netstat when it
> was compiled with addr.h? - Seems that it normally does not do so and that
> there exists a root kit that does.
> 2. When you strip a binary you remove some extra information such as this
> binary was compiled with addr.h. If you strip it the extra information gets
> lost but it is still compiled with it and the root kit is still inside.
> Unfortunately chkrootkit can not see it anymore.
>
> So don't be too optimistic that you are safe.
>
> Probably you could give us your lfs version and we could verify our results
> with yours...

My netstat is infected, too. LFS 4.0, net-tools 1.60
Could anyone try it with a recent LFS? Probably it's just a problem with the 
build instructions...

-- 
----------------------------------------------------------------------
%> ln -s /dev/null /dev/brain
%> ln -s /dev/urandom /dev/world
%> dd if=/dev/world of=/dev/brain
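The two checks the thread is circling around, as an added example that is not part of the original mailing list post: the first imitates the kind of string heuristic chkrootkit applies to netstat (it looks for a marker string in the binary, so `strip` makes the alarm disappear without changing a single instruction), the second is a checksum baseline taken from a trusted build, which is what actually tells you whether the installed file changed. The two "binaries" are constructed text files standing in for an unstripped and a stripped netstat; the marker string and the function names are my own assumptions, not chkrootkit's code.

```shell
#!/bin/sh
# Added example (not from the thread or from chkrootkit): a string heuristic
# versus a checksum baseline, run on two constructed stand-in "binaries".

# Constructed samples: the same program bytes once with an "addr.h" marker
# embedded (as a source/debug reference would be) and once without it,
# imitating what `strip` did in the thread. Prints the temp directory.
make_samples() {
  dir=$(mktemp -d)
  printf 'netstat code bytes\naddr.h\nmore netstat code bytes\n' > "$dir/netstat.unstripped"
  printf 'netstat code bytes\nmore netstat code bytes\n' > "$dir/netstat.stripped"
  printf '%s' "$dir"
}

# Heuristic check: succeeds (exit 0, "INFECTED" in chkrootkit's terms) when
# the marker string is present anywhere in the file. Stripping removes the
# string, so this check says nothing about the code that is still there.
has_marker() {
  grep -a -q 'addr\.h' "$1"
}

# Record a checksum for a file you trust (taken at build/install time).
record_checksum() {
  cksum < "$1" | awk '{print $1}'
}

# Integrity check: succeeds only when the file still matches the recorded
# baseline. Any change to the bytes, malicious or not, fails it.
matches_known_good() {
  [ "$(record_checksum "$1")" = "$2" ]
}

# Report a file under both checks (hypothetical helper, output only).
report() {
  file=$1; baseline=$2
  if has_marker "$file"; then h="marker found (INFECTED by heuristic)"; else h="no marker"; fi
  if matches_known_good "$file" "$baseline"; then i="matches baseline"; else i="DIFFERS from baseline"; fi
  echo "$file: $h; $i"
}

# Demo run: the baseline is taken from the unstripped build, then both files
# are reported. Stripping silences the heuristic but also breaks the baseline,
# which is why the baseline must be recorded on the file as actually installed.
samples=$(make_samples)
base=$(record_checksum "$samples/netstat.unstripped")
report "$samples/netstat.unstripped" "$base"
report "$samples/netstat.stripped" "$base"
rm -rf "$samples"
```

The lesson for the LFS case: a clean result from the string heuristic after stripping is not evidence of a clean binary, and a checksum baseline is only meaningful if it was recorded from the file as it is installed, after any stripping in the build instructions.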

