NetBSD-Users archive


Re: can netstat be infected



On Tue, 10 Jul 2012, Darrel wrote:

> I have a recent installation of NetBSD beta, which has been rebuilt
> once.
> 
> chkrootkit reports that fstat is infected:

netstat not fstat.

> Checking `mingetty'... not found
> Checking `netstat'... INFECTED
> Checking `named'... not infected

The chkrootkit looks for a pattern in the strings output.

strings -a /usr/bin/netstat | egrep "/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h"

So why does it think it is infected for you?

The package message says "Please note that using chkrootkit on a 
non-supported platform may lead to false positive results." It is only 
documented to have been tested on NetBSD for version 1.6.x.
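
One way to answer the "why does it think it is infected" question, as an added example that is not part of the original message or of chkrootkit: split the quoted signature into its alternatives and report which one matched which string. The helper name explain_match and the sample strings are assumptions made up for illustration.

```sh
#!/bin/sh
# Signature copied verbatim from the egrep pattern quoted in the message.
NETSTAT_SIG='/dev/hdl0/dev/xdta|/dev/ttyoa|/dev/pty[pqrsx]|/dev/cui|/dev/hdn0|/dev/cui221|/dev/dszy|/dev/ddth3|/dev/caca|^/prof|/dev/tux|grep|addr\.h'

# Constructed sample of `strings` output (not taken from a real netstat binary).
sample_strings() {
    printf '%s\n' 'libc.so.12' 'cannot grep routing table' \
                  '/dev/ttyoa' 'netinet/addr.h'
}

# explain_match (hypothetical helper): read `strings` output on stdin and
# print "alternative<TAB>matching line" for every hit, so it is visible
# whether a rootkit-specific path or a generic word such as "grep" fired.
explain_match() {
    input=$(cat)
    # One signature alternative per line; read -r keeps the backslash in addr\.h.
    printf '%s\n' "$NETSTAT_SIG" | tr '|' '\n' | while IFS= read -r alt; do
        printf '%s\n' "$input" | { grep -E -- "$alt" || true; } |
            while IFS= read -r line; do
                printf '%s\t%s\n' "$alt" "$line"
            done
    done
}

# Real use: strings -a /usr/bin/netstat | explain_match
sample_strings | explain_match
```

A hit on only the generic alternatives points toward a false positive to confirm against a known-good copy of the binary; a hit on one of the device paths deserves a closer look.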


