# chkrootkit, rkhunter



## Anonymous (Jan 28, 2009)

Hi!

My system: new installed FreeBSD 7.1, KDE 3.5.10

I ran chkrootkit and I got:

```
...
Checking `sshd'... /usr/bin/strings: Warning: '/' is not an ordinary file
...
...
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed...
```

I ran rkhunter -c also, and at the end I have:

```
System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 103
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 77
    Possible rootkits: 0

Applications checks...
    Applications checked: 4
    Suspect applications: 0
```

I am confused about chkrootkit and the line:

```
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed...
```

Thanks in advance.


----------



## brd@ (Jan 28, 2009)

I would check with the chkrootkit support channels, there has often been problems with it misdetecting things on FreeBSD.


----------



## Anonymous (Jan 29, 2009)

brd@ said:

> I would check with the chkrootkit support channels, there has often been problems with it misdetecting things on FreeBSD.



I got an answer from the mailing list:

http://lists.debian.org/debian-user/2001/12/msg02253.html

...and it was a false alarm.


----------



## hitest (Jan 29, 2009)

lumiwa said:

> I got an answer from the mailing list:
> 
> http://lists.debian.org/debian-user/2001/12/msg02253.html
> 
> ...and it was a false alarm.



Yeah, I usually use rkhunter as I have also received false alarms with chkrootkit.


----------



## r-c-e (Jan 30, 2009)

Both have their purpose I suppose....


----------



## Anonymous (Jan 30, 2009)

r-c-e said:

> Both have their purpose I suppose....



I believe so, but why this "false" positive on a freshly installed computer, never connected to the internet? My friend installed yesterday and had the same.


----------



## rghq (Jan 30, 2009)

The rkhunter warning seems like a false-positive. Seems rkhunter checks for:

/usr/lib/libproc.a

That is installed with FreeBSD 7.1 and once found, rkhunter reports it.


----------
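As an added example (not a post from this thread, and not chkrootkit or rkhunter code), the script below reproduces the presence-only heuristic rghq describes, where the t0rn v8 warning fires simply because `/usr/lib/libproc.a` exists, and adds the triage step a defender wants before trusting either verdict: look at what is actually sitting at that path. It assumes the check is purely file-presence based, as the thread states, and runs against constructed sample directory trees rather than the live system.

```shell
#!/bin/sh
# Added example, not chkrootkit/rkhunter code. Reproduces the presence-only
# heuristic described in the thread and adds a triage step. All functions
# take a root directory so they can run against constructed sample trees.

# 1. The heuristic as the thread describes it: flag solely on the file's presence.
torn_v8_presence_check() {  # $1 = root dir; prints a chkrootkit-style verdict
    if [ -f "$1/usr/lib/libproc.a" ]; then
        echo "Possible t0rn v8 (or variation) rootkit installed"
    else
        echo "nothing found"
    fi
}

# 2. Triage: a presence check cannot tell FreeBSD's libproc.a from a file a
#    rootkit dropped under that name, so inspect what is there. A static
#    library starts with the ar magic "!<arch>\n"; anything else deserves a look.
classify_libproc() {  # $1 = root dir; prints absent | static-archive | not-an-archive
    f="$1/usr/lib/libproc.a"
    [ -f "$f" ] || { echo absent; return; }
    if [ "$(head -c 7 "$f")" = '!<arch>' ]; then
        echo static-archive   # consistent with the base-system library; confirm
                              # against a known-good install (e.g. freebsd-update IDS)
    else
        echo not-an-archive   # a non-library squatting on a library path: investigate
    fi
}

# 3. Constructed sample roots (no real system is touched).
make_sample_root() {  # $1 = clean | freebsd | suspicious ; prints the created path
    d=$(mktemp -d); mkdir -p "$d/usr/lib"
    case "$1" in
        freebsd)    printf '!<arch>\n' > "$d/usr/lib/libproc.a" ;;   # ar magic only
        suspicious) printf '#!/bin/sh\n' > "$d/usr/lib/libproc.a" ;; # a script, not a lib
    esac
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    for kind in clean freebsd suspicious; do
        r=$(make_sample_root "$kind")
        printf '%-10s heuristic: %s | triage: %s\n' "$kind" \
            "$(torn_v8_presence_check "$r")" "$(classify_libproc "$r")"
        rm -rf "$r"
    done
fi
```

Run with `--demo`: the `freebsd` and `suspicious` trees get the identical "Possible t0rn v8" verdict from the presence check, which is exactly why that line alone cannot confirm a compromise, while the triage step separates them.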



## morbit (Jan 30, 2009)

I personally like Lynis, even though it historically lacked specific FreeBSD scan profiling.


----------

