On Sunday 01 February 2004 04:47 pm, David Herman wrote:

So I got a mail to the suse-security list yesterday and received a couple of replies. Sounds like it is (most likely) a false positive. For those that are interested here are the 2 replies:

======================================
first from Sebastian Krahmer

Hi,

I think this is a false positive from chkrootkit. I downloaded the ps package from ftp://ftp.gwdg.de/pub/linux/suse/apt/SuSE/9.0-i386 and indeed there is "/prof" string in ps and top. But this is ok. The string is inside .text and is executable code. This is:

    ...
    0x8055205: call 0x8049700 strtoul()
    0x805520a: mov 0xc(%ebp),%edx
    0x805520d: mov %eax,0x1b8(%edx)
    0x8055213: mov %eax,(%edx)
    0x8055215: movl $0x6f72702f,(%esi) ; /prof
    0x805521b: movw $0x2f63,0x4(%esi)
    0x8055221: mov 0x226fc(%ebx),%eax
    0x8055227: add $0xb,%eax
    0x805522a: mov %eax,0x4(%esp,1)
    0x805522e: lea 0x6(%esi),%eax
    0x8055231: mov %eax,(%esp,1)
    0x8055234: call 0x8049780 strcpy()
    ...

The code in C is:

    pid = strtoul(ent->d_name, NULL, 10);
    memcpy(path, "/proc/", 6);
    strcpy(path+6, ent->d_name);

and comes from the original ps source. The compiler optimized the memcpy() into a movl+movw since /pro is 32 bit and the left 2 byte are copied via movw. This just yields "/prof" string in .text.

regards,
Sebastian

=============================================
Followed by this from Lenz Grimmer:

Hi,

JFYI, for those of you who are not on suse-security... Seems like it was (fortunately) a false alarm. But still, I too would appreciate if the packages in the "people" directory were signed at least with the developer's key.

Bye,
LenZ

===============================================

So there you have it, much thanks to all who participated in this thread. If anyone knows more I'm still interested but it sounds like a false alarm.

Have a great day

--
dh
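The hit can be reproduced from the two store instructions in the disassembly above. This is an added example, not part of the original mails and not code from ps or chkrootkit. The raw instruction bytes are hand-assembled with standard IA-32 encodings (an assumption, since the mails show no opcode bytes), and the strings-style scan with a minimum run of 4 is a stand-in for the scanner that flagged the binary.

```python
import re
import struct

# Constructed sample: the two stores at 0x8055215 and 0x805521b, hand-assembled.
# c7 /0 = mov r/m32,imm32 ; 66 = operand-size prefix (ASCII 'f') ; 46 04 = 0x4(%esi)
INSNS = [
    (0x8055215, "movl $0x6f72702f,(%esi)",
     b"\xc7\x06" + struct.pack("<I", 0x6F72702F)),
    (0x805521B, "movw $0x2f63,0x4(%esi)",
     b"\x66\xc7\x46\x04" + struct.pack("<H", 0x2F63)),
]


def image(insns):
    """Concatenate the instruction bytes as they sit back to back in .text."""
    return b"".join(raw for _, _, raw in insns)


def printable_runs(data, base, min_len=4):
    """strings(1)-style scan: (address, text) for each printable ASCII run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(base + m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


def attribute(insns, addr, length):
    """Map every byte of a hit to (address, instruction, offset in instruction)."""
    owners = []
    for a in range(addr, addr + length):
        for start, text, raw in insns:
            if start <= a < start + len(raw):
                owners.append((a, text, a - start))
    return owners


def runtime_path_prefix(insns):
    """Bytes the two stores write to path[0..5] when the code executes."""
    imm32 = insns[0][2][2:6]   # immediate of the movl
    imm16 = insns[1][2][4:6]   # immediate of the movw
    return (imm32 + imm16).decode("ascii")


if __name__ == "__main__":
    base = INSNS[0][0]
    for addr, text in printable_runs(image(INSNS), base):
        print(f"hit {text!r} at {addr:#x}")
        for a, insn, off in attribute(INSNS, addr, len(text)):
            print(f"  {a:#x}  byte {off} of  {insn}")
    print("written at run time:", runtime_path_prefix(INSNS))
```

With these encodings, the first four characters of the hit are the movl immediate and the trailing "f" is the first byte of the following movw, so the scanner sees a string that the program never builds in memory.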