
Anders Johansson <andjoh@rydsbo.net> wrote:
> On Sunday 01 February 2004 06.25, David Herman wrote:
>> Continuing my investigation, I booted up my test machine w/ SuSE 9.0, ran checkrootkit, and it showed all clean.
>> Then I used synaptic and updated ps (ps_2003.11.17-18_i586.rpm) and nothing else, then I ran chkroot again and the errors are there.
>
> chkrootkit is reacting to the string /prof in top. That string isn't in the src.rpm, but it is in the binary. That alone is very suspicious. It does look like kraxel's binaries are infected.
>
> I wonder what other niceties are in the binaries in the apt repo.

David, compared to you and Anders, I am just a lost babe in the woods, but given what you have done and Togan's comment 3 emails back:
http://lists.suse.com/archive/suse-linux-e/2004-Jan/4610.html
I am surprised that you have not posted this on suse-security mailing list:
http://www.suse.com/us/private/support/online_help/mailinglists/index.html
Or maybe you have and I just missed it.

Friendly greetings,
Gar