This is a discussion on Latest version of chkrootkit within the Linux Security forums, part of the System Security and Security Related category.

Hi all,

The latest chkrootkit, available at http://www.chkrootkit.org/, is version 0.43 and was released in late December of last year. As I understand, this version is not fully compatible with kernel 2.6 (please correct me if I am wrong), and for example on suse 9.1 out-of-the-box it claims that "find" and "top" commands are infected and processes may be running hidden from "ps" command.

Some time ago someone on this group was kind enough to point me to the following site for an updated (fixed) version of chkrootkit.

http://trific.ath.cx/resources/rpm/chkrootkit/

My question is, does anyone know why the official chkrootkit site, chkrootkit.org, has not updated to this version? Does anyone know when the next update to it will be released?

Thanks,
RS

rsina <rsina.no-ssppaamm@earthlink.net> wrote in news:hIZZc.3375$Wv5.1149@newsread3.news.atl.earthlink.net:

> http://trific.ath.cx/resources/rpm/chkrootkit/
>
> My question is, does anyone know why the official chkrootkit site,
> chkrootkit.org, has not updated to this version? Does anyone know when
> the next update to it will be released?

That's a good question. I would be wondering the same. Considering the number of .cx sites that show up in my honeypots I don't think I would go to one out of the blue that offered me an updated and fixed security software. And how was it fixed? Was the check just removed?

Yes I get that error with mine. And the first time it happened I did some searching. Luckily I'm not the "reformat and start over" reaction group so I see where it can be a problem for some but I think I will continue to wait for the main site to offer an update. IMHO

Gandalf Parker

On 2004-09-03, rsina <rsina.no-ssppaamm@earthlink.net> wrote:

> The latest chkrootkit, available at http://www.chkrootkit.org/, is version
> 0.43 and was released in late December of last year. As I understand, this
> version is not fully compatible with kernel 2.6 (please correct me if I am
> wrong), and for example on suse 9.1 out-of-the-box it claims that "find"
> and "top" commands are infected and processes may be running hidden from
> "ps" command.

Also, anything you pack with UPX packer will be labeled as "INFECTED". Unpack it and it's clean. Pack it again and it's again INFECTED! Infected with UPX? :P

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

On 2004-09-03, Gandalf Parker <gandalf@most.of.my.favorite.sites> wrote:

>> http://trific.ath.cx/resources/rpm/chkrootkit/

> Considering the number of .cx sites that show up in my honeypots I don't
> think I would go to one out of the blue that offered me an updated and
> fixed security software

A bit OT, but... .ath.cx is from a company that makes names point to dynamic IP address, so that even though your IP may change constantly (like with a PPP link, for example), you can still have most of the benefit of a static hostname. It's about the only way to run any sort of server from a dynamic address (and still have people be able to find you day after day). I have used one for over a year now. It's a very nice service, and they don't charge. This company also offers other address-related services, some pay, some free.

If you're running Linux and you want to run a httpd or ftpd, it's a good option if you can't get a static IP for some reason.

--
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

jayjwa <jayjwa@nowhere.org> wrote in news:slrncjo2kh.o5i.jayjwa@atr2.ath.cx:

> It's about the only way to run any sort
> of server from a dynamic address (and still have people be able to
> find you day after day). I have used one for over a year now. It's a
> very nice service, and they don't charge. This company also offers
> other address-related services, some pay, some free.
>
> If you're running Linux and you want to run a httpd or ftpd, it's a
> good option if you can't get a static IP for some reason.

Thank you for that information. It does sound like a very useful service.

Hmmm on the other hand I think it would make me even less likely to download a security fix from such a site.

Gandalf Parker