This topic drifted off the original question and I apologize for turning it back, but security/chkrootkit is reporting "INFECTED: Possible Malicious Syslogk LKM rootkit installed" on two fresh boxes, both running 14.0-RELEASE-p6 #0, when I execute chkrootkit -q -n.
I can't find any indication by any other means (such as security/rkhunter, sysutils/lsof, security/nmap, security/unhide). Even stranger, running chkrootkit -x -n (expert, verbose output) and filtering with grep does not report any "infected" or "Syslogk" entries.
Code:
# chkrootkit -x -n | grep -B5 -i infected
.got.plt
.bss
.comment
.gnu_debuglink
not tested
not infected
--
.data
.got.plt
.bss
.comment
.gnu_debuglink
not infected
--
.data
.got.plt
.bss
.comment
.gnu_debuglink
not infected
/usr/local/sbin/chkrootkit: -SIGCONT: not found
/usr/local/sbin/chkrootkit: -SIGCONT: not found
--
not found
###
### Output of: /usr/local/sbin/ifpromisc
###
bge0 is not promisc
not infected
###
### Output of: /usr/local/sbin/chkwtmp -f wtmp
###
not infected
not infected
Nor were any open ports found with the nmap X, F, T, N, or A options that weren't expected and enumerated by sockstat.
I'm disinclined to be too concerned, though based on this article I did configure a rule to drop any packets with a source port of 59318 and did a full file system search for PgSD93ql (nothing). Are we facing a novel Syslogk FreeBSD variant or false positives from security/chkrootkit?
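One reason the grep in the post comes back empty is that a case-insensitive match on "infected" also hits every "not infected" line, so the real verdicts drown in noise. The following is an added example (not part of the post and not chkrootkit's own code) that parses the "### Output of:" sections and verdict lines of expert-mode output as they appear above, keeps only genuine "INFECTED:" verdicts, and lists any quiet-mode positive that expert mode never confirms, which is exactly the discrepancy reported here. The two transcripts embedded in it are constructed to match the shape shown in the post, not captured from a real host.

```python
import re

# Constructed transcript in the shape of 'chkrootkit -x -n' output shown in
# the post (ELF section names, block headers, per-test verdicts). Not real.
EXPERT_OUTPUT = """\
.data
.got.plt
.bss
.comment
.gnu_debuglink
not tested
not infected
###
### Output of: /usr/local/sbin/ifpromisc
###
bge0 is not promisc
not infected
###
### Output of: /usr/local/sbin/chkwtmp -f wtmp
###
not infected
"""

# Constructed quiet-mode result: 'chkrootkit -q -n' prints only positives.
QUIET_OUTPUT = "INFECTED: Possible Malicious Syslogk LKM rootkit installed\n"

HEADER = re.compile(r"^### Output of: (\S+)")
POSITIVE = re.compile(r"^INFECTED\b")            # case-sensitive on purpose
NEGATIVE = re.compile(r"^not (infected|tested|found)$")


def parse_expert(text):
    """Map each '### Output of:' section (plus the preamble before the first
    header) to the list of verdict lines it contains, in order."""
    sections = {"(preamble)": []}
    current = "(preamble)"
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif POSITIVE.match(line) or NEGATIVE.match(line):
            sections[current].append(line)
    return sections


def positives(text):
    """Only true positive verdicts ('INFECTED: ...'); a case-insensitive grep
    for 'infected' would also return every 'not infected' line."""
    return [l.strip() for l in text.splitlines() if POSITIVE.match(l.strip())]


def unconfirmed(quiet_text, expert_text):
    """Quiet-mode positives that expert mode never reports as INFECTED.
    A non-empty list is the discrepancy to resolve (or to file as a false
    positive) before treating the quiet-mode alert as a compromise."""
    expert_pos = set(positives(expert_text))
    return [p for p in positives(quiet_text) if p not in expert_pos]


def mentions(text, needle):
    """Case-insensitive count of lines containing needle (e.g. 'syslogk')."""
    return sum(1 for l in text.splitlines() if needle.lower() in l.lower())


if __name__ == "__main__":
    for tool, verdicts in parse_expert(EXPERT_OUTPUT).items():
        print(f"{tool}: {verdicts}")
    print("unconfirmed quiet-mode positives:", unconfirmed(QUIET_OUTPUT, EXPERT_OUTPUT))
    print("syslogk mentions in expert output:", mentions(EXPERT_OUTPUT, "syslogk"))
```

On a live box, feed the real transcripts in with something like chkrootkit -x -n > expert.txt and chkrootkit -q -n > quiet.txt and read both files instead of the constructed strings; the script never runs chkrootkit itself.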