chkrootkit finding 2 infected files



Hello NG,

I have two SuSE Linux 9.2 machines behaving strangely. I booted with
Knoppix 3.7 and started chkrootkit 0.43. This finds two infected files,
find and top, both in /usr/bin.
I booted the same machines also with grml 0.8 (great stuff) and
rechecked with chkrootkit 0.46 and rkhunter (I don't know the actual
version). These two tools didn't find anything. ???
O.k. I checked the md5sums of the two programs with "md5sum
/usr/bin/find" and "md5sum /usr/bin/top".
To compare this, I installed a fresh SuSE 9.2 and also created the
hashes.
They were not the same. I think I can trust the freshly installed
machine.
BUT: while googling, I found someone having the same problem as me:
http://www.spenneberg.com/3079.html
The strange thing is I have the same hashes on the maybe infected
machines as the guy has who says he has a proper system.
So I'm wondering now about two questions:
- Which hash is "the right" one?
- Is it possible that the "same" Linux version has different versions
of programs? Both the two maybe infected machines and the freshly
installed one said with "find --version": 4.1.20 and with "top -V":
procps version 3.2.3. Maybe different setup media (I don't know which I
used on the possibly infected ones, it's a long time ago).
Here are the hashes:

1. The possibly infected:
find: 54cfe2efd928f8ce1790031be4a88cc6
top:  54d2454e7f08911bcb0829f4c9ac008e

2. The freshly installed:
find: 7e9571265bd79c28b54ed82854833f15
top:  7cf74f0d5616540e0429adc75cd55d5a

- Can anyone post me their hashes of these files?
- Does anyone know if the "same" Linux versions have different versions
of tools like the ones mentioned above?
Thanks for any help.
Bernd
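
The comparison described in the post (hashing binaries on a suspect disk from a live CD and checking them against a fresh install) can be scripted as below. This is an added example, not part of the original post; the function names, the mount point /mnt/suspect and the manifest file name are assumptions.

```shell
#!/bin/sh
# Added example. Run it from the live CD so that the md5sum binary and the
# shell come from trusted media, not from the disk being examined.
# Manifest format is md5sum's own: "<hash>  <absolute path>", one per line.
#
# Usage sketch (hypothetical paths):
#   on the fresh install:  make_manifest "" /usr/bin/find /usr/bin/top > ref.md5
#   on the live CD:        compare_manifest /mnt/suspect ref.md5

# make_manifest ROOT PATH... : hash each absolute PATH found underneath ROOT
make_manifest() {
    root=$1; shift
    for p in "$@"; do
        [ -f "$root$p" ] || continue
        sum=$(md5sum < "$root$p" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$p"
    done
}

# compare_manifest ROOT MANIFEST : print one status line per manifest entry;
# returns 0 only if every listed file exists under ROOT and is byte-identical
compare_manifest() {
    root=$1; manifest=$2; rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have=$(md5sum < "$root$path" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "DIFFERS  $path  suspect=$have reference=$want"; rc=1
        fi
    done < "$manifest"
    return $rc
}
```

A DIFFERS line only says the two files are not byte-identical; it does not say which of the two is the original build.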
