LinuxQuestions.org
Old 08-15-2009, 06:02 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Rep: Reputation: 30
chkrootkit found an infected port


Got this in my file this morning:
any ideas what to do? That port isn't open for input:

Code:
Checking `bindshell'... INFECTED (PORTS:  1008)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root         3147 tty2   /sbin/mingetty tty2
! root         3161 tty5   /sbin/mingetty tty5
! root         3165 tty6   /sbin/mingetty tty6
chkutmp: nothing deleted


[root@localhost cron.daily]# /usr/sbin/lsof -P -n -i | grep 1008
rpc.statd 11002 rpcuser    7u  IPv4  63938       TCP *:1008 (LISTEN)
[root@localhost cron.daily]#
On a related note, rkhunter returns this:
Code:
Warning: This operating system is not fully supported!
All MD5 checks will be skipped!

Last edited by qwertyjjj; 08-15-2009 at 06:04 AM.
 
Old 08-15-2009, 07:02 AM   #2
MoonMind
Member
 
Registered: May 2005
Location: Switzerland
Distribution: Ubuntu
Posts: 448

Rep: Reputation: 38
For the bindshell thing, compare this thread:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539

Check your chkrootkit version - if in doubt, get a new one and re-check; same goes for rkhunter. rpc.statd is used in context with NFS - that may be good for a false positive as described in the (very dated) bug report.

M.

Last edited by MoonMind; 08-15-2009 at 07:09 AM. Reason: adding more information...
 
Old 08-15-2009, 07:04 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by MoonMind View Post
For the bindshell thing, look here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539

M.
That's an old bug from 2002 isn't it + the port is for mailservers on 465.
 
Old 08-15-2009, 07:11 AM   #4
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,527

Rep: Reputation: 898
Maybe do a
Code:
netstat -an | grep 1008
To see if anything is listening on that port

Rkhunter can give false positives.
 
Old 08-15-2009, 07:12 AM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by repo View Post
Maybe do a
Code:
netstat -an | grep 1008
To see if anything is listening on that port

Rkhunter can give false positives.
I did already

Code:
[root@localhost cron.daily]# /usr/sbin/lsof -P -n -i | grep 1008
rpc.statd 11002 rpcuser    7u  IPv4  63938       TCP *:1008 (LISTEN)
[root@localhost cron.daily]#
 
Old 08-15-2009, 08:29 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.
 
Old 08-15-2009, 08:33 AM   #7
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.
port being the port number? How does grep add an exception to the file? I ran it but can't see any changes in the rkhunter.conf file.

Is there a way to get rid of this:
grep -i port rkhunter.conf

or does rkhunter not support centos?

Last edited by qwertyjjj; 08-15-2009 at 08:36 AM.
 
Old 08-15-2009, 05:52 PM   #8
MoonMind
Member
 
Registered: May 2005
Location: Switzerland
Distribution: Ubuntu
Posts: 448

Rep: Reputation: 38
Quote:
Originally Posted by qwertyjjj View Post
That's an old bug from 2002 isn't it + the port is for mailservers on 465.
Scroll down to the discussion...

M.
 
Old 08-16-2009, 05:28 AM   #9
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.
The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?

Also, what about this:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/gtk-2.0/immodules/.relocation-tag /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac
 
Old 08-16-2009, 06:15 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by qwertyjjj View Post
The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?
It's not a command that enables whitelisting the port but (in a RKH 1.3.4 version) a way to draw your attention to whitelisting in rkhunter.conf. If you run 1.3.4 then read the section where it reads PORT_WHITELIST.


Quote:
Originally Posted by qwertyjjj View Post
Also, what about this:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/gtk-2.0/immodules/.relocation-tag /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac
Files whose filenames begin with a dot were used in the past millennium as a way to hide them because they will only be listed when "-a" is used in 'ls'. Please read the accompanying FAQ, chapter 3 "USAGE QUESTIONS".
 
Old 08-16-2009, 06:31 AM   #11
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
.....post deleted.....

Last edited by qwertyjjj; 08-16-2009 at 06:38 AM.
 
Old 08-16-2009, 06:46 AM   #12
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Interesting to find a search for a rootkit called the F**k'it rootkit - lol!
On updating to 1.3.4 and re-running there were no errors about the port so must have been an old version.
I have found the whitelist section in the conf file, which I swapped over so all looks good. Thanks
 
Old 08-16-2009, 06:48 AM   #13
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,012

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn View Post
Quote:
Originally Posted by qwertyjjj View Post
The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?
It's not a command that enables whitelisting the port but (in a RKH 1.3.4 version) a way to draw your attention to whitelisting in rkhunter.conf. If you run 1.3.4 then read the section where it reads PORT_WHITELIST.

Files whose filenames begin with a dot were used in the past millennium as a way to hide them because they will only be listed when "-a" is used in 'ls'. Please read the accompanying FAQ, chapter 3 "USAGE QUESTIONS".
Hang on...sorry, the port is listed in chkrootkit not rkhunter

Quote:
chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?

Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.
So, I just leave them basically.

Last edited by qwertyjjj; 08-16-2009 at 06:51 AM.
 
Old 08-16-2009, 08:58 AM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,331
Blog Entries: 55

Rep: Reputation: 3529
Quote:
Originally Posted by qwertyjjj View Post
Hang on...sorry, the port is listed in chkrootkit not rkhunter
Ah. I see. My mistake.


Quote:
Originally Posted by qwertyjjj View Post
So, I just leave them basically.
One way could be to remove the port:
Code:
--- chkrootkit.orig     2009-08-01 23:01:00.000000000 +0000
+++ chkrootkit.1008     2009-08-01 23:02:00.000000000 +0000
@@ -266,7 +266,7 @@
     fi
 }
 bindshell () {
-PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
+PORT="114|145|465|511|600|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
    OPT="-an"
    PI=""
    if [ "${ROOTDIR}" != "/" ]; then
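Review bot: dropping 1008 from the `-PORT=`/`+PORT=` pattern silences the bindshell check for that port on every host that runs this copy, including a genuine bindshell bound to 1008, while the actual cause (a legitimate service that happened to bind a listed port) is untouched and will trip the check again if it lands on another listed port. A narrower change is to keep the pattern as it was and have the check print the owning program and user for each hit, the way the `lsof -P -n -i` output in post #1 does, so a known listener such as rpc.statd is recognised by port and program rather than by deleting the signature. The rest of the list is unchanged, so the unsorted trailing `7222` after `60001` is pre-existing.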
* Also note Chkrootkit currently still checks for /proc/ksyms instead of /proc/kallsyms (that is, in kernel 2.6 AND with CONFIG_KALLSYMS=y enabled at kernel compile time):
Code:
--- chkrootkit.orig     2009-08-01 23:02:00.000000000 +0000
+++ chkrootkit.1008     2009-08-01 23:03:00.000000000 +0000
@@ -306,7 +306,7 @@
       fi

       if [ "${EXPERT}" = "t" ]; then
-         [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
+         [ -r /proc/kallsyms ] &&  ${egrep} -i "adore|sebek" < /proc/kallsyms 2>/dev/null
          [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
          PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
          [ "$PV" = "" ] &&  PV=2
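Review bot: the EXPERT-branch line `[ -r /proc/kallsyms ] && ${egrep} -i "adore|sebek" < /proc/kallsyms` replaces the 2.4-kernel path rather than extending it: 2.4 kernels export /proc/ksyms and have no /proc/kallsyms, so with the `-r` guard the check silently becomes a no-op there. Suggest testing both files, e.g. `for f in /proc/kallsyms /proc/ksyms; do [ -r $f ] && ${egrep} -i "adore|sebek" < $f; done`, or choosing the path once into a variable, so one line covers 2.6 with CONFIG_KALLSYMS=y as well as older kernels.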
@@ -316,14 +316,14 @@
       fi

       ### adore LKM
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i adore < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Adore LKM installed"
       fi

       ### sebek LKM (Adore based)
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i sebek < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i sebek < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Sebek LKM installed"
       fi
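Review bot: the adore and sebek blocks now spell out /proc/kallsyms four times in this hunk, plus once in the EXPERT branch above, so the next path change has to be made in five places. Defining it once, e.g. `KSYMS=/proc/kallsyms; [ -r $KSYMS ] || KSYMS=/proc/ksyms`, and then writing `[ -r "$KSYMS" ] && ${egrep} -i adore < "$KSYMS"` in each block removes the duplication and keeps the check working on kernels that only have ksyms. Unrelated to the patch but worth fixing while here: each `if` wraps the egrep in backtick command substitution whose output goes to /dev/null, so the test only works because the shell falls back to the substitution's exit status when no command name results; `if ${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1; then` says what is meant directly.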
I pointed Nelson at Debian Bug #411128 ages ago but he's even more stubborn than I am.
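As an added example (not chkrootkit's own code and not posted by anyone in this thread): a POSIX sh script that reproduces the port match chkrootkit's bindshell() does, using the PORT list quoted above, against a constructed sample of `lsof -P -n -i` output modelled on post #1, and then keeps the owning program so a hit on 1008 can be tagged as the known rpc.statd listener instead of being deleted from the signature. The lsof sample and the KNOWN_LISTENERS allow-list are constructed for this example.

```shell
#!/bin/sh
# Added example, not chkrootkit's code: match listening ports against the
# bindshell() PORT list and triage hits by owning program rather than port only.

# Port pattern copied from the bindshell() function quoted in post #14.
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"

# Constructed sample of 'lsof -P -n -i'; the rpc.statd line mirrors post #1.
SAMPLE_LSOF='COMMAND    PID    USER   FD   TYPE DEVICE SIZE NODE NAME
rpc.statd 11002 rpcuser    7u  IPv4  63938       TCP *:1008 (LISTEN)
sshd       1843    root    3u  IPv4   5021       TCP *:22 (LISTEN)
perl       4455  nobody    4u  IPv4  77123       TCP *:31337 (LISTEN)
httpd      2201  apache    5u  IPv4   6120       TCP *:80 (LISTEN)'

# Print "port command user" for every listening socket whose port is in $PORT.
# Same match chkrootkit performs, but the program and user are kept for triage.
bindshell_hits() {
    printf '%s\n' "$SAMPLE_LSOF" | awk -v ports="$PORT" '
        BEGIN { n = split(ports, p, "|"); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $NF == "(LISTEN)" {
            k = split($(NF-1), a, ":"); port = a[k]      # "*:1008" -> "1008"
            if (port in want) print port, $1, $3
        }'
}

# Constructed allow-list of "port:program" pairs the admin has verified.
KNOWN_LISTENERS="1008:rpc.statd"

# Tag each hit "expected" only when BOTH port and program match the allow-list;
# anything else is INVESTIGATE. Keying on the program is what removing 1008
# from $PORT cannot do: a real bindshell on 1008 would still be flagged here.
triage_hits() {
    bindshell_hits | while read -r port cmd user; do
        status=INVESTIGATE
        for k in $KNOWN_LISTENERS; do
            if [ "$k" = "$port:$cmd" ]; then status=expected; fi
        done
        printf '%s %s %s %s\n' "$port" "$cmd" "$user" "$status"
    done
}

# Stand-alone run: print the triaged table for the sample.
triage_hits
```

On a live host replace SAMPLE_LSOF with the real `lsof -P -n -i` output and keep KNOWN_LISTENERS to the listeners you have actually verified.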