Old 02-27-2012, 05:06 PM   #1
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 135

Rep: Reputation: 1
chkrootkit bindshell INFECTED PORT 4369


I have run chkrootkit and it says:
Checking `bindshell'... INFECTED (PORTS: 4369)

I have checked port:
netstat -an|grep 4369
# tcp 0 0* LISTEN

sudo lsof -i :4369
epmd 2701 rabbitmq 3u IPv4 15884 0t0 TCP *:epmd (LISTEN)
epmd 2701 rabbitmq 5u IPv4 14008 0t0 TCP localhost.localdomain:epmd->localhost.localdomain:40679 (ESTABLISHED)
beam.smp 2783 rabbitmq 9u IPv4 10037 0t0 TCP localhost.localdomain:40679->localhost.localdomain:epmd (ESTABLISHED)

I do not have portsentry installed.

Could anybody please help me find out whether this is a problem,
or whether it is just the epmd application on the local machine using this port
and it is not exploited by some rootkit?
Any more investigation possibilities, and how?

thank you,
kind regards,

Last edited by masuch; 02-27-2012 at 05:41 PM.
Old 02-27-2012, 07:29 PM   #2
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,958

Rep: Reputation: 809

Seems like 4369 is a long-standing known issue. It is quite normal with a program like chkrootkit to find one or two false positives, and the first thing to do is to fire up your favourite search engine and check it out, rather than panicking immediately (panicking can wait 'till a little later).
Old 02-27-2012, 07:52 PM   #3
Registered: May 2001
Posts: 28,435
Blog Entries: 54

Rep: Reputation: 3240
...and if you understand the warning as posted in the above report then here's how to patch CRT to add a port whitelist for the bindshell() test:
Old 02-28-2012, 05:56 AM   #4
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 135

Original Poster
Rep: Reputation: 1

Thank you folks for the answers.
I have read about the long-standing issue for port 4369, so no, I am not panicking at all :-)
I am also aware of adding the bindshell port to the whitelist.

But my question was how to investigate to be sure that this is the case?
I am interested in the investigation process - how to go more deeply into it.

(Simplified example: I am not a specialist in Linux, but on Windows I have been playing with the source code of a rootkit capable of exploiting all running processes in memory.
The rootkit used another application (or applications) which had been allowed access through the port to the internet, sending packets outside the OS to another URL. So the firewall did not detect anything. Only a deeper analysis of the process(es) revealed that it was a rootkit. I do not want to describe it more deeply because it was on Windows.) I would like to know how to do deeper analysis on Linux.
... tools, URLs, tips.)
I hope it is clearer now.

Thank you,
Kind Regards,
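One way to do the "deeper" investigation asked for above, as an added example that is not part of the thread: trace a port chkrootkit flagged back to the listening process, its real binary, its parent, and the package that shipped it, then verify the package's files. The parser `lsof_listener` is exercised on the lsof output posted in this thread; the live `investigate_port` function assumes lsof, /proc and dpkg/debsums (or rpm) are available and is run as root with the port as argument.

```shell
#!/bin/sh
# Added example (not from the thread): trace a port chkrootkit reported as
# "bindshell INFECTED" back to process, binary and package, so that
# epmd/RabbitMQ on 4369 can be told apart from an unknown listener.

# Parse `lsof -i :PORT` output (from stdin) and print "COMMAND PID USER"
# for the first line that is in LISTEN state.
lsof_listener() {
    awk '$NF == "(LISTEN)" { print $1, $2, $3; exit }'
}

# Constructed sample: the lsof output the original poster pasted.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
epmd 2701 rabbitmq 3u IPv4 15884 0t0 TCP *:epmd (LISTEN)
epmd 2701 rabbitmq 5u IPv4 14008 0t0 TCP localhost.localdomain:epmd->localhost.localdomain:40679 (ESTABLISHED)
beam.smp 2783 rabbitmq 9u IPv4 10037 0t0 TCP localhost.localdomain:40679->localhost.localdomain:epmd (ESTABLISHED)'

# Live check of one port (run as root so lsof and /proc show other users).
investigate_port() {
    port=$1
    set -- $(lsof -nP -i ":$port" | lsof_listener)
    [ -n "$2" ] || { echo "nothing listening on port $port"; return 1; }
    cmd=$1; pid=$2; user=$3
    echo "port $port: $cmd (pid $pid) running as $user"
    # Real binary; a path ending in "(deleted)" or under /tmp deserves scrutiny.
    exe=$(readlink "/proc/$pid/exe")
    echo "binary:  $exe"
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    ppid=$(ps -o ppid= -p "$pid" | tr -d ' ')
    echo "parent:  pid $ppid ($(ps -o comm= -p "$ppid"))"
    # Which package owns the binary, and do its files still match the package?
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$exe" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] || { echo "no package owns $exe"; return 1; }
        echo "package: $pkg"
        command -v debsums >/dev/null 2>&1 && debsums -s "$pkg" && echo "package files verified"
    elif command -v rpm >/dev/null 2>&1; then
        pkg=$(rpm -qf "$exe") && echo "package: $pkg" && rpm -V "$pkg"
    fi
}

# Usage: sh investigate.sh 4369
if [ $# -gt 0 ]; then
    investigate_port "$1"
fi
```

For the thread's output the parser yields `epmd 2701 rabbitmq`; the live run then shows whether that epmd binary belongs to an installed Erlang package and still matches its checksums, which is the evidence that separates a false positive from a planted listener.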
Old 02-28-2012, 08:56 AM   #5
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,652

Rep: Reputation: 1269
The thing about rootkits is that you have to burrow extremely deeply into the system in order to "plant" one.

Quite frankly, for any exploit to be successful in a reasonably-recently patched system, you have to leave a rather large door or window open somewhere. Unfortunately for most Windows users, Microsoft helpfully does this chore for them ... collecting very lucrative profits from its de facto subsidiary companies for so doing.
Old 02-28-2012, 10:58 AM   #6
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 135

Original Poster
Rep: Reputation: 1
For me, as a Linux newbie, I believe it is quite easy to leave many "open doors" to anybody :-)

:-) And more - M$ and co-operating companies forced us to understand computers better (those who are interested, of course) :-)

