LinuxQuestions.org
Old 02-27-2012, 05:06 PM   #1
masuch
Member
 
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 128

chkrootkit bindshell INFECTED PORT 4369


Hi,

I have run chkrootkit and it says:
Checking `bindshell'... INFECTED (PORTS: 4369)

I have checked port:
netstat -an|grep 4369
# tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN
# tcp 0 0 127.0.0.1:4369 127.0.0.1:40679 ESTABLISHED
# tcp 0 0 127.0.0.1:40679 127.0.0.1:4369 ESTABLISHED

sudo lsof -i :4369
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
epmd 2701 rabbitmq 3u IPv4 15884 0t0 TCP *:epmd (LISTEN)
epmd 2701 rabbitmq 5u IPv4 14008 0t0 TCP localhost.localdomain:epmd->localhost.localdomain:40679 (ESTABLISHED)
beam.smp 2783 rabbitmq 9u IPv4 10037 0t0 TCP localhost.localdomain:40679->localhost.localdomain:epmd (ESTABLISHED)


I do not have portsentry installed.

Could anybody please help me find out, to be sure, whether it is a problem,
or whether it is just the epmd application on the local machine using this port
and it is not exploited by some rootkit?
Any more investigation possibilities, and how?

thank you,
kind regards,
M.

Last edited by masuch; 02-27-2012 at 05:41 PM.
 
Old 02-27-2012, 07:29 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,860

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309386

Seems like 4369 is a long-standing known issue. It is quite normal with a program like chkrootkit to find one or two false positives, and the first thing to do is to fire up your favourite search engine and check it out, rather than panicking immediately (panicking can wait till a little later).
 
Old 02-27-2012, 07:52 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

...and if you understand the warning as posted in the above report then here's how to patch CRT to add a port whitelist for the bindshell() test: http://www.linuxquestions.org/questi...nd-notes-2531/
 
Old 02-28-2012, 05:56 AM   #4
masuch
Member
 
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 128

Original Poster
Hi,

Thank you folks for the answers.
I have read about the long-standing issue for port 4369, so no, I am not panicking at all :-)
I am also aware of adding the bindshell port to the whitelist.

But my question was how to investigate to be sure that it is like that?
I am interested in the investigation process - how to go more deeply into it.

(Simplified example: I am not a specialist in Linux, but on Windows I have been playing with the source code of a rootkit capable of exploiting all running processes in memory.
The rootkit has been using other application(s) which had been allowed access through the port to the internet, sending packets outside the OS to another URL. So, the firewall did not detect anything. Only a deeper analysis of the process(es) showed that it was a rootkit. I do not want to describe it more deeply because it was on Windows.) I would like to know how to do deeper analysis in Linux.
... tools, URLs, tips.
I hope it is more clear now.

Thank you,
Kind Regards,
M.
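One concrete check for the investigation the OP is asking about, as an added example that is not from any poster in this thread: read the kernel's own socket table in /proc/net/tcp, compare it with what netstat printed (a listener the kernel knows but the tool omits means netstat or a library it loads has been tampered with), and map the socket's inode to its owning PID by walking /proc/*/fd rather than trusting lsof. The /proc/net/tcp and netstat samples below are constructed (the 4369 rows mirror the first post; the uid, inode values and the extra port 9000 listener are placeholders).

```python
# Kernel view of TCP listeners (/proc/net/tcp) cross-checked against netstat output.
import glob, os, socket, struct
STATES = {"0A": "LISTEN", "01": "ESTABLISHED"}

def decode_addr(hexaddr):
    """'0100007F:1111' -> ('127.0.0.1', 4369); /proc stores the IPv4 address little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """(local_ip, local_port, state, uid, inode) for each row; the first line is the header."""
    rows = []
    for f in (line.split() for line in text.splitlines()[1:]):
        if len(f) >= 10:
            ip, port = decode_addr(f[1])
            rows.append((ip, port, STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return rows

def netstat_listeners(text):
    """(ip, port) of every LISTEN row in 'netstat -ant' output."""
    out = set()
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 6 and f[-1] == "LISTEN":
            ip, port = f[3].rsplit(":", 1)
            out.add((ip, int(port)))
    return out

def hidden_listeners(proc_text, netstat_text):
    kernel = {(ip, p) for ip, p, st, _, _ in parse_proc_net_tcp(proc_text) if st == "LISTEN"}
    return sorted(kernel - netstat_listeners(netstat_text))  # kernel knows, tool omitted

def pid_for_inode(inode):
    """PID owning socket:[inode], found by walking /proc/*/fd as lsof does (Linux only)."""
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                return int(fd.split("/")[2])
        except OSError:  # the process exited, the fd closed, or we may not read it
            pass
    return None

# Constructed sample: epmd on 4369 (0x1111) and its local connection, plus a 9000 (0x2328) listener.
PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1111 00000000:0000 0A 00000000:00000000 00:00000000 00000000   116        0 15884 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1111 0100007F:9EE7 01 00000000:00000000 00:00000000 00000000   116        0 14008 1 0000000000000000 20 4 30 10 -1
   2: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99999 1 0000000000000000 100 0 0 10 0
"""
NETSTAT = """\
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4369          127.0.0.1:40679         ESTABLISHED
"""
```

On a live box replace the samples with open("/proc/net/tcp").read() and the captured netstat output, then feed the inode of any suspicious row to pid_for_inode() and inspect /proc/PID/exe and /proc/PID/cmdline for that PID.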
 
Old 02-28-2012, 08:56 AM   #5
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,049

The thing about rootkits is that you have to burrow extremely deeply into the system in order to "plant" one.

Quite frankly, for any exploit to be successful in a reasonably-recently patched system, you have to leave a rather large door or window open somewhere. Unfortunately for most Windows users, Microsoft helpfully does this chore for them ... collecting very lucrative profits from its de facto subsidiary companies for so doing.
 
Old 02-28-2012, 10:58 AM   #6
masuch
Member
 
Registered: Sep 2011
Location: /dev/null
Distribution: ubuntu 64bits
Posts: 128

Original Poster
For me, as a Linux newbie, I believe it is quite easy to leave many "open doors" to anybody :-)

:-) And more - M$ and co-operative companies forced us to better understand computers (whoever is interested, of course) :-)
 
  

