chkrootkit infected ports

metzenx · 12-23-2013, 05:32 PM

hi,
my chkrootkit says Checking `bindshell'... INFECTED (PORTS: 1524 6667 31337)

what's wrong? and what can I do?

thank you

edit

I'm running portsentry and logcheck, may that be a false positive?

John VV · 12-23-2013, 05:59 PM

Try using google on the errors and outpiut of chkrootkit
"INFECTED (PORTS: 1524 6667 31337)"

a 2009 post
http://ubuntuforums.org/showthread.php?t=1273168

a post from 2011
http://askubuntu.com/questions/25176...does-that-mean

descendant_command · 12-23-2013, 06:04 PM

check what is running on those ports

Code:

netstat -ntulp | grep -e '1524\|6667\|31337'

metzenx · 12-23-2013, 08:12 PM

it gives me that

PC cuervo # netstat -ntulp | grep -e '1524\|6667\|31337'
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 1572/portsentry
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 1572/portsentry
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 1572/portsentry
udp 0 0 0.0.0.0:31337 0.0.0.0:* 1576/portsentry

I've been scanning my ports and don't know if I have closed them myself... don't understand

metaschima · 12-23-2013, 09:11 PM

Try rkhunter and see if it also detects any rootkits. chrootkit is getting old and unmaintained.

descendant_command · 12-23-2013, 09:48 PM

All chkrootkit does is check those ports for a listening service, as they are (were) typically used by the "nasty" it is checking for.
You have portsentry listening on them (which you have presumably set up to do so) so there is no problem.

metzenx · 12-24-2013, 09:02 AM

thank you for answering

rkhunter gives me some warnings but no rootkits

the warnings are:

/usr/bin/unhide.rb [ Warning ]
Checking for backdoor ports [ Warning ]
Checking /dev for suspicious file types [ Warning ]
Checking for hidden files and directories [ Warning ]

seems kind of scary no?

Habitual · 12-24-2013, 09:09 AM

review /var/log/rkhunter.log

lsof -i :<port> and review

6667 is suspicious as an irc port, as is 31337, (but maybe not for irc activity)

If the processes are not running, the lsof on them will return nothing.
If they are running, or recently run. lsof will show you what files started/used them.

metaschima · 12-24-2013, 11:34 AM

Port 31337 is concerning. See:
https://en.wikipedia.org/wiki/Back_Orifice
This trojan program has a unix client, are you running it by any chance ?

metzenx · 12-25-2013, 09:25 AM

Quote:

lsof -i :<port> and review

lsof returned me nothing

what about netstat -an <port> ? I would post what I got but it's a bit long... how can I check if there's something weird in there?

Quote:

This trojan program has a unix client, are you running it by any chance ?

how can I know if I'm running it?

metaschima · 12-25-2013, 12:25 PM

Check 'ps -u root'.

metzenx · 12-25-2013, 01:55 PM

Quote:

Check 'ps -u root'.

the only client I find is dhclient is that a UNIX one?

thx

metzenx · 12-25-2013, 02:09 PM

well, aparently it is

metzenx · 12-25-2013, 02:14 PM

if descendant is right would be nice, then my question is: is it possible that what rkhunter detects is portsentry listening to the ports or is it something else? sorry for my newbie talk :P

metaschima · 12-25-2013, 02:24 PM

Yeah, you may want to check its configuration, or turn it off temporarily and if the ports are no longer used.