chkrootkit found an infected port
Got this in my file this morning:
any ideas what to do? That port isn't open for input:
Code:
Checking `bindshell'... INFECTED (PORTS: 1008)
Code:
Warning: This operating system is not fully supported!
For the bindshell thing, compare this thread:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539
Check your chkrootkit version - if in doubt, get a new one and re-check; same goes for rkhunter. rpc.statd is used in context with NFS - that may be good for a false positive as described in the (very dated) bug report.
M.
Maybe do a
Code:
netstat -an | grep 1008
Rkhunter can give false positives.
Quote:
Code:
[root@localhost cron.daily]# /usr/sbin/lsof -P -n -i | grep 1008
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.
Quote:
Is there a way to get rid of this: grep -i port rkhunter.conf or does rkhunter not support centos?
Quote:
Also, what about this:
Code:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist
/usr/lib/gtk-2.0/immodules/.relocation-tag
/lib/.libcrypto.so.6.hmac
/lib/.libcrypto.so.0.9.8e.hmac
Quote:
The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?
It's not a command that enables whitelisting the port but (in a RKH 1.3.4 version) a way to draw your attention to whitelisting in rkhunter.conf. If you run 1.3.4 then read the section where it reads PORT_WHITELIST.
Interesting to find a search for a rootkit called the F**k'it rootkit - lol!
On updating to 1.3.4 and re-running there were no errors about the port so must have been an old version. I have found the whitelist section in the conf file, which I swapped over so all looks good. Thanks
Code:
--- chkrootkit.orig 2009-08-01 23:01:00.000000000 +0000
Code:
--- chkrootkit.orig 2009-08-01 23:02:00.000000000 +0000