LinuxQuestions.org

Thread: chkrootkit found an infected port (https://www.linuxquestions.org/questions/linux-newbie-8/chkrootkit-found-an-infected-port-747721/)

qwertyjjj 08-15-2009 05:02 AM

chkrootkit found an infected port
 
Got this in my file this morning:
any ideas what to do? That port isn't open for input:

Code:

Checking `bindshell'... INFECTED (PORTS:  1008)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
eth0:0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'...  The tty of the following user process(es) were not found
 in /var/run/utmp !
! RUID          PID TTY    CMD
! root        3147 tty2  /sbin/mingetty tty2
! root        3161 tty5  /sbin/mingetty tty5
! root        3165 tty6  /sbin/mingetty tty6
chkutmp: nothing deleted


[root@localhost cron.daily]# /usr/sbin/lsof -P -n -i | grep 1008
rpc.statd 11002 rpcuser    7u  IPv4  63938      TCP *:1008 (LISTEN)
[root@localhost cron.daily]#

On a related note, rkhunter returns this:
Code:

Warning: This operating system is not fully supported!
All MD5 checks will be skipped!


MoonMind 08-15-2009 06:02 AM

For the bindshell thing, compare this thread:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539

Check your chkrootkit version - if in doubt, get a new one and re-check; same goes for rkhunter. rpc.statd is used in the context of NFS - that may well account for a false positive, as described in the (very dated) bug report.

M.

qwertyjjj 08-15-2009 06:04 AM

Quote:

Originally Posted by MoonMind (Post 3644222)
For the bindshell thing, look here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=160539

M.

That's an old bug from 2002, isn't it? Plus, the port is for mailservers on 465.

repo 08-15-2009 06:11 AM

Maybe do a
Code:

netstat -an | grep 1008
To see if anything is listening on that port

Rkhunter can give false positives.

qwertyjjj 08-15-2009 06:12 AM

Quote:

Originally Posted by repo (Post 3644235)
Maybe do a
Code:

netstat -an | grep 1008
To see if anything is listening on that port

Rkhunter can give false positives.

I did already :)

Code:

[root@localhost cron.daily]# /usr/sbin/lsof -P -n -i | grep 1008
rpc.statd 11002 rpcuser    7u  IPv4  63938      TCP *:1008 (LISTEN)
[root@localhost cron.daily]#


unSpawn 08-15-2009 07:29 AM

Add an exclusion: `grep -i port rkhunter.conf` and take it from there.

qwertyjjj 08-15-2009 07:33 AM

Quote:

Originally Posted by unSpawn (Post 3644295)
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.

port being the port number? How does grep add an exception to the file? I ran it but can't see any changes in the rkhunter.conf file.

Is there a way to get rid of this:
grep -i port rkhunter.conf

or does rkhunter not support CentOS?

MoonMind 08-15-2009 04:52 PM

Quote:

Originally Posted by qwertyjjj (Post 3644224)
That's an old bug from 2002 isn't it + the port is for mailservers on 465.

Scroll down to the discussion...

M.

qwertyjjj 08-16-2009 04:28 AM

Quote:

Originally Posted by unSpawn (Post 3644295)
Add an exclusion: `grep -i port rkhunter.conf` and take it from there.

The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?

Also, what about this:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/gtk-2.0/immodules/.relocation-tag /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac

unSpawn 08-16-2009 05:15 AM

Quote:

Originally Posted by qwertyjjj (Post 3645100)
The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?

It's not a command that enables whitelisting the port but (in an RKH 1.3.4 version) a way to draw your attention to whitelisting in rkhunter.conf. If you run 1.3.4 then read the section where it reads PORT_WHITELIST.


Quote:

Originally Posted by qwertyjjj (Post 3645100)
Also, what about this:
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /usr/lib/gtk-2.0/immodules/.relocation-tag /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac

Files whose filenames begin with a dot were used in the past millennium as a way to hide them, because they will only be listed when "-a" is used in 'ls'. Please read the accompanying FAQ, chapter 3 "USAGE QUESTIONS".

qwertyjjj 08-16-2009 05:31 AM

.....post deleted.....

qwertyjjj 08-16-2009 05:46 AM

Interesting to find a search for a rootkit called the F**k'it rootkit - lol!
On updating to 1.3.4 and re-running, there were no errors about the port, so it must have been an old version.
I have found the whitelist section in the conf file, which I swapped over so all looks good. Thanks

qwertyjjj 08-16-2009 05:48 AM

Quote:

Originally Posted by unSpawn (Post 3645145)
Quote:

Originally Posted by qwertyjjj (Post 3645100)
The exclusion didn't seem to work with that command. Is there a section in rkhunter.conf for exclusions?

It's not a command that enables whitelisting the port but (in an RKH 1.3.4 version) a way to draw your attention to whitelisting in rkhunter.conf. If you run 1.3.4 then read the section where it reads PORT_WHITELIST.

Files whose filenames begin with a dot were used in the past millennium as a way to hide them, because they will only be listed when "-a" is used in 'ls'. Please read the accompanying FAQ, chapter 3 "USAGE QUESTIONS".

Hang on...sorry, the port is listed in chkrootkit not rkhunter :)

Quote:

chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?

Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.
So, I just leave them basically.

unSpawn 08-16-2009 07:58 AM

Quote:

Originally Posted by qwertyjjj (Post 3645171)
Hang on...sorry, the port is listed in chkrootkit not rkhunter :)

Ah. I see. My mistake.


Quote:

Originally Posted by qwertyjjj (Post 3645171)
So, I just leave them basically.

One way could be to remove the port:
Code:

--- chkrootkit.orig    2009-08-01 23:01:00.000000000 +0000
+++ chkrootkit.1008    2009-08-01 23:02:00.000000000 +0000
@@ -266,7 +266,7 @@
    fi
 }
 bindshell () {
-PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
+PORT="114|145|465|511|600|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
    OPT="-an"
    PI=""
    if [ "${ROOTDIR}" != "/" ]; then
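Review bot: deleting 1008 from the PORT alternation in bindshell() (the `-PORT=` / `+PORT=` pair) silences the check for every listener on that port, not just rpc.statd, so a real bindshell bound to 1008 on this host would go unreported. A narrower fix is to keep the port in the list and have bindshell() look up the owning process of each matched listener (what `lsof -P -n -i | grep 1008` did above, showing rpc.statd) and only report when that process is not an expected daemon. While here, the list is not in numeric order (7222 sits after 60001), which makes later additions and removals like this one easy to get wrong.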

* Also note Chkrootkit currently still checks for /proc/ksyms instead of /proc/kallsyms (that is, in kernel 2.6 AND with CONFIG_KALLSYMS=y enabled at kernel compile time):
Code:

--- chkrootkit.orig    2009-08-01 23:02:00.000000000 +0000
+++ chkrootkit.1008    2009-08-01 23:03:00.000000000 +0000
@@ -306,7 +306,7 @@
      fi

      if [ "${EXPERT}" = "t" ]; then
-        [ -r /proc/ksyms ] &&  ${egrep} -i "adore|sebek" < /proc/ksyms 2>/dev/null
+        [ -r /proc/kallsyms ] &&  ${egrep} -i "adore|sebek" < /proc/kallsyms 2>/dev/null
          [ -d /proc/knark ] &&  ${ls} -la /proc/knark 2> /dev/null
          PV=`$ps -V 2>/dev/null| $cut -d " " -f 3 |${awk} -F . '{ print $1 "." $2 $3 }' | ${awk} '{ if ($0 > 3.19) print 3; else if ($0 < 2.015) print 1; else print 2 }'`
          [ "$PV" = "" ] &&  PV=2
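Review bot: swapping `/proc/ksyms` for `/proc/kallsyms` in the EXPERT branch drops the 2.4-kernel path instead of adding the 2.6 one; because the `[ -r ... ] &&` guard already makes a missing file harmless, keeping one line per path (`[ -r /proc/ksyms ] && ...` followed by `[ -r /proc/kallsyms ] && ...`) costs nothing and keeps older kernels covered. The caveat stated in the post applies to the patched line too: without CONFIG_KALLSYMS=y there is no /proc/kallsyms and this branch silently does nothing, which the script does not report to the user.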
@@ -316,14 +316,14 @@
      fi

      ### adore LKM
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i adore < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Adore LKM installed"
      fi

      ### sebek LKM (Adore based)
-      [ -r /proc/ksyms ] && \
-      if `${egrep} -i sebek < /proc/ksyms >/dev/null 2>&1`; then
+      [ -r /proc/kallsyms ] && \
+      if `${egrep} -i sebek < /proc/kallsyms >/dev/null 2>&1`; then
          echo "Warning: Sebek LKM installed"
      fi
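Review bot: the same /proc/ksyms versus /proc/kallsyms point as in the hunk above applies to both the adore and sebek blocks here; testing both paths rather than replacing one with the other keeps 2.4 kernels covered. Separately, the unchanged form `if \`${egrep} -i adore < /proc/kallsyms >/dev/null 2>&1\`; then` only works because the shell runs the empty output of the backticks as a command and inherits egrep's exit status, which is obscure and fragile; `if ${egrep} -qi adore /proc/kallsyms 2>/dev/null; then` states the same test directly and would be a good cleanup while these lines are being touched.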

I pointed Nelson at Debian Bug #411128 ages ago, but he's even more stubborn than I am.
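The manual step the thread ends up at, looking up which process owns a port that the bindshell() signature flagged before trusting the alert, as a small shell function. This is an added example, not code from chkrootkit or from any poster. The port alternation is copied from the bindshell() hunk above; the KNOWN_OK list, the function name and every sample lsof line other than the rpc.statd one are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not chkrootkit's code): triage chkrootkit's port-based
# "bindshell" signature by correlating each listener with its owning process,
# the step done by hand in the thread with `lsof -P -n -i | grep 1008`.

# Port alternation copied from the chkrootkit bindshell() function shown above.
BINDSHELL_PORTS="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"

# Daemons expected to bind a listed port on this host (assumption for the
# example; rpc.statd is what the thread found on 1008).
KNOWN_OK="rpc.statd"

# Constructed sample of `lsof -P -n -i` output. Only the rpc.statd line mirrors
# the thread; the other lines are made up for the example.
SAMPLE_LSOF='COMMAND     PID    USER   FD   TYPE DEVICE SIZE NODE NAME
rpc.statd 11002 rpcuser    7u  IPv4  63938      TCP *:1008 (LISTEN)
sshd       1234    root    3u  IPv4   9876      TCP *:22 (LISTEN)
nc         4321    root    3u  IPv4  55555      TCP *:31337 (LISTEN)
httpd      2222  apache    4u  IPv4  22222      TCP *:80 (LISTEN)'

# bindshell_triage: read `lsof -P -n -i` output on stdin and print one line
#   STATUS PORT COMMAND PID
# for every LISTEN socket whose port is in BINDSHELL_PORTS. STATUS is
# EXPECTED when COMMAND is in KNOWN_OK and SUSPECT otherwise.
bindshell_triage() {
    awk -v ports="^(${BINDSHELL_PORTS})\$" -v ok="$KNOWN_OK" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        /\(LISTEN\)$/ {
            # NAME is the field before "(LISTEN)", e.g. *:1008 or 10.0.0.5:1008;
            # keep only the port after the last colon.
            port = $(NF - 1); sub(/.*:/, "", port)
            if (port !~ ports) next
            status = ($1 in allow) ? "EXPECTED" : "SUSPECT"
            print status, port, $1, $2
        }' | sort -k2,2n
}

# Stand-alone run over the constructed sample. On a live host feed it
# `lsof -P -n -i` instead.
printf '%s\n' "$SAMPLE_LSOF" | bindshell_triage
```

On the sample this prints `EXPECTED 1008 rpc.statd 11002` and `SUSPECT 31337 nc 4321`; sshd and httpd are not on the list and are skipped. EXPECTED only means the port is held by a daemon you named, and the whole check trusts the lsof output, which a rootkit that hides processes would falsify. Pair it with chkrootkit's own checks of the system binaries, and verify lsof itself against the package database (`rpm -V lsof` on CentOS) before believing what it lists.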

