LinuxQuestions.org

Linux - Security forum thread: https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-bindshell-infected-port-4369-a-931622/

masuch 02-27-2012 05:06 PM

chkrootkit bindshell INFECTED PORT 4369
 
Hi,

I have run chkrootkit and it says:
Checking `bindshell'... INFECTED (PORTS: 4369)

I have checked port:
netstat -an|grep 4369
# tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN
# tcp 0 0 127.0.0.1:4369 127.0.0.1:40679 ESTABLISHED
# tcp 0 0 127.0.0.1:40679 127.0.0.1:4369 ESTABLISHED

sudo lsof -i :4369
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
epmd 2701 rabbitmq 3u IPv4 15884 0t0 TCP *:epmd (LISTEN)
epmd 2701 rabbitmq 5u IPv4 14008 0t0 TCP localhost.localdomain:epmd->localhost.localdomain:40679 (ESTABLISHED)
beam.smp 2783 rabbitmq 9u IPv4 10037 0t0 TCP localhost.localdomain:40679->localhost.localdomain:epmd (ESTABLISHED)


I do not have portsentry installed.

Could anybody please help me find out for sure whether this is a problem,
or whether it is just the epmd application on the local machine using this port
and not something exploited by a rootkit?
Are there any further investigation possibilities, and how?

thank you,
kind regards,
M.

salasi 02-27-2012 07:29 PM

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309386

Seems like 4369 is a long-standing known issue. It is quite normal with a program like chkrootkit to find one or two false positives, and the first thing to do is to fire up your favourite search engine and check it out, rather than panicking immediately (panicking can wait 'till a little later).

unSpawn 02-27-2012 07:52 PM

...and if you understand the warning as posted in the above report then here's how to patch CRT to add a port whitelist for the bindshell() test: http://www.linuxquestions.org/questi...nd-notes-2531/

masuch 02-28-2012 05:56 AM

Hi,

Thank you folks for the answers.
I have read about the long-standing issue for port 4369, so no, I am not panicking at all :-)
I am also aware of adding the bindshell port to the whitelist.

But my question was how to investigate to be sure that it really is like that.
I am interested in the investigation process - how to go more deeply into it.

(Simplified example: I am not a specialist in Linux, but on Windows I have been playing with the source code of a rootkit capable of exploiting all running processes in memory.
The rootkit used other application(s) that were allowed access through the port to the internet, sending packets outside the OS to another URL. So the firewall did not detect anything. Only a deeper analysis of the process(es) revealed that it was a rootkit. I do not want to describe it more deeply because it was on Windows.) I would like to know how to do deeper analysis in Linux
... tools, URLs, tips.
I hope it is clearer now.

Thank you,
Kind Regards,
M.
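One way to go a level below netstat/lsof when checking a port like 4369: read /proc/net/tcp yourself, pull the socket inode for the LISTEN entry, and walk /proc/<pid>/fd to find which process holds it and what binary it runs from. This is an added example for the thread, not code from chkrootkit or from any poster; the /proc/net/tcp sample below is constructed to mirror the epmd output above.

```python
"""Map a listening TCP port to its socket inode and owning process by reading
/proc directly, so the answer can be cross-checked against netstat/lsof/chkrootkit."""
import os


def parse_listening_sockets(proc_net_tcp_text):
    """Return {port: inode} for sockets in LISTEN state (st column == 0A).

    /proc/net/tcp gives local_address as hex IP:PORT; the inode column is the
    key that ties the socket to a file descriptor under /proc/<pid>/fd."""
    listening = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if state == "0A":
            port = int(local_addr.split(":")[1], 16)
            listening[port] = int(inode)
    return listening


def find_socket_owner(inode, proc_root="/proc"):
    """Walk /proc/<pid>/fd and return (pid, exe_path) for the process holding
    socket:[inode]. exe_path ends in ' (deleted)' if the binary was unlinked
    after start, which deserves a closer look. Needs root to read other
    users' fd tables."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid), os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:  # process exited or fd table not readable; keep scanning
            continue
    return None


# Constructed sample: epmd listening on 4369 (0x1111) plus one established peer.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1111 00000000:0000 0A 00000000:00000000 00:00000000 00000000   115        0 15884 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1111 0100007F:9EE7 01 00000000:00000000 00:00000000 00000000   115        0 14008 1 0000000000000000 20 4 0 10 -1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        for port, inode in sorted(parse_listening_sockets(f.read()).items()):
            print(port, inode, find_socket_owner(inode))
```

Once you have the exe path, confirm it belongs to an installed package (dpkg -S or rpm -qf) and compare the list with what netstat, lsof and an external port scan report; a port that shows up in one view but not another is the real warning sign, since a rootkit that hooks libc or the kernel can hide from /proc as well.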

sundialsvcs 02-28-2012 08:56 AM

The thing about rootkits is that you have to burrow extremely deeply into the system in order to "plant" one.

Quite frankly, for any exploit to be successful in a reasonably-recently patched system, you have to leave a rather large door or window open somewhere. Unfortunately for most Windows users, Microsoft helpfully does this chore for them ... collecting very lucrative profits from its de facto subsidiary companies for so doing.

masuch 02-28-2012 10:58 AM

For me, as a Linux newbie, I believe it is quite easy to leave many "open doors" to anybody :-)

:-) And what's more - M$ and its co-operating companies forced us to understand computers better (those who are interested, of course) :-)
