LinuxQuestions.org

Linux - Security forum thread: chkrootkit Checking `bindshell'... INFECTED (PORTS: 600)
https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-checking-%60bindshell-infected-ports-600-a-653981/

gavin2u 07-06-2008 10:07 PM

chkrootkit Checking `bindshell'... INFECTED (PORTS: 600)
 
Quote:

#chkrootkit | grep INFECTED
Checking `bindshell'... INFECTED (PORTS: 600)
INFECTED?!

What could I do then?

Thanks in advance :)

gilead 07-06-2008 11:18 PM

You could check what is listening on that port with:
Code:

netstat -pane | grep 600
You could also use lsof to see which files are open for that socket. Are you getting any other warnings and have you cross-checked your results with rkhunter?

unSpawn 07-07-2008 08:00 AM

To add to that: Gilead's advice of netstat plus lsof can help you see whether that's a legitimate service running on port TCP/600, if you don't know that yourself. That is necessary because chkrootkit only triggers on the port number itself. If you run a legitimate service there, then it's a false positive.

simonapnic 07-08-2008 07:40 AM

First of all, do a full port scan of your system:
nmap 127.0.0.1
After that do a netstat -plant | grep 600 and look for the service/process listening on 600.
It should be noted that in order to bind to a port <1024 you need uid 0 (root) privileges, so if the attacker has such privileges, he might've infected netstat and other binaries. You should check their md5sums and stuff. If they're infected, replace them with original copies.

unSpawn 07-08-2008 10:50 AM

Quote:

Originally Posted by simonapnic (Post 3207556)
First of all, do a full port scan of your system: nmap 127.0.0.1

That only makes sense if you suspect more problems than this single port. In general the idea of checking more makes sense, but even then using any other local port-listing tool would do IMHO.


Quote:

Originally Posted by simonapnic (Post 3207556)
It should be noted that in order to bind to a port <1024 you need uid 0 (root) privilleges, so if the attacker has such privilleges, he might've infected netstat and other binaries.

That is good advice. It should be followed by something like "run your tests from a Live CD like KNOPPIX, HELIX or your distributions installation CDs in rescue mode (if possible) if you suspect tampering or don't trust results".


Quote:

Originally Posted by simonapnic (Post 3207556)
You should check their md5sums and stuff. If they're infected, replace them with original copies.

That is seriously ill advice; please don't! If binaries are subverted, then the whole box is untrustworthy and should be handled as such. Patching things up and reinstalling some binaries as if nothing happened is not good. See the "run from CD" part and maybe check the CERT links that get posted regularly: http://www.cert.org/tech_tips/intrud...checklist.html and http://www.cert.org/tech_tips/root_compromise.html.

creatura85 10-26-2011 06:51 AM

I got this thing when chkrootkit did a system check in the morning (cron job). I started chkrootkit again later on, because I did not see the e-mail this morning, and no infected port 600; nmap 127.0.0.1 and netstat -plant | grep 600 did not find a thing. Rkhunter is running; it did not find anything either. I suspect that a service used the port while chkrootkit was running (service not in whitelist), so if you did not receive this on any other day before the day it happened for the first time, and of course you have a firewall (I have 2), then this is another false positive from chkrootkit. Personally on my box only ports 80 and 28838 are open... so it's really weird in a certain way.

OS: openSUSE Tumbleweed (using openSUSE 11.4 as base) x86_64.
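Putting gilead's and unSpawn's "find out what is really on port 600" check together with creatura85's transient-service theory, here is an added example that is not part of the thread and not any poster's code. It looks up what is listening on exactly port 600 (a plain `grep 600` also matches 6000, 16000 and any PID that happens to contain "600"), resolves the process behind a hit via /proc, and can sample the socket table repeatedly around the time the chkrootkit cron job fires, so a short-lived listener shows up with a timestamp. The function names (`listeners_on_port`, `describe_pid`, `check_port_live`, `watch_port`) are mine, it uses `ss` from iproute2 where the posters used netstat, and the `ss -Hlntup` sample at the bottom is constructed, not captured from anyone's machine. The rpc.statd entry in that sample is the common benign explanation for port 600 on glibc systems: RPC helpers that obtain a reserved port through bindresvport(3) get one from the 600-1023 range. unSpawn's caveat still applies: on a box you suspect is rooted, `ss`, awk and /proc can all lie, so treat a live result as a first look and not as proof.

```shell
#!/bin/sh
# Exact-port listener lookup for a chkrootkit "bindshell" hit (added example).
# listeners_on_port PORT reads `ss -Hlntup` output on stdin (no header,
# listening sockets, numeric, tcp+udp, process info) and prints
# "proto pid comm" for each socket whose LOCAL port is exactly PORT.
# Unlike `grep 600` it does not match 6000, 16000 or a PID containing "600".
listeners_on_port() {
    awk -v want="$1" '
    {
        n = split($5, a, ":")               # field 5 is the local address; the port follows the last ":"
        if (a[n] != want) next
        pid = "?"; comm = "?"               # stays "?" when ss could not show the owner (no -p permission)
        if (match($7, /pid=[0-9]+/)) {      # users:(("name",pid=NNN,fd=N))
            pid = substr($7, RSTART + 4, RLENGTH - 4)
        }
        if (match($7, /"[^"]+"/)) {
            comm = substr($7, RSTART + 1, RLENGTH - 2)
        }
        print $1, pid, comm
    }'
}

# What is really behind a live pid. An exe reported as "(deleted)", an exe
# outside the paths your package manager owns, or a cmdline that does not
# fit the comm are the things to look at next. Only meaningful on a box
# whose /proc and readlink you still trust (see the Live CD advice above).
describe_pid() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "pid $pid: gone already (transient listener?)"; return 1; }
    printf 'pid %s exe=%s cmdline=%s\n' "$pid" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
        "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
}

# One-shot live check of the real socket table.
check_port_live() {
    ss -Hlntup 2>/dev/null | listeners_on_port "$1" | while read -r proto pid comm; do
        echo "$proto/$1 -> $comm"
        describe_pid "$pid"
    done
}

# Sample the socket table every INTERVAL seconds for COUNT rounds, with a
# timestamp per hit, so a listener that exists only briefly (creatura85's
# theory for a one-off hit at cron time) is caught. Run it across the time
# the chkrootkit cron job fires.
watch_port() {
    port="$1"; interval="${2:-5}"; count="${3:-60}"
    i=0
    while [ "$i" -lt "$count" ]; do
        ss -Hlntup 2>/dev/null | listeners_on_port "$port" | while read -r proto pid comm; do
            echo "$(date '+%F %T') $proto/$port pid=$pid $comm"
        done
        i=$((i + 1))
        sleep "$interval"
    done
}

# Constructed sample of `ss -Hlntup` output for the demo; not taken from any
# poster's machine. Note the three decoys a bare `grep 600` would also hit:
# sshd's pid 16001, Xorg on 6000, and nothing else on 600 but rpc.statd.
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=16001,fd=3))
tcp LISTEN 0 128 0.0.0.0:600 0.0.0.0:* users:(("rpc.statd",pid=1203,fd=8))
udp UNCONN 0 0 [::]:600 [::]:* users:(("rpc.statd",pid=1203,fd=7))
tcp LISTEN 0 50 0.0.0.0:6000 0.0.0.0:* users:(("Xorg",pid=1500,fd=5))'

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE" | listeners_on_port 600 ;;   # the two rpc.statd sockets only
    --live)  check_port_live "${2:-600}" ;;
    --watch) watch_port "${2:-600}" "${3:-5}" "${4:-60}" ;;
esac
```

Usage: `sh port600.sh --demo` runs the parser over the constructed sample; `sh port600.sh --live 600` needs root for `ss -p` to show owners; `sh port600.sh --watch 600 5 120` samples for ten minutes, which is what you would leave running across the cron slot that produced creatura85's one-off hit. If a hit names a pid that is already gone by the time `describe_pid` runs, that is itself the answer: something bound the port briefly, and the next step is finding out what (auditd or a process accounting log on the same window, if the box is otherwise trusted).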

