chkrootkit Checking `bindshell'... INFECTED (PORTS: 600)
Quote:
What could I do then? Thanks in advance :)
You could check what is listening on that port with:
Code:
netstat -pane | grep 600
To add to that: Gilead's advice of netstat plus lsof can help you see if that's a legitimate service running on port TCP/600 if you don't know that yourself. That is necessary because Chkrootkit only triggers on the port number itself. If you run a legitimate service then it's a false positive.
First of all, do a full port scan of your system:
Code:
nmap 127.0.0.1
After that do a netstat -plant | grep 600 and look for the service/process listening on 600. It should be noted that in order to bind to a port <1024 you need uid 0 (root) privileges, so if the attacker has such privileges, he might've infected netstat and other binaries. You should check their md5sums and stuff. If they're infected, replace them with original copies.
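As an added example (not from any poster in this thread), a POSIX shell helper that matches the port against the Local Address column of the netstat or ss listing instead of a bare `grep 600`, which also hits port 6000 or a PID like 1600; both listings below are constructed sample output with made-up daemon names, and the `rpm -Vf` line is only mentioned in a comment.

```shell
# Added example, not from this thread: find what listens on a TCP port by matching
# the port against the Local Address column (field 4 in both `netstat -plant` and
# `ss -ltnp` output) rather than a bare `grep 600`, which also matches port 6000
# or a PID such as 1600.

# Constructed sample `netstat -plant` output; daemon names are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1600/httpd-prefork
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2222/Xorg
tcp        0      0 127.0.0.1:600           0.0.0.0:*               LISTEN      3141/mydaemon
tcp6       0      0 :::28838                :::*                    LISTEN      4242/tinyproxy'

# Constructed sample `ss -ltnp` output for the same sockets: a second, separate
# binary to cross-check with if netstat itself might have been replaced.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("httpd-prefork",pid=1600,fd=4))
LISTEN 0      128    0.0.0.0:6000        0.0.0.0:*         users:(("Xorg",pid=2222,fd=6))
LISTEN 0      128    127.0.0.1:600       0.0.0.0:*         users:(("mydaemon",pid=3141,fd=5))
LISTEN 0      128    [::]:28838          [::]:*            users:(("tinyproxy",pid=4242,fd=3))'

# Print the listing lines (stdin) whose local port equals $1 exactly.
listeners_on_port() {
    awk -v p="$1" 'NF >= 4 { n = split($4, a, ":"); if (a[n] == p) print }'
}

# Print only the process column (last field) of those lines.
listener_process() {
    listeners_on_port "$1" | awk '{ print $NF }'
}

# Number of lines a bare `grep PORT` would report, to show the over-match.
naive_grep_count() {
    grep -c "$1" || true
}

main() {
    echo "netstat: $(printf '%s\n' "$SAMPLE_NETSTAT" | listener_process 600)"
    echo "ss:      $(printf '%s\n' "$SAMPLE_SS" | listener_process 600)"
    echo "bare grep 600 hits: $(printf '%s\n' "$SAMPLE_NETSTAT" | naive_grep_count 600) lines"
    # On openSUSE, verify the inspecting tools against their packages, e.g.:
    #   rpm -Vf "$(command -v netstat)"   (not run in this example)
}
main
```

Pipe the real `netstat -plant` or `ss -ltnp` output into `listener_process 600` on the box; an empty result means nothing was bound to the port at that moment, which is consistent with a service that only held the port briefly while chkrootkit ran.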
I got this thing when chkrootkit did a system check in the morning (cron job). I started chkrootkit again later on because I did not see the e-mail this morning, and no infected port 600; nmap 127.0.0.1 and netstat -plant | grep 600 did not find a thing. Rkhunter is running; it did not find anything either. I suspect that a service used the port while chkrootkit was running (service not in whitelist), so if you did not receive this on any other day before the day it happened for the first time, and of course you have a firewall (I have 2), then this is another false positive from chkrootkit. Personally on my box only ports 80 and 28838 are open... so it's really weird in a certain way.
OS: openSUSE Tumbleweed (using openSUSE 11.4 as base) x86_64.