LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 07-06-2008, 11:07 PM   #1
gavin2u
Member
 
Registered: Nov 2007
Location: Beijing, China
Distribution: Any free distro.
Posts: 47

Rep: Reputation: 15
Question chkrootkit Checking `bindshell'... INFECTED (PORTS: 600)


Quote:
#chkrootkit | grep INFECTED
Checking `bindshell'... INFECTED (PORTS: 600)
INFECTED?!

what could i do then!

thx in advance
 
Old 07-07-2008, 12:18 AM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,138

Rep: Reputation: 168Reputation: 168
You could check what is listening on that port with:
Code:
netstat -pane | grep 600
You could also use lsof to see which files are open for that socket. Are you getting any other warnings and have you cross-checked your results with rkhunter?
 
Old 07-07-2008, 09:00 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
To add to that: Gileads advice of netstat plus lsof can help you see if that's a legitimate service running on port TCP/600 if you don't know that yourself. That is necessary because Chkrootkit only triggers on the port number itself. If you run a legitimate service then it's a false positive.
 
Old 07-08-2008, 08:40 AM   #4
simonapnic
Member
 
Registered: Jul 2008
Posts: 70

Rep: Reputation: 16
Post

First of all, do a full port scan of your system:
nmap 127.0.0.1
After that do a netstat -plant | grep 600, look for the service/process listening on 600.
It should be noted that in order to bind to a port <1024 you need uid 0 (root) privilleges, so if the attacker has such privilleges, he might've infected netstat and other binaries. You should check their md5sums and stuff. If they're infected, replace them with original copies.
 
Old 07-08-2008, 11:50 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
Quote:
Originally Posted by simonapnic View Post
First of all, do a full port scan of your system: nmap 127.0.0.1
That only makes sense if you suspect more problems than this single port. In general the idea of checking more makes sense, but even then using any other local port-listing tool would do IMHO.


Quote:
Originally Posted by simonapnic View Post
It should be noted that in order to bind to a port <1024 you need uid 0 (root) privilleges, so if the attacker has such privilleges, he might've infected netstat and other binaries.
That is good advice. It should be followed by something like "run your tests from a Live CD like KNOPPIX, HELIX or your distributions installation CDs in rescue mode (if possible) if you suspect tampering or don't trust results".


Quote:
Originally Posted by simonapnic View Post
You should check their md5sums and stuff. If they're infected, replace them with original copies.
That is seriously ill advice, please don't! If binaries are subverted, then whole box is untrustworthy and should be handled as such. Patching things up and reinstalling some binaries like nothing happened before is not good. See the "run from CD" part and maybe check the CERT links that get posted regularly: http://www.cert.org/tech_tips/intrud...checklist.html and http://www.cert.org/tech_tips/root_compromise.html.
 
Old 10-26-2011, 07:51 AM   #6
creatura85
LQ Newbie
 
Registered: Nov 2010
Location: Pitesti@Arges.Romania
Distribution: openSUSE
Posts: 15

Rep: Reputation: 0
I got this thing when chkrootkit did a system check in the morning(cron job). I have started chkrootkit again later on because i did not see the e-mail this morning and no infected port 600, nmap 127.0.0.1 and netstat -plant | grep 600 did not found a thing. Rkhunter is running he did not found nothing either; i suspect that a service used the port while chkrootkit was running (service not in whitelist) so if your did not receive this in any other day before the day it happened for the first time and of course you have a firewall (i have 2 ) then this is another false positive from chkrootkit. Personally on my box only port 80 and 28838 are opened... so its really weird in a certain way.

OS: openSUSE Tumbleweed (using openSUSE 11.4 as base) x86_64.

Last edited by unSpawn; 10-26-2011 at 07:23 PM. Reason: //Moderator says: please don't add non-critical information to stale threads. Closed.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Checking serial ports jwaters504 Linux - Hardware 1 09-17-2007 07:02 PM
chkrootkit suckit initng infected network 8% mimithebrain Linux - Security 4 03-29-2006 10:39 AM
chkrootkit found ifconfig infected ohcarol Linux - Security 4 02-28-2005 04:57 PM
465 Infected Ports. How reliable is chkroot? xbaez Linux - Security 1 01-12-2005 10:29 PM
chkrootkit problem (port 465 infected) myguest Linux - Security 1 09-30-2004 08:07 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:52 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration