INFECTED?!

what could i do then!

thx in advance

You could check what is listening on that port with:
You could also use lsof to see which files are open for that socket. Are you getting any other warnings and have you cross-checked your results with rkhunter?

To add to that: Gileads advice of netstat plus lsof can help you see if that's a legitimate service running on port TCP/600 if you don't know that yourself. That is necessary because Chkrootkit only triggers on the port number itself. If you run a legitimate service then it's a false positive.

First of all, do a full port scan of your system:
nmap 127.0.0.1
After that do a netstat -plant | grep 600, look for the service/process listening on 600.
It should be noted that in order to bind to a port <1024 you need uid 0 (root) privilleges, so if the attacker has such privilleges, he might've infected netstat and other binaries. You should check their md5sums and stuff. If they're infected, replace them with original copies.

That only makes sense if you suspect more problems than this single port. In general the idea of checking more makes sense, but even then using any other local port-listing tool would do IMHO.


That is good advice. It should be followed by something like "run your tests from a Live CD like KNOPPIX, HELIX or your distributions installation CDs in rescue mode (if possible) if you suspect tampering or don't trust results".


That is seriously ill advice, please don't! If binaries are subverted, then whole box is untrustworthy and should be handled as such. Patching things up and reinstalling some binaries like nothing happened before is not good. See the "run from CD" part and maybe check the CERT links that get posted regularly: http://www.cert.org/tech_tips/intrud...checklist.html and http://www.cert.org/tech_tips/root_compromise.html.

I got this thing when chkrootkit did a system check in the morning(cron job). I have started chkrootkit again later on because i did not see the e-mail this morning and no infected port 600, nmap 127.0.0.1 and netstat -plant | grep 600 did not found a thing. Rkhunter is running he did not found nothing either; i suspect that a service used the port while chkrootkit was running (service not in whitelist) so if your did not receive this in any other day before the day it happened for the first time and of course you have a firewall (i have 2 ) then this is another false positive from chkrootkit. Personally on my box only port 80 and 28838 are opened... so its really weird in a certain way.

OS: openSUSE Tumbleweed (using openSUSE 11.4 as base) x86_64.