Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
You could check what is listening on that port with:
Code:
netstat -pane | grep 600
You could also use lsof to see which files are open for that socket. Are you getting any other warnings and have you cross-checked your results with rkhunter?
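The netstat/lsof check above works, but `grep 600` is a loose match: in `netstat -pane` output it also hits port 6000 (X11) and any PID or inode number that merely contains the digits 600. The following script is an added example, not code from the thread or from chkrootkit: it matches the local port exactly on the "Local Address:Port" column that both `ss -ltnp` and `netstat -plant` print, and cross-checks with lsof. The socket listing inside it is constructed sample data; the process names and PIDs are made up.

```shell
#!/bin/sh
# Added example, not from the thread. Find what listens on a TCP port while
# matching the port exactly: "grep 600" over `netstat -pane` also hits port
# 6000 (X11) and any PID or inode number that merely contains "600".

# listeners_on_port PORT: keep only lines whose "Local Address:Port" column
# (field 4 in both `ss -ltnp` and `netstat -plant` output) ends in ":PORT".
listeners_on_port() {
    awk -v p="$1" '$4 ~ (":" p "$")'
}

# Constructed sample `ss -ltnp` output (made-up processes and PIDs) that shows
# the difference: a 6000 listener and a PID containing 600, plus a real 600.
sample_listing() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:6000  0.0.0.0:* users:(("Xorg",pid=1600,fd=7))
LISTEN 0 5   0.0.0.0:600     0.0.0.0:* users:(("unknownd",pid=2710,fd=9))
EOF
}

# How many sample lines the loose grep hits versus the exact port match.
loose_match_count() { sample_listing | grep -c 600; }
exact_match_count() { sample_listing | listeners_on_port 600 | wc -l | tr -d ' '; }

# live_listeners PORT: the same filter on the running host, then an lsof
# cross-check that names the owning process and its open files. Run as root
# to see other users' PIDs; the result is only as trustworthy as the
# ss/netstat/lsof binaries on that host.
live_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp | listeners_on_port "$1"
    else
        netstat -plant 2>/dev/null | listeners_on_port "$1"
    fi
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN
    fi
}

printf 'loose "grep 600" matches: %s, exact port matches: %s\n' \
    "$(loose_match_count)" "$(exact_match_count)"
if [ "$#" -gt 0 ]; then
    live_listeners "$1"
fi
```

Run it with the port as argument (for example `sh check_port.sh 600`, as root) to inspect the live host; on the sample data the loose grep hits two lines and the exact match one. Where `ss` is available, `ss -ltnp 'sport = :600'` applies the same port filter natively. Either way, output produced by the suspect host's own tools tells you nothing if those tools were replaced, which is the point made further down the thread.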
To add to that: Gilead's advice of netstat plus lsof can help you see whether that is a legitimate service running on TCP/600 if you don't know that yourself. That is necessary because chkrootkit only triggers on the port number itself. If you run a legitimate service there, then it's a false positive.
First of all, do a full port scan of your system: nmap 127.0.0.1
After that, do a netstat -plant | grep 600 and look for the service/process listening on 600.
It should be noted that in order to bind to a port <1024 you need uid 0 (root) privileges, so if the attacker has such privileges, he might've infected netstat and other binaries. You should check their md5sums and stuff. If they're infected, replace them with original copies.
Quote:
Originally Posted by simonapnic
First of all, do a full port scan of your system: nmap 127.0.0.1
That only makes sense if you suspect more problems than this single port. In general the idea of checking more makes sense, but even then using any other local port-listing tool would do IMHO.
Quote:
Originally Posted by simonapnic
It should be noted that in order to bind to a port <1024 you need uid 0 (root) privilleges, so if the attacker has such privilleges, he might've infected netstat and other binaries.
That is good advice. It should be followed by something like "run your tests from a Live CD like KNOPPIX, HELIX or your distributions installation CDs in rescue mode (if possible) if you suspect tampering or don't trust results".
Quote:
Originally Posted by simonapnic
You should check their md5sums and stuff. If they're infected, replace them with original copies.
That is seriously bad advice, please don't! If binaries are subverted, then the whole box is untrustworthy and should be handled as such. Patching things up and reinstalling some binaries as if nothing happened is not good. See the "run from CD" part and maybe check the CERT links that get posted regularly: http://www.cert.org/tech_tips/intrud...checklist.html and http://www.cert.org/tech_tips/root_compromise.html.
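Following unSpawn's point, here is an added example (not from the thread, and not a chkrootkit or rkhunter feature) of checking package-managed files from rescue media so that nothing on the suspect disk is executed, and of reading the `rpm -V` report. It assumes an rpm-based system like the poster's openSUSE and that the suspect root is mounted read-only at /mnt/suspect; both are assumptions, and a Debian system would use `debsums --root` instead. The report lines it parses are constructed sample output, not real findings. The purpose is to judge how far a compromise goes, not to "repair" binaries in place.

```shell
#!/bin/sh
# Added example, not from the thread. Check a suspect system's package-managed
# files from rescue media and read the `rpm -V` report. Assumptions: an
# rpm-based system (the poster's openSUSE is) and the suspect root mounted
# read-only at /mnt/suspect. This is for judging how far a compromise goes,
# not for "repairing" binaries in place; a box with replaced binaries gets
# rebuilt from scratch.

# verify_suspect_root [ROOT]: run the rescue system's own rpm against the
# package database on the suspect disk, so nothing from that disk executes.
verify_suspect_root() {
    rpm -Va --root "${1:-/mnt/suspect}"
}

# flag_suspect_binaries: read `rpm -V` lines and keep the ones that matter.
# Each line is a 9-character attribute string (S size, M mode, 5 digest,
# D device, L link, U user, G group, T mtime, P capabilities; "." unchanged)
# or the word "missing", an optional file-type flag (c = config file), and
# the path. A size, digest or mode change on a non-config file, or a missing
# file, is worth a look; a lone mtime change usually is not.
flag_suspect_binaries() {
    awk '
        $2 == "c" { next }                 # changed config files are expected
        $1 == "missing" { print "MISSING  " $NF; next }
        substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5" || substr($1, 2, 1) == "M" {
            print "MODIFIED " $NF
        }
    '
}

# Constructed sample `rpm -Va` output (not real findings) to exercise the filter.
sample_report() {
    cat <<'EOF'
S.5....T.    /bin/netstat
.......T.    /usr/lib64/libexample.so.1
..5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/lsof
.M.......    /usr/bin/sudo
EOF
}

# Number of sample lines the filter keeps (size/digest/mode changes and
# missing files on non-config paths).
suspect_count() { sample_report | flag_suspect_binaries | wc -l | tr -d ' '; }

sample_report | flag_suspect_binaries
```

Booted from rescue media with the disk mounted read-only, `verify_suspect_root /mnt/suspect | flag_suspect_binaries` gives the shortlist; on the sample report it keeps netstat (size and digest), sudo (mode) and the missing lsof, and drops the mtime-only library and the edited sshd_config. One caveat: `rpm -V` compares against the rpm database on the suspect disk, which an attacker with root could have rewritten too, so a mismatch is evidence while a clean report is not proof. Verifying against the distribution's original package files (`rpm -Vp` with the packages from installation media and the same `--root`) removes that dependency, and it still does not make the box trustworthy again once anything has been replaced.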
I got this when chkrootkit did a system check in the morning (cron job). I started chkrootkit again later on because I did not see the e-mail this morning, and there was no infected port 600; nmap 127.0.0.1 and netstat -plant | grep 600 did not find a thing. Rkhunter is running and did not find anything either. I suspect that a service used the port while chkrootkit was running (a service not in the whitelist), so if you did not receive this on any other day before the day it happened for the first time, and of course you have a firewall (I have 2), then this is another false positive from chkrootkit. Personally, on my box only ports 80 and 28838 are open... so it's really weird in a certain way.
OS: openSUSE Tumbleweed (using openSUSE 11.4 as base) x86_64.
Last edited by unSpawn; 10-26-2011 at 06:23 PM.
Reason: //Moderator says: please don't add non-critical information to stale threads. Closed.