Hi all,
I've just run chkrootkit and it gave me two points that I must consider reviewing... They were as follows:
Checking `bindshell'... INFECTED (PORTS: 465)
I've searched www.chkrootkit.org and I found this:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
What do you say about this? Is it normal?
--------------------------------------------------------------------------------
Second point is:
Searching for suspicious files and dirs, it may take a while...
path/to/perl5/5.6.0/i386-linux/.packlist
I found this on the site:
chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?
Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs
Now I am confused... What do you advise me?
Thanks
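
Added example, not part of the original post or of chkrootkit: one way to triage a bindshell hit is to map each flagged port to the process that owns the listener (465/tcp is also the registered port for mail submission over TLS, so a mail daemon there is expected). The function names and the sample `ss` lines are constructed for illustration; the port list is the one from the FAQ text quoted above.

```shell
#!/bin/sh
# Ports named in the chkrootkit FAQ entry quoted in the post.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Reads `ss -H -ltnp` style lines on stdin and prints "port owner/pid"
# for every listener bound to one of the flagged ports.
flagged_listeners() {
    awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) flagged[p[i]] = 1 }
        {
            # Field 4 is Local Address:Port; the port follows the last colon.
            port = $4
            sub(/.*:/, "", port)
            if (!(port in flagged)) next
            # The process column is only present when ss can see the owner.
            owner = "unknown"
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                owner = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", owner)
                sub(/",pid=/, "/", owner)
            }
            print port, owner
        }'
}

# Constructed sample input (not taken from the post).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 100 0.0.0.0:465 0.0.0.0:* users:(("master",pid=1490,fd=17))
LISTEN 0 100 [::]:25 [::]:* users:(("master",pid=1490,fd=13))
LISTEN 0 5 127.0.0.1:31337 0.0.0.0:*
EOF
}

# On a live host, run as root: ss -H -ltnp | flagged_listeners
sample_ss_output | flagged_listeners
```

A known daemon owning the port points to a false positive; an `unknown` owner when run as root, or a binary you cannot account for, is what warrants a closer look.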