LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-25-2003, 01:36 PM   #1
murshed
Member
 
Registered: Jan 2002
Posts: 157

chkrootkit question


Hi all,

I've just run chkrootkit and it gave me two points that I must consider revising ... they were as follows:


Checking `bindshell'... INFECTED (PORTS: 465)

I've searched www.chkrootkit.org and I found this:


I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).


What do you say about this? Is it normal?
--------------------------------------------------------------------------------

The second point is:

Searching for suspicious files and dirs, it may take a while...
path/to/perl5/5.6.0/i386-linux/.packlist

I found this on the site:

chkrootkit is reporting some files and dirs as suspicious: `.packlist', `.cvsignore', etc. These are clearly false positives. Can't you ignore these?
Ignoring some files and dirs could impair chkrootkit's accuracy. An attacker might use this, since he knows that chkrootkit will ignore certain files and dirs.



Now I'm confused ... what do you advise me?

Thanks
 
Old 02-25-2003, 09:54 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Best thing is to check it out yourself. I'd first check that the tools match their signature, md5sum or sha1sum, then run lsof -i or netstat -anp, trace the PID to the file, then inspect the file.
There's a way you'll never get notified again, basically breaking chkrootkit, and that's to remove the "465" from line 202 in the script. A better way would be to extend chkrootkit to include a "backup test" once this rule gets triggered. Could be as simple as statically matching app X with sha1sum Y at inode Z.

Some dotfiles get noticed. You can pipe the output from chkrootkit through a shell script, match each entry and, if OK, remove it from the final report.

These warnings are a Good Thing, as they should make you realize not to use just one tool to verify your system's integrity. You should run AIDE, Samhain or Tripwire as well.
 
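An added example of the post-filter described in the reply above (my code, not unSpawn's and not part of chkrootkit). It drops a reported dotfile from the report only when its path is in a baseline file AND its sha1sum still equals the value recorded when the host was known-good, so it avoids the blind ignore the chkrootkit FAQ warns about. The baseline format, the perl path and the report lines used in the comments are assumptions for illustration; the baseline is just the output of sha1sum, "<sha1>  <absolute path>", one entry per line.

```shell
#!/bin/sh
# Added example, not from the thread. Filters chkrootkit's
# "suspicious files and dirs" hits against a sha1sum baseline.
#
# Create the baseline on a host you trust, e.g. (assumed path from the thread):
#   sha1sum /usr/lib/perl5/5.6.0/i386-linux/.packlist > /root/chkrootkit.baseline
# Then: chkrootkit | filter_report /root/chkrootkit.baseline
#
# Limits: paths containing whitespace are not handled; only regular files
# can be suppressed, a listed directory is always reported.

# $1 = baseline file. chkrootkit output on stdin, filtered report on stdout.
filter_report() {
  baseline="$1"
  while IFS= read -r line; do
    case "$line" in
      */.*)
        # A bare path containing a dot-entry is a hit from the
        # suspicious-files scan (chkrootkit prints them one per line).
        expected=$(awk -v p="$line" '$2 == p { print $1 }' "$baseline")
        if [ -z "$expected" ]; then
          # Not in the baseline: report it untouched.
          printf '%s\n' "$line"
        elif [ -f "$line" ] && [ "$(sha1sum "$line" | awk '{ print $1 }')" = "$expected" ]; then
          # Known regular file, unchanged since baseline: suppress.
          :
        else
          # Listed, but now a directory, missing, or modified: make it louder,
          # because that is exactly what a rootkit reusing a "known" name looks like.
          printf '%s  <-- in baseline but CHANGED or not a regular file\n' "$line"
        fi
        ;;
      *)
        # Every other chkrootkit line passes through unchanged.
        printf '%s\n' "$line"
        ;;
    esac
  done
}
```

Regenerate the baseline only after you have verified the files by other means (package manager verification, a tripwire/AIDE database), never straight from a box that already tripped chkrootkit.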
Old 02-26-2003, 06:16 AM   #3
murshed
Member
 
Registered: Jan 2002
Posts: 157

Original Poster
I figured out that smtps is using port 465 ... I will check for the file and see why it said it was infected ...

Thanks
 
Old 02-26-2003, 07:33 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

The *why* is easy. chkrootkit doesn't cross-check by verifying the file's contents, like running "strings" on it. It just grabs "netstat -an" and looks for well-known ports. This part is the same as running PortSentry instead of Snort: you get the alert, but you don't know if the packets tripping it actually have malicious properties/payload.
 
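An added example (my code, not chkrootkit's and not from either reply) that puts the two replies together: it reproduces what the bindshell test does, matching only the port number in netstat output against the FAQ's port list, and then does the cross-check unSpawn describes in post #2: find the PID that owns the listener, resolve it to its binary through /proc, and compare the binary's sha1sum with a baseline. The netstat dump below is constructed sample output showing an MTA on 465, not captured from a real host; the baseline format ("<sha1>  <path>", as sha1sum prints it) and the process names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from chkrootkit.

# Port list from the chkrootkit FAQ quoted in the first post.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed `netstat -anp` output (run as root to get the PID column).
# 465 is held by the MTA here, which is the false positive from the thread.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      843/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      843/master
tcp        0      0 10.0.0.5:22             10.0.0.9:51124          ESTABLISHED 702/sshd: admin
udp        0      0 0.0.0.0:123             0.0.0.0:*                           -'

# What the bindshell test does: stdin is netstat output; prints
# "INFECTED (PORTS: ...)" and returns 1, or "not infected". It keys on the
# port number alone, which is exactly why smtps on 465 trips it.
bindshell_test() {
  hits=$(awk -v list="$BINDSHELL_PORTS" '
    BEGIN { n = split(list, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      m = split($4, a, ":"); port = a[m]          # last field also handles :::465
      if (port in want && !(port in seen)) { seen[port] = 1; out = out (out ? " " : "") port }
    }
    END { print out }')
  if [ -n "$hits" ]; then printf 'INFECTED (PORTS: %s)\n' "$hits"; return 1; fi
  printf 'not infected\n'
}

# $1 = port; stdin = `netstat -anp` output. Prints "PID/Program" of the
# listener on that port, nothing if there is none.
listener_for_port() {
  awk -v p="$1" '$1 ~ /^tcp/ && $6 == "LISTEN" {
    m = split($4, a, ":"); if (a[m] == p) { print $7; exit } }'
}

# $1 = PID. Resolve the process to its on-disk binary. A dangling or
# "(deleted)" link here is itself a finding: the file ran and was unlinked.
exe_for_pid() { readlink "/proc/$1/exe"; }

# $1 = path, $2 = expected sha1. True if the file still matches its baseline.
hash_matches() {
  actual=$(sha1sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$2" ]
}

# $1 = port, $2 = netstat -anp dump, $3 = baseline file ("<sha1>  <path>").
# Returns 0 if the listener is a known binary, 1 if unknown/changed, 2 if undetermined.
triage_port() {
  port="$1"; dump="$2"; baseline="$3"
  owner=$(printf '%s\n' "$dump" | listener_for_port "$port")
  pid=${owner%%/*}
  [ -n "$pid" ] && [ "$pid" != "-" ] || { echo "port $port: no owner shown (run netstat -anp as root)"; return 2; }
  exe=$(exe_for_pid "$pid") || { echo "port $port: pid $pid has no /proc exe link"; return 2; }
  expected=$(awk -v p="$exe" '$2 == p { print $1 }' "$baseline")
  if [ -n "$expected" ] && hash_matches "$exe" "$expected"; then
    echo "port $port: $owner -> $exe matches baseline"
  else
    echo "port $port: $owner -> $exe NOT in baseline: inspect it (strings, ls -li, package verification)"
    return 1
  fi
}
```

On a real box the call is `triage_port 465 "$(netstat -anp)" /root/bin.baseline`; the baseline hashes must come from a trusted source (package verification or a tripwire/AIDE database), not from the box under suspicion, and since a kernel-level rootkit can lie to netstat and /proc, a clean result here is a reason to keep looking with a second tool, not to stop.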