LinuxQuestions.org

Linux - Security: Chkrootkit reports bindshell infected port 465 (https://www.linuxquestions.org/questions/linux-security-4/chkrootkit-reports-bindshell-infected-port-465-a-4175652129/)

Seniark 04-14-2019 07:53 AM

Chkrootkit reports bindshell infected port 465
 
Today when I ran chkrootkit on my Linux Mint (MATE) laptop, I got this result, which didn't appear previously:

Code:

Checking `bindshell'...                                    INFECTED PORTS: ( 465)

This infected result appears only when I establish an internet (WiFi) connection, while prior to that chkrootkit doesn't report anything. Rkhunter still doesn't report anything special or out of the ordinary.

I searched the internet for this result and all I could find are false positives for people who have Cpanel installed or something similar. But I don't have CPanel installed - it's just a regular Mint MATE installation, and I am sure this infected result didn't appear until a few days ago (I run chkrootkit and rkhunter often). The only thing that I changed in the past several days is that I installed the SNAP package (snapd) and, using snap, I installed a couple of snap applications (somafm-qt and something else whose name I now forgot).

When I run this command:

grep 465 /etc/services

I get the following result:

Code:

bluelight@bluelight:~$ grep 465 /etc/services
urd                465/tcp                ssmtp smtps  # URL Rendesvous Directory for SSM

and I don't know what it means.

Could somebody please help me to decipher this and whether I have a reason to be concerned about the possible infection?

RickDeckard 04-14-2019 11:26 AM

I don't really think the services file will be of much help here. Can you run "lsof -Rpni :465" from the command line when you bring up a WiFi connection and see what happens?

Seniark 04-14-2019 11:53 AM

After a few more times running chkrootkit, when I run it now, it doesn't report that infected result anymore. Today I uninstalled snap and its applications, but after that when I ran chkrootkit, it reported one more time that same infected result again. Now it doesn't report it anymore... so maybe it was some unimportant and benign glitch... I don't know.

Anyway, here is the result of the command you proposed:


Code:

bluelight@bluelight:~$ lsof -Rpni :465
lsof: illegal process ID: ni
lsof 4.89
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information.

Perhaps it gives the "illegal process ID" error because that process doesn't exist anymore? But I know it did exist, I wonder what application caused it earlier today and why it's gone now... hm, strange... I just hope it's not some rootkit virus again. :(

pan64 04-14-2019 11:57 AM

That means incorrect parameters: lsof did not run at all. Your version does not understand -Rpni :465 (or you mistyped something).

Seniark 04-14-2019 12:12 PM

Quote:

Originally Posted by pan64 (Post 5984927)
That means incorrect parameters: lsof did not run at all. Your version does not understand -Rpni :465 (or you mistyped something).


I just copy/pasted what RickDeckard wrote in this thread (without the quotes). What should I type so that Rpni runs properly?

ondoho 04-14-2019 12:36 PM

Could it be
Code:

lsof -RPni :465
I'm really just guessing here.

Seniark 04-14-2019 02:38 PM

Quote:

Originally Posted by ondoho (Post 5984940)
Could it be
Code:

lsof -RPni :465
I'm really just guessing here.


The output of that appears to be an empty line (no result at all - just gives a new prompt, as if I pressed only enter). I don't know what that means.


Code:

bluelight@bluelight:~$ lsof -RPni :465
bluelight@bluelight:~$


RickDeckard 04-14-2019 02:48 PM

Quote:

Originally Posted by ondoho (Post 5984940)
Could it be
Code:

lsof -RPni :465
I'm really just guessing here.

Yes!!! That's what I meant. My apologies.

Quote:

Originally Posted by Seniark (Post 5984989)
The output of that appears to be an empty line (no result at all - just gives a new prompt, as if I pressed only enter). I don't know what that means.


Code:

bluelight@bluelight:~$ lsof -RPni :465
bluelight@bluelight:~$


Then you may have to be root in order to find the process that way. You can try again using sudo.

I'm hoping that if we find the name of the process we can locate it and then maybe either run some more analysis on it or totally get rid of it depending on what it says.

Seniark 04-14-2019 05:06 PM

Quote:

Originally Posted by RickDeckard (Post 5984994)
Then you may have to be root in order to find the process that way. You can try again using sudo.

I'm hoping that if we find the name of the process we can locate it and then maybe either run some more analysis on it or totally get rid of it depending on what it says.


I just tried the same command with sudo and the result is again the same as it was without sudo (no result at all, as if I just pressed enter).

Code:

bluelight@bluelight:~$ sudo lsof -RPni :465
bluelight@bluelight:~$


I want to point out that now when I run chkrootkit it does not report the same rootkit warning as it did earlier today. This is what it now says under the bindshell item, even when I am connected to the internet:


Code:

Checking `bindshell'...                                    not infected
I wonder how that process can switch on and off by itself? Now you see it, now you don't... strange.
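The "now you see it, now you don't" behaviour described above is the reason a one-shot lsof -RPni :465 or netstat -pan | grep ":465 " can come back empty: chkrootkit's bindshell test is a grep over netstat -an output for a fixed list of port numbers (465 is one of them, which is why it is the port reported), so it fires whenever a socket involving that port exists at the instant it runs, and it says nothing about which process owns the socket or whether 465 is the local port or the remote peer's. The script below is an added example written for this thread, not code from chkrootkit or from anyone posting in it. It classifies every socket on a port as LOCAL (something on this machine is bound to it, as a mail daemon or a bind shell would be) or PEER (an outbound connection to port 465 on another host, which is what an e-mail client speaking SMTPS makes), and can poll the socket table once a second so that a short-lived socket is logged together with its owner. It assumes ss from iproute2 (run it with sudo so the Process column is filled in for other users' processes); the port list in it is a placeholder standing in for the one inside the chkrootkit script, not a copy of it, and the ss output embedded in it is constructed for the dry run.

```shell
#!/bin/sh
# Added example for this thread, not chkrootkit's own code.
# chkrootkit's bindshell test greps `netstat -an` for a fixed port list;
# this script reads the same socket table with `ss`, tells a local
# listener apart from an outbound peer connection, shows the owning
# process, and can poll so an intermittent socket is caught in the act.
# Assumptions: `ss -tanp` (iproute2) is available; PORTS below is a
# placeholder for chkrootkit's own list, not a copy of it.

PORTS="${PORTS:-465 1524 31337}"

# classify_port PORT   (reads `ss -tanp` output on stdin)
# One line per socket that involves PORT:
#   LOCAL <state> <local> <peer> <process>  -> something here is bound to :PORT
#   PEER  <state> <local> <peer> <process>  -> an outbound connection to :PORT
classify_port() {
    awk -v port="$1" '
        $1 == "State" { next }                 # skip the ss column header
        {
            state = $1; laddr = $4; paddr = $5
            proc = ($6 == "") ? "-" : $6       # empty without root / -p
            n = split(laddr, l, ":"); lport = l[n]   # last field: handles [::]:465
            n = split(paddr, p, ":"); pport = p[n]
            if (lport == port)      print "LOCAL", state, laddr, paddr, proc
            else if (pport == port) print "PEER",  state, laddr, paddr, proc
        }'
}

# check_now: live socket table, every port in $PORTS, with context.
check_now() {
    for p in $PORTS; do
        ss -tanp 2>/dev/null | classify_port "$p"
    done
}

# capture SECONDS LOGFILE: poll once per second and append every hit with
# a timestamp. Use this when the warning comes and goes (e.g. only while
# WiFi is up) so the owner is recorded even if the socket is gone by the
# time you type lsof by hand.
capture() {
    secs="$1"; log="$2"; i=0
    while [ "$i" -lt "$secs" ]; do
        hits=$(check_now)
        [ -n "$hits" ] && printf '%s\n%s\n' "$(date '+%F %T')" "$hits" >> "$log"
        i=$((i + 1)); sleep 1
    done
}

# Constructed sample of `ss -tanp` output for the dry run (not a capture).
SAMPLE='State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22            0.0.0.0:*           users:(("sshd",pid=812,fd=3))
ESTAB  0      0      192.168.1.23:41834    203.0.113.25:465    users:(("thunderbird",pid=2210,fd=57))
LISTEN 0      10     127.0.0.1:465         0.0.0.0:*           users:(("exim4",pid=1000,fd=4))
ESTAB  0      0      192.168.1.23:46512    203.0.113.9:443     users:(("firefox",pid=2301,fd=88))'

case "${1:-}" in
    --capture) capture "${2:-60}" "${3:-/tmp/port465.log}" ;;  # sudo sh port465.sh --capture 300
    --now)     check_now ;;
    *)         printf '%s\n' "$SAMPLE" | classify_port 465 ;;  # dry run on the sample
esac
```

Run sudo sh port465.sh --capture 300 and then bring the WiFi connection up; --now is the one-shot equivalent of the lsof command suggested earlier in the thread. The sample shows the two cases worth separating: the firefox line on local port 46512 is ignored (465 followed by a digit is a different port, the same boundary chkrootkit's pattern has to respect), a PEER ESTAB line owned by a mail client is an ordinary SMTPS session, and a LOCAL LISTEN line is the only shape that deserves the name bindshell, in which case readlink /proc/<pid>/exe and dpkg -S on that path tell you whether a package owns the binary. Whether chkrootkit's pattern matches the peer column as well as the local one depends on the version; if the capture shows only PEER hits while chkrootkit keeps firing, read the bindshell function in the chkrootkit script itself (it is a shell script, /usr/sbin/chkrootkit on Debian-based systems) to see which column it matches.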

hydrurga 04-14-2019 05:41 PM

Have you tried following the diagnostics used on https://benohead.com/chkrootkit-fals...cted-port-465/ ?

RickDeckard 04-14-2019 05:44 PM

That's bad news for us to hear. If an open connection is being hidden from root itself, I have a lot of reason to suspect this isn't a false positive.

Seniark 04-15-2019 03:23 AM

Quote:

Originally Posted by hydrurga (Post 5985041)
Have you tried following the diagnostics used on https://benohead.com/chkrootkit-fals...cted-port-465/ ?

When I run the first command according to that procedure, I get an empty line as a result (as if I just pressed enter), so I am unable to proceed with the described procedure as there is no process to examine:


Code:

bluelight@bluelight:~$ sudo netstat -pan | grep ":465 "
bluelight@bluelight:~$

Since chkrootkit doesn't report the infected process anymore, is it possible that the problematic process actually doesn't exist anymore (rather than being hidden)? I did uninstall the snapd package (and its applications) yesterday, and that might have resolved the issue, although I remember that chkrootkit reported the infected process one more time after that, and then stopped reporting it.

As far as I remember, I had these packages installed using snapd:

https://snapcraft.io/odio
https://snapcraft.io/somafm-qt

Do these programs have any component that might have caused chkrootkit to report the issue with bindshell? The timing of the problem and when I installed these packages seem to have a correlation, but I'm not sure about the causation.

Seniark 04-15-2019 03:44 AM

Quote:

Originally Posted by RickDeckard (Post 5985044)
That's bad news for us to hear. If an open connection is being hidden from root itself, I have a lot of reason to suspect this isn't a false positive.

Please see my first reply to hydrurga from today. It seems to me that the problematic process doesn't exist anymore, although of course we can't be sure. Chkrootkit doesn't report it anymore, and Rkhunter never reported anything weird since it started happening yesterday.

Yesterday Mint shut down itself for a few seconds and then restarted itself (without going through the regular loading procedure with its logo screen), which of course is not a good sign, but I've seen it before and it might be a tech glitch rather than virus (in my opinion).

Rkhunter does report one suspicious file, and this has been an issue ever since I installed Mint MATE on this laptop. I explained that issue in detail in this thread some time ago.

Now when I run rkhunter the name of the suspicious file has changed a little, but it's still always reported:

Code:

[09:55:38] Info: Starting test name 'filesystem'
[09:55:38] Performing filesystem checks
[09:55:38] Info: SCAN_MODE_DEV set to 'THOROUGH'
[09:55:45]  Checking /dev for suspicious file types        [ Warning ]
[09:55:45] Warning: Suspicious file types found in /dev:
[09:55:45]          /dev/shm/mono.2058: data
[09:55:46]  Checking for hidden files and directories      [ Warning ]
[09:55:46] Warning: Hidden directory found: /etc/.java
[09:55:46]  Checking for missing log files                  [ Skipped ]
[09:55:46] Info: No missing log file names configured.
[09:55:46]  Checking for empty log files                    [ Skipped ]
[09:55:46] Info: No empty log file names configured.


In that forum thread you hypothesized that the file might have been created by Tomboy Notes or some other Mono application. I do have Tomboy notes installed but I never use it. Is it possible to determine accurately what application or process creates (and maintains) the mono.2058 file?

I have to emphasize that I am absolutely positive I had a rootkit virus on this laptop earlier this year. I experienced things such as all my passwords in chrome were deleted (not just in the chrome program but on google's servers as well), files from desktop were deleted or moved, and some textual files where I keep passwords were tampered with and edited. This problem would re-surface every time even though I would reinstall the whole system on a clean drive (I would clean it with the erase disk drive feature in Parted Magic, which was loaded from a USB stick).

This problem appears to have gone only when I updated my laptop BIOS about a month ago. I strongly suspect that it was a BIOS rootkit, because there's no other way to explain it. It was difficult to update the BIOS because, in their infinite wisdom, the manufacturer of my laptop (Lenovo) gives its users only one way to update the BIOS, and that is by using a Windows .exe application. So I had to install Windows just to update BIOS. But when I did that, at least those obvious virus/rootkit-related things such as passwords and files being deleted or moved finally stopped happening. The hidden mono file and these latest problems with bindshell that chkrootkit reported are disconcerting, but perhaps they have a different explanation, such as some snapd application that was able to cause a false positive...

hydrurga 04-15-2019 06:02 AM

Quote:

Originally Posted by Seniark (Post 5985151)
As far as I remember, I had these packages installed using snapd:

https://snapcraft.io/odio
https://snapcraft.io/somafm-qt

Do these programs have any component that might have caused chkrootkit to report the issue with bindshell? The timing of the problem and when I installed these packages seem to have a correlation, but I'm not sure about the causation.

Ah, that I don't know. I suppose, in the interests of discovery, you could always reinstall them and see what happens.

Seniark 04-16-2019 10:09 AM

Quote:

Originally Posted by hydrurga (Post 5985180)
Ah, that I don't know. I suppose, in the interests of discovery, you could always reinstall them and see what happens.


Good idea. I reinstalled snap and all the snap applications that I remember having a few days ago. Out of maybe a dozen chkrootkit runs, I got this problematic result twice (once yesterday and once today). Otherwise, chkrootkit doesn't report anything different than when snap is not installed. Rkhunter still doesn't report anything different than when snap is not installed.


EDITED:

Rkhunter also reported an LKM trojan now, but when I ran it again it didn't report it again.




Code:

Checking `bindshell'...                                    not infected
Checking `lkm'...                                          You have    1 process hidden for readdir command
You have    1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

chkdirs: nothing detected
Checking `rexedcs'...                                      not found
Checking `sniffer'...                                      lo: not promisc and no packet sniffer sockets
wlp2s0: PACKET SNIFFER(/sbin/wpa_supplicant[654], /sbin/wpa_supplicant[654], /sbin/dhclient[21571])
tun0: not promisc and no packet sniffer sockets
Checking `w55808'...                                        not infected
Checking `wted'...                                          chkwtmp: nothing deleted
Checking `scalper'...                                      not infected
Checking `slapper'...                                      not infected
Checking `z2'...                                            user bluelight deleted or never logged from lastlog!
Checking `chkutmp'...                                        The tty of the following user process(es) were not found

(bold letters added by me)

The packet sniffer is always reported (whether I have snap or not), and I assume it's a false positive. I don't know why this "possible LKM trojan" is sometimes reported now with snap installed... Should I be concerned?
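Two of the lines in the chkrootkit output above can be checked further without guessing, and the script below is an added example written for this thread (not chkrootkit's own code) that does so. First, the lkm test: chkproc probes process IDs one by one and compares what it finds with a directory listing of /proc and with the output of ps; a PID present in one view but missing from another is reported as hidden. Any process that starts or exits between those listings is reported the same way, which is why this warning tends to appear on one run and vanish on the next. The script repeats the /proc-versus-ps comparison several times and reports only PIDs that are hidden in every snapshot, since a process concealed by a kernel module stays concealed while a short-lived one does not. Second, the sniffer test: it lists processes holding AF_PACKET sockets. wpa_supplicant needs one for EAPOL frames and dhclient for raw DHCP, so the useful question is which executable owns each packet socket and whether that executable is the one the package manager installed. The script assumes a Linux procfs with the Inode as the last column of /proc/net/packet and ps from procps; the PID lists and the /proc/net/packet table embedded in it are constructed for the dry run, not captured from a real system.

```shell
#!/bin/sh
# Added example for this thread, not chkrootkit's code.
#  1. hidden-process check with repeated snapshots (the `lkm` warning)
#  2. owners of AF_PACKET sockets (the `sniffer` line)
# Assumptions: Linux procfs, Inode is the last column of /proc/net/packet,
# `ps` from procps. The SAMPLE_* values are constructed, not captured.

# hidden_pids PROCLIST PSLIST: PIDs present in PROCLIST (a /proc directory
# listing) but absent from PSLIST (ps output), i.e. what chkproc reports
# as "hidden for ps command". Both arguments are newline-separated lists.
hidden_pids() {
    printf '%s\n---\n%s\n' "$1" "$2" |
    awk '/^---$/          { phase = 1; next }
         phase == 0 && NF { seen[$1] = 1; next }
         phase == 1 && NF { delete seen[$1] }
         END              { for (p in seen) print p }' | sort -n
}

proc_pids() { for d in /proc/[0-9]*; do echo "${d#/proc/}"; done; }
ps_pids()   { ps -eo pid=; }

# persistent_hidden N: take N snapshots one second apart and print only
# the PIDs hidden in every one. The $( ) subshell that lists /proc, and
# any process that exits between that listing and ps, appear hidden in a
# single snapshot under a PID that differs each time; a process hidden by
# a kernel module keeps the same PID and stays hidden.
persistent_hidden() {
    n="${1:-3}"; i=0; acc=""
    while [ "$i" -lt "$n" ]; do
        acc="$acc
$(hidden_pids "$(proc_pids)" "$(ps_pids)")"
        i=$((i + 1)); [ "$i" -lt "$n" ] && sleep 1
    done
    printf '%s\n' "$acc" |
    awk -v n="$n" 'NF { c[$1]++ } END { for (p in c) if (c[p] == n) print p }' | sort -n
}

# packet_socket_inodes: inode numbers of AF_PACKET sockets, read from
# /proc/net/packet on stdin (first line is the column header).
packet_socket_inodes() { awk 'NR > 1 && NF { print $NF }'; }

# packet_socket_owners: for each packet socket, the PID and executable
# holding it (root is needed to read other users' /proc/PID/fd). An exe
# path ending in "(deleted)" means the file on disk is not what is running.
packet_socket_owners() {
    packet_socket_inodes < /proc/net/packet | while read -r ino; do
        for fd in /proc/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$ino]" ] || continue
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf 'inode=%s pid=%s exe=%s\n' "$ino" "$pid" \
                "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
        done
    done
}

# Constructed samples for the dry run.
SAMPLE_PROC='1
2
654
21571
31000'
SAMPLE_PS='1
2
654
21571'
SAMPLE_PACKET='sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   3     1 0      0      21043
0000000000000000 3      3    888e   3     1 0      0      21077'

case "${1:-}" in
    --live)   # sudo sh chkagain.sh --live
        echo "PIDs hidden from ps in all 3 snapshots:"; persistent_hidden 3
        echo "AF_PACKET socket owners:"; packet_socket_owners ;;
    *)
        echo "dry run: hidden -> $(hidden_pids "$SAMPLE_PROC" "$SAMPLE_PS" | tr '\n' ' ')"
        echo "dry run: packet socket inodes -> $(printf '%s\n' "$SAMPLE_PACKET" | packet_socket_inodes | tr '\n' ' ')" ;;
esac
```

In the sample, PID 31000 is in the /proc listing but not in the ps list, so it is what a single chkproc pass would call hidden; whether it is a concern is decided by the repeated snapshots, and an empty result from --live with chkrootkit still warning occasionally is the transient-process case. For the packet sockets, take the exe path printed for each owner and run dpkg -S on it to find the owning package and dpkg -V on that package to compare the installed files against the recorded checksums; wpa_supplicant and dhclient owned by their distribution packages and unmodified is the expected picture behind the PACKET SNIFFER line.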

