Chkrootkit reports bindshell infected port 465
Today when I ran chkrootkit on my Linux Mint (MATE) laptop, I got this result, which didn't appear previously:
Code:
Checking `bindshell'... INFECTED PORTS: ( 465)

This infected result appears only when I establish an internet (WiFi) connection, while prior to that chkrootkit doesn't report anything. Rkhunter still doesn't report anything special or out of the ordinary. I searched the internet for this result and all I could find were false positives for people who have cPanel installed or something similar. But I don't have cPanel installed - it's just a regular Mint MATE installation, and I am sure this infected result didn't appear until a few days ago (I run chkrootkit and rkhunter often). The only thing that I changed in the past several days is that I installed the SNAP package (snapd) and, using snap, I installed a couple of snap applications (somafm-qt and something else whose name I now forgot). When I run this command: grep 465 /etc/services I get the following result:
Code:
bluelight@bluelight:~$ grep 465 /etc/services

Could somebody please help me to decipher this and whether I have a reason to be concerned about the possible infection?
I don't really think the services file will be of much help here. Can you run "lsof -Rpni :465" from the command line when you bring up a WiFi connection and see what happens?
After a few more times running chkrootkit, when I run it now, it doesn't report that infected result anymore. Today I uninstalled snap and its applications, but after that when I ran chkrootkit, it reported one more time that same infected result again. Now it doesn't report it anymore... so maybe it was some unimportant and benign glitch... I don't know.
Anyway, here is the result of the command you proposed:
Code:
bluelight@bluelight:~$ lsof -Rpni :465
That means incorrect parameters: lsof did not run at all. Your version does not understand -Rpni :465 (or you mistyped something).
I just copy/pasted what RickDeckard wrote in this thread (without the quotes). What should I type so that Rpni runs properly?
Could it be
Code:
lsof -RPni :465
The output of that appears to be an empty line (no result at all - it just gives a new prompt, as if I pressed only enter). I don't know what that means.
Code:
bluelight@bluelight:~$ lsof -RPni :465
I'm hoping that if we find the name of the process we can locate it and then maybe either run some more analysis on it or totally get rid of it, depending on what it says.
I just tried the same command with sudo and the result is again the same as it was without sudo (no result at all, as if I just pressed enter).
Code:
bluelight@bluelight:~$ sudo lsof -RPni :465

I want to point out that now when I run chkrootkit it does not report the same rootkit warning as it did earlier today. This is what it now says under the bindshell item, even when I am connected to the internet:
Code:
Checking `bindshell'... not infected
Have you tried following the diagnostics used on https://benohead.com/chkrootkit-fals...cted-port-465/ ?
That's bad news for us to hear. If an open connection is being hidden from root itself, I have a lot of reason to suspect this isn't a false positive.
Code:
bluelight@bluelight:~$ sudo netstat -pan | grep ":465 "

As far as I remember, I had these packages installed using snapd: https://snapcraft.io/odio https://snapcraft.io/somafm-qt Do these programs have any component that might have caused chkrootkit to report the issue with bindshell? The timing of the problem and when I installed these packages seems to have a correlation, but I'm not sure about the causation.
Yesterday Mint shut itself down for a few seconds and then restarted itself (without going through the regular loading procedure with its logo screen), which of course is not a good sign, but I've seen it before and it might be a tech glitch rather than a virus (in my opinion). Rkhunter does report one suspicious file, and this has been an issue ever since I installed Mint MATE on this laptop. I explained that issue in detail in this thread some time ago. Now when I run rkhunter the name of the suspicious file has changed a little, but it's still always reported:
Code:
[09:55:38] Info: Starting test name 'filesystem'

In that forum thread you hypothesized that the file might have been created by Tomboy Notes or some other Mono application. I do have Tomboy Notes installed but I never use it. Is it possible to determine accurately what application or process creates (and maintains) the mono.2058 file? I have to emphasize that I am absolutely positive I had a rootkit virus on this laptop earlier this year. I experienced things such as all my passwords in Chrome being deleted (not just in the Chrome program but on Google's servers as well), files from the desktop being deleted or moved, and some text files where I keep passwords being tampered with and edited. This problem would resurface every time even though I would reinstall the whole system on a clean drive (I would clean it with the erase disk drive feature in Parted Magic, which was loaded from a USB stick). This problem appears to have gone away only when I updated my laptop BIOS about a month ago. I strongly suspect that it was a BIOS rootkit, because there's no other way to explain it. It was difficult to update the BIOS because, in their infinite wisdom, the manufacturer of my laptop (Lenovo) gives its users only one way to update the BIOS, and that is by using a Windows .exe application. So I had to install Windows just to update the BIOS. But when I did that, at least those obvious virus/rootkit-related things such as passwords and files being deleted or moved finally stopped happening. The hidden mono file and these latest problems with bindshell that chkrootkit reported are disconcerting, but perhaps they have a different explanation, such as some snapd application that was able to cause a false positive...
Good idea. I reinstalled snap and all the snap applications that I remember having a few days ago. Out of maybe a dozen runs of chkrootkit, I got this problematic result twice (once yesterday and once today). Otherwise, chkrootkit doesn't report anything different than when snap is not installed. Rkhunter still doesn't report anything different than when snap is not installed. EDITED: Rkhunter also reported an LKM trojan now, but when I ran it again it didn't report it again.
Code:
Checking `bindshell'... not infected

The packet sniffer is always reported (whether I have snap or not), and I assume it's a false positive. I don't know why this "possible LKM trojan" is sometimes reported now with snap installed... Should I be concerned?
For LKM, see https://askubuntu.com/questions/5878...ble-klm-trojan
Yes, the packet sniffer is a false positive.
Rkhunter reported the LKM trojan as well a few minutes ago, but now when I run it again it doesn't report it anymore. Is that a cause for concern? How can I determine the exact process and application that chkrootkit thought was suspicious? When I type "./chkproc -v" it says "bash: ./chkproc: No such file or directory".
You have to be in the chkrootkit directory (where you installed chkrootkit) for that command to work. When I run it, it lists quite a number of processes though, so I don't know how useful it will be for you. Some general reading: https://www.dedoimedo.com/computers/...m-warning.html
Ok, I got something concrete this time. :)
This is the output of chkproc:
Code:
bluelight@bluelight:/usr/lib/chkrootkit$ ./chkproc -v
Code:
bluelight@bluelight:/proc/21961$ cd /proc/21961/ && cat cmdline

So I suppose there's not much cause for concern. I wonder why chkrootkit is more likely to report that alarm when snap is installed, though. Thanks a lot, man. I really appreciate the help on this forum from everyone.
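The checks the thread walks through (netstat/lsof on port 465, then chkproc and /proc/PID/cmdline) can be reproduced without lsof by reading /proc directly. The script below is an added example, not code from the thread or from chkrootkit; it assumes a Linux host with a readable /proc (seeing other users' fd links needs root). It also shows why chkproc-style results flap: a PID that exits between the /proc listing and the ps listing looks "hidden" for one run.

```sh
#!/bin/sh
# Added example: re-create the two checks used in this thread without lsof.
# 1) Who is listening on TCP port 465, read from /proc/net/tcp (what netstat -pan shows).
# 2) Which PIDs exist in /proc but are missing from ps output, which is the
#    comparison chkrootkit's chkproc makes when it suspects a hidden process.
# Assumption: Linux with a readable /proc; other users' fd links need root.

port_to_hex() { printf '%04X' "$1"; }

# Reads /proc/net/tcp-format lines on stdin and prints the socket inode of every
# LISTEN (state 0A) socket bound to the given port. Column 10 is the inode.
listeners_on_port() {
  hex=$(port_to_hex "$1")
  awk -v re=":$hex\$" 'NR > 1 && $2 ~ re && $4 == "0A" { print $10 }'
}

# Maps a socket inode back to a PID by walking the /proc/<pid>/fd/* symlinks.
pid_for_socket_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
      echo "$fd" | cut -d/ -f3
      return 0
    fi
  done
  return 1
}

# $1: PIDs found in /proc, $2: PIDs reported by ps (both whitespace separated).
# Prints PIDs present in /proc but absent from ps. A single transient hit is
# usually a process that exited between the two listings, not a rootkit.
hidden_pids() {
  [ -n "$1" ] || return 0
  printf '%s\n' $1 | awk -v ps="$2" '
    BEGIN { n = split(ps, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    !($1 in seen)'
}

# Live, read-only run against this machine (IPv4 and IPv6 tables).
if [ -r /proc/net/tcp ]; then
  for ino in $(cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | listeners_on_port 465); do
    echo "port 465 LISTEN socket inode $ino -> PID $(pid_for_socket_inode "$ino" || echo unknown)"
  done
fi
if command -v ps >/dev/null 2>&1; then
  for pid in $(hidden_pids "$(ls /proc | grep -x '[0-9][0-9]*')" "$(ps -eo pid=)"); do
    # cmdline is NUL-separated, so convert it to spaces for display
    echo "PID $pid is in /proc but not in ps: $(tr '\0' ' ' < /proc/$pid/cmdline 2>/dev/null)"
  done
fi
```

Run it twice a few seconds apart: a PID that is reported hidden once and gone the next time is the same race chkproc is subject to, while a port 465 listener whose PID cannot be resolved even as root is worth a closer look.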
Nevertheless, it could be communicating with soma.fm somehow. Odio - not so much. I could not find the source code anywhere. It could be doing all kinds of data mining on your system and transmitting that to the maintainer. Additionally, I do not really trust snappy; who knows in what ways it phones home.
I forgot to mention yesterday that I also had OpenTyrian installed via snap. https://snapcraft.io/opentyrian I've now uninstalled snapd (sudo apt remove snapd), but not every one of its individual applications. Chkrootkit doesn't report the LKM trojan for the time being.
I don't understand Ubuntu's obsession with snappy.
OpenTyrian is available in the repos of both major distributions I am using, one of them Debian - so very likely also in Ubuntu's repos.