rootkit: infected??? help
i think my web server might be compromised, but i'm not sure. chkrootkit says there's a packet sniffer on eth0:
eth0: PACKET SNIFFER(/sbin/dhclient[1963])
and when i just ran it again, i also get an infected message:
Checking `bindshell'... INFECTED (PORTS: 1524)
i don't want to panic just yet because the stuff i googled said the bindshell thing can be a false positive. the bad news is i'm not running portsentry or klaxon, so maybe it's a true positive. otoh, nothing seems to be affected: no weird log activity, nothing in the .bash_history files, no bandwidth issues. what steps should i take to make sure i'm okay?
The first one is a normal false positive caused by the dhcp client. The second one, I would be worried about. Very worried.
i installed snort, and now that's showing up in the eth0 result as being packet sniffed too, so i think you're right about dhclient being an FP. and strangely, chkrootkit now doesn't return the warning for bindshell. so i think that must have also been an FP, but i'll keep my eye on it. thx
Both snort and dhclient show up as packet sniffers because, I believe, they force the interface into promiscuous mode. I do believe that recent versions of dhclient have this fixed, so upgrading that might at least reduce the false positives.
If you get another bindshell warning, try running netstat -pantu or lsof -i and see what process has the socket open.
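The two checks suggested in this thread, as an added example that is not part of any post above: a small POSIX shell script that (1) parses `netstat -pantu`-style output to show which process owns a listening socket on a given port, which is what a chkrootkit bindshell hit (a listener on a port from its fixed list, 1524 among them) needs resolved, and (2) tests whether an interface has the promiscuous flag set, which is why dhclient and snort trip the PACKET SNIFFER check. The netstat output, PIDs and program names embedded below are constructed for the demo; on a real box you pipe the live `netstat -pantu` output in and read the flags from /sys/class/net/IFACE/flags.

```shell
#!/bin/sh
# Added example (not from the thread): triage a chkrootkit bindshell / sniffer hit.

# owner_of_port PORT
# Reads `netstat -pantu` output on stdin and prints "proto port PID/Program"
# for every listening TCP socket and every UDP socket bound to PORT.
# Run netstat as root, otherwise the PID/Program column is just "-".
owner_of_port() {
    awk -v p="$1" '
        $1 ~ /^(tcp6?|udp6?)$/ {
            addr = $4; sub(/.*:/, "", addr)            # keep only the port part
            if (addr != p) next
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next    # connected sockets are not bind shells
            print $1, addr, $NF
        }'
}

# is_promisc FLAGS
# FLAGS is the hex value from /sys/class/net/IFACE/flags; IFF_PROMISC is 0x100.
is_promisc() {
    flags=$(( $1 ))
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Constructed sample: what `netstat -pantu` might print on a box with sshd,
# a shell listening on 1524, and dhclient bound to UDP 68.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      4471/sh
tcp        0      0 192.0.2.10:22           198.51.100.7:50322      ESTABLISHED 4402/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1963/dhclient'

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | owner_of_port 1524
# Live usage:
#   netstat -pantu | owner_of_port 1524
#   lsof -nP -i :1524
#   is_promisc "$(cat /sys/class/net/eth0/flags)" && echo "eth0 is promiscuous"
```

A listener on 1524 owned by `sshd` or a known daemon you configured is a false positive; one owned by `sh`, `nc`, or something with a deleted or odd binary path is the point at which to stop trusting the host's own tools and image the disk. The promiscuous check only tells you the interface is sniffable, not what is sniffing it, so pair it with the process list.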