LinuxQuestions.org > Linux - Security
rootkit: infected??? help (https://www.linuxquestions.org/questions/linux-security-4/rootkit-infected-help-324160/)

synaptical 05-16-2005 05:28 PM

rootkit: infected??? help
 
I think my web server might be compromised, but I'm not sure. chkrootkit says there's a packet sniffer on eth0:

eth0: PACKET SNIFFER(/sbin/dhclient[1963])

And when I just ran it again, I also get an infected message:

Checking `bindshell'... INFECTED (PORTS: 1524)

I don't want to panic just yet because the stuff I googled said the bindshell thing can be a false positive. The bad news is I'm not running portsentry or klaxon, so maybe it's a true positive. OTOH, nothing seems to be affected: no weird log activity, nothing in the .bash_history files, no bandwidth issues.

What steps should I take to make sure I'm okay?

Matir 05-16-2005 06:04 PM

The first one is a normal false positive caused by the dhcp client. The second one, I would be worried about. Very worried.

synaptical 05-16-2005 06:12 PM

I installed snort, and now that's showing up in the eth0 result as being packet sniffed too, so I think you're right about dhclient being an FP. And strangely, chkrootkit now doesn't return the warning for bindshell. So I think that must have also been an FP, but I'll keep my eye on it. thx

Matir 05-16-2005 06:36 PM

Both snort and dhclient show up as packet sniffers because, I believe, they force the interface into promiscuous mode. I do believe that recent versions of dhclient have this fixed, so upgrading that might at least reduce the false positives.

Capt_Caveman 05-16-2005 07:11 PM

If you get another bindshell warning, try running netstat -pantu or lsof -i and see what process has the socket open.
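Putting the triage steps from this thread into one script (an added example, not code from the thread or from chkrootkit): `owner_of_port` answers Capt_Caveman's question of which process has port 1524 open by parsing `netstat -pantu` output; `packet_sockets` shows what chkrootkit's `eth0: PACKET SNIFFER(/sbin/dhclient[1963])` line is actually built from, namely the AF_PACKET socket table in /proc/net/packet (dhclient and snort both open such a socket) matched to a PID through /proc/<pid>/fd; and `flags_promisc` tests the IFF_PROMISC bit behind chkrootkit's separate `PROMISC` warning. The netstat and /proc/net/packet samples, the PIDs and program names in them, and the `triage.sh` filename are constructed for this example and are not from the original poster's machine.

```shell
#!/bin/sh
# triage.sh (hypothetical name): check a chkrootkit bindshell / packet-sniffer hit.
# Parsers work on text so they can be tested offline; the live_* functions run
# the real commands on this host (run as root to see other users' PIDs).

# --- Constructed sample of `netstat -pantu` output (not the OP's box) ---
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      891/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      2718/portsentry
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1963/dhclient'

# --- Constructed sample of /proc/net/packet (two AF_PACKET sockets on ifindex 2) ---
SAMPLE_PACKET='sk       RefCnt Type Proto Iface R Rmem   User   Inode
ffff88003c1e6000 3      3    0003   2     1 0      0      18421
ffff88003c1e6800 3      2    0003   2     1 0      0      18903'

# owner_of_port PORT TEXT: TEXT is `netstat -pantu` output; prints the
# PID/Program field of every tcp/udp socket whose local address ends in :PORT.
owner_of_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") { print $NF }'
}

# packet_sockets TEXT: TEXT is /proc/net/packet; prints "ifindex inode" for each
# open packet socket (column 5 is the interface index, column 9 the socket inode).
packet_sockets() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 9 { print $5, $9 }'
}

# flags_promisc HEXFLAGS: succeeds if IFF_PROMISC (0x100) is set in the value
# read from /sys/class/net/<iface>/flags, i.e. the interface is in promiscuous mode.
flags_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# live_port_owner PORT: same question against the running system (netstat or ss).
live_port_owner() {
    if command -v netstat >/dev/null 2>&1; then
        owner_of_port "$1" "$(netstat -pantu 2>/dev/null)"
    else
        # ss -pantu: column 5 is Local Address:Port, last column is the process.
        ss -pantu 2>/dev/null | awk -v port="$1" '$5 ~ (":" port "$") { print $NF }'
    fi
}

# live_packet_sniffers: list processes holding AF_PACKET sockets, resolving the
# inode through /proc/<pid>/fd the way chkrootkit's ifpromisc does on Linux.
live_packet_sniffers() {
    [ -r /proc/net/packet ] || return 0
    packet_sockets "$(cat /proc/net/packet)" | while read -r ifindex inode; do
        iface=$(for d in /sys/class/net/*; do
                    if [ "$(cat "$d/ifindex" 2>/dev/null)" = "$ifindex" ]; then basename "$d"; fi
                done)
        for fd in /proc/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#/proc/}; pid=${pid%%/*}
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
            printf '%s: PACKET SNIFFER(%s[%s])\n' "${iface:-if$ifindex}" "${exe:-?}" "$pid"
        done
    done
}

# Live checks only when invoked as `sh triage.sh --live`; otherwise just define helpers.
if [ "${1:-}" = "--live" ]; then
    echo "== sockets bound to port 1524"; live_port_owner 1524
    echo "== processes with packet sockets"; live_packet_sniffers
    for f in /sys/class/net/*/flags; do
        if flags_promisc "$(cat "$f")"; then echo "PROMISC: $f"; fi
    done
fi
```

A listener on 1524 owned by something you installed (portsentry is the classic case) explains the bindshell hit; an unknown binary, or a process whose /proc/<pid>/exe points at a deleted file, is the point to stop and take the box offline.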

