Security Basics mailing list archives

RE: Chkrootkit finds bindshell


From: Keith Bucher <kbucher () halomede com>
Date: Tue, 23 Aug 2005 08:29:09 -0700

-------- Original Message --------
Subject: Chkrootkit finds bindshell
From: "Phil Cryer" <phil () cryer us>
Date: Mon, August 22, 2005 7:58 am
To: security-basics () securityfocus com

On:

[root@pepe /usr/local/www/data]# uname -a
FreeBSD pepe.cryer.us 6.0-CURRENT-SNAP004 FreeBSD 6.0-CURRENT-SNAP004 #0: Thu Jun  2 06:12:51 UTC 2005     root () wv1u samsco home:/usr/obj/usr/src/sys/GENERIC  i386

chkrootkit found:
Checking `bindshell'... INFECTED (PORTS:  465)

Googling finds that it's often a 'false positive'.  What is the consensus from this group?  What should be done?

P

The bindshell check for chkrootkit simply checks to see if a specified
port is listening, it does not determine whether the process listening
on the port is legitimate or not.  Use lsof or a similar utility to
find what process is listening on port 465 and then determine whether
it is legitimate or not (I've gotten this false positive from Exim
listening on port 465 before.)

Keith Bucher
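The check Keith describes, turned into a small script: it is an added example, not code from the thread or from chkrootkit, and it assumes the column layout printed by `lsof -nP -iTCP -sTCP:LISTEN` (COMMAND PID USER ... NAME, with NAME like `*:465 (LISTEN)`) and, on FreeBSD where lsof may not be installed, the layout of `sockstat -46l` (USER COMMAND PID FD PROTO LOCAL FOREIGN). The embedded lsof text is constructed sample data so the parsing can be exercised without a live system; `inspect_port` runs the real tool when one is present. The point is the one made in the reply: chkrootkit only reports that the port is open, so the answer comes from matching the owning process against the daemon you expect there.

```shell
#!/bin/sh
# Added example: attribute a chkrootkit "bindshell ... INFECTED (PORTS: 465)"
# hit to the process that actually owns the port, then compare it with the
# daemon expected there (e.g. a mail server on smtps/465).

# Constructed sample in the format of `lsof -nP -iTCP -sTCP:LISTEN` (not captured
# from a real host). Port 4650 is included to show the match is exact.
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
exim    1234 mail    5u  IPv4  12345      0t0  TCP *:465 (LISTEN)
sshd     900 root    3u  IPv4  10000      0t0  TCP *:22 (LISTEN)
httpd    777 www     4u  IPv6  20000      0t0  TCP [::]:4650 (LISTEN)'

# Read lsof-style listener lines on stdin; print "COMMAND PID USER" for every
# socket whose local address ends in ":PORT". The address is the field before
# the trailing "(LISTEN)" token, so IPv4, IPv6 and wildcard forms all work.
listeners_on_port() {
    awk -v port="$1" 'NR > 1 && $(NF-1) ~ (":" port "$") { print $1, $2, $3 }'
}

# Compare whoever owns PORT (lsof-style text on stdin) with the daemon you
# expect there. Prints "no listener on PORT", "expected: ..." or "UNEXPECTED: ...".
port_verdict() {
    verdict_port="$1"
    verdict_expected="$2"
    verdict_found=$(listeners_on_port "$verdict_port")
    if [ -z "$verdict_found" ]; then
        echo "no listener on $verdict_port"
        return 0
    fi
    printf '%s\n' "$verdict_found" | while read -r cmd pid user; do
        if [ "$cmd" = "$verdict_expected" ]; then
            echo "expected: $cmd (pid $pid, user $user)"
        else
            echo "UNEXPECTED: $cmd (pid $pid, user $user)"
        fi
    done
}

# Run against the live system: lsof where available, otherwise FreeBSD's
# sockstat (assumed layout: USER COMMAND PID FD PROTO LOCAL FOREIGN).
inspect_port() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null | listeners_on_port "$1"
    elif command -v sockstat >/dev/null 2>&1; then
        sockstat -46l | awk -v port="$1" 'NR > 1 && $6 ~ (":" port "$") { print $2, $3, $1 }'
    else
        echo "neither lsof nor sockstat found" >&2
        return 1
    fi
}

# Offline demonstration on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LSOF" | port_verdict 465 exim
}

# Usage on a real host, after a chkrootkit bindshell report for port 465:
#   inspect_port 465
#   inspect_port 465 | awk '{print}' ; or feed lsof output to: port_verdict 465 exim
```

If the owner is the mail daemon you run, the report is the false positive the reply describes; anything else listening there (or a listener with no corresponding installed service) is what needs investigating, starting with the binary path of that PID.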

