Security Basics mailing list archives
Re: Chkrootkit finds bindshell
From: "Esteban B." <esteban.borges () gmail com>
Date: Tue, 23 Aug 2005 15:16:56 -0300
Hi,

If you're running PortSentry/klaxon or another program that binds itself to unused ports, chkrootkit will probably give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

http://www.chkrootkit.org/faq/#7

See ya!

2005/8/23, Keith Bucher <kbucher () halomede com>:
> -------- Original Message --------
> Subject: Chkrootkit finds bindshell
> From: "Phil Cryer" <phil () cryer us>
> Date: Mon, August 22, 2005 7:58 am
> To: security-basics () securityfocus com
>
> On:
>
> [root@pepe /usr/local/www/data]# uname -a
> FreeBSD pepe.cryer.us 6.0-CURRENT-SNAP004 FreeBSD 6.0-CURRENT-SNAP004 #0: Thu Jun 2 06:12:51 UTC 2005 root () wv1u samsco home:/usr/obj/usr/src/sys/GENERIC i386
>
> chkrootkit found:
>
> Checking `bindshell'... INFECTED (PORTS: 465)
>
> Googling finds that it's often a 'false positive'. What is the consensus from this group? What should be done?
>
> P
>
> The bindshell check for chkrootkit simply checks to see if a specified port is listening; it does not determine whether the process listening on the port is legitimate or not. Use lsof or a similar utility to find what process is listening on port 465 and then determine whether it is legitimate or not (I've gotten this false positive from Exim listening on port 465 before.)
>
> Keith Bucher
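As an added example (not code from the thread or from chkrootkit), a small Python triage helper for the advice in Keith's reply: it performs the same connect-to-port probe that the bindshell test does, then maps each open port to its owning process through /proc the way `lsof -i :PORT` would (the /proc layout assumed is Linux's; on the FreeBSD box above, sockstat gives the same answer). The port list is the one quoted above; `demo()` opens a constructed listener on an ephemeral port to stand in for Exim or PortSentry.

```python
import os
import socket

BINDSHELL_PORTS = [114, 465, 511, 1008, 1524, 1999, 3879, 4369, 5665, 10008,
                   12321, 23132, 27374, 29364, 31336, 31337, 45454, 47017,
                   47889, 60001]  # chkrootkit's list, as quoted in the thread

def listening_ports(ports, host="127.0.0.1", timeout=0.2):
    """What the bindshell test does: list ports that accept a TCP connection.
    It says nothing about WHICH process listens, hence the false positives."""
    found = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found.append(port)
    return found
def owner_of_port(port):
    """Linux only: map a LISTEN port to {'pid', 'comm'} via /proc, the same
    answer `lsof -i :PORT` gives. None if /proc is absent or owner not visible."""
    inodes = set()
    try:
        with open("/proc/net/tcp") as fh:  # IPv4 table; tcp6 has the same layout
            next(fh)  # skip column header
            for line in fh:
                f = line.split()  # f[1]=hex addr:port, f[3]=state, f[9]=inode
                if f[3] == "0A" and int(f[1].rsplit(":", 1)[1], 16) == port:
                    inodes.add(f[9])
    except OSError:
        return None
    for pid in filter(str.isdigit, os.listdir("/proc")) if inodes else ():
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:[") and target[8:-1] in inodes:
                    with open(f"/proc/{pid}/comm") as fh:
                        return {"pid": int(pid), "comm": fh.read().strip()}
        except OSError:
            continue  # process gone, or not ours to inspect
    return None
def triage(ports=BINDSHELL_PORTS):
    """{open port: owner-or-None}: the input to the 'legitimate or not?' decision."""
    return {p: owner_of_port(p) for p in listening_ports(ports)}
def demo():
    """Constructed sample: an ephemeral listener stands in for Exim/PortSentry."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        return port, os.getpid(), triage(BINDSHELL_PORTS + [port])
```

Run `triage()` on the real list to get the open ports with their owners; a port that is open but whose owner is None (no visible process) is the case that deserves a closer look rather than a shrug.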