Re: Chkrootkit finds bindshell

["Esteban B." <esteban.borges () gmail com>]

HI,

If you're running PortSentry/klaxon or another program that binds
itself to unused ports probably chkrootkit will give you a false
positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp,
1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp,
12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp,
45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

http://www.chkrootkit.org/faq/#7

see ya!


2005/8/23, Keith Bucher <kbucher () halomede com>:
> > -------- Original Message --------
> > Subject: Chkrootkit finds bindshell
> > From: "Phil Cryer" <phil () cryer us>
> > Date: Mon, August 22, 2005 7:58 am
> > To: security-basics () securityfocus com
> >
> > On:
> >
> > [root@pepe /usr/local/www/data]# uname -a
> > FreeBSD pepe.cryer.us 6.0-CURRENT-SNAP004 FreeBSD 6.0-CURRENT-SNAP004 #0: Thu Jun  2 06:12:51 UTC 2005     root () 
> > wv1u samsco home:/usr/obj/usr/src/sys/GENERIC  i386
> >
> > chkrootkit found:
> > Checking `bindshell'... INFECTED (PORTS:  465)
> >
> > Googling finds that it's often a 'false positive'.  What is the concensus from this group?  What should be done?
> >
> > P
>
> The bindshell check for chkrootkit simply checks to see if a specified
> port is listening, it does not determine whether the process listening
> on the port is legitimate or not.  Use lsof or a similar utility to
> find what process is listening on port 465 and then determine whether
> it is legitimate or not (I've gotten this false positive from Exim
> listening on port 465 before.)
>
> Keith Bucher