rootkit detected

BLAG Forum Index -> open discussion

Author Message
hansencomputers
Posted: Tue Feb 19, 2008 5:03 am    Post subject: rootkit detected

Hi,
What to do if a rootkit is detected?

I ran chkrootkit and in the output that the process generated I found this entry:
Quote:

Checking `bindshell'... INFECTED (PORTS: 465)



So.......what does one do? What is this?

Mike

jebba
Posted: Tue Feb 19, 2008 5:38 am

chkrootkit is "over aggressive" in that it will report anything it thinks is remotely dodgy. In other words, it very very very very very often reports false positives, so don't be too alarmed. That said, you should investigate what is listening on your ports in general. `netstat -pants` will give you clues (and other permutations of `netstat`).
john maclean
Posted: Tue Feb 19, 2008 2:51 pm

Code:
 grep 465 /etc/services
smtps           465/tcp                         # SMTP over SSL (TLS)
pipes           1465/tcp                        # Pipes Platform
pipes           1465/udp                        # Pipes Platform  mfarlin@peerlogic.com
lbm             2465/tcp                        # Load Balance Management
lbm             2465/udp                        # Load Balance Management
edm-mgr-cntrl   3465/tcp                        # EDM MGR Cntrl
edm-mgr-cntrl   3465/udp                        # EDM MGR Cntrl
playsta2-app    4658/tcp                        # PlayStation2 App Port
playsta2-app    4658/udp                        # PlayStation2 App Port
playsta2-lob    4659/tcp                        # PlayStation2 Lobby Port
playsta2-lob    4659/udp                        # PlayStation2 Lobby Port
netops-broker   5465/tcp                        # NETOPS-BROKER
netops-broker   5465/udp                        # NETOPS-BROKER

What emailer do you use?


_________________
BLAG 'em up!
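Added example, not code from the thread: a small POSIX sh script that does the triage jebba and john maclean describe, mapping the flagged port to its /etc/services name with an exact field match and then finding the process that owns the LISTEN socket in `netstat -pant` style output. The /etc/services excerpt and the netstat output showing exim on 465 are constructed samples, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: triage a chkrootkit "bindshell ... PORTS: 465" hit.
# Step 1 maps the port to its /etc/services name (exact field match, unlike a bare grep).
# Step 2 finds the process that owns the LISTEN socket in `netstat -pant`-style output.
# Both take their input text as an argument so the script runs offline on constructed samples.

# Constructed /etc/services excerpt (real format, same lines as the grep above).
SERVICES_SAMPLE='smtps           465/tcp                         # SMTP over SSL (TLS)
pipes           1465/tcp                        # Pipes Platform
lbm             2465/tcp                        # Load Balance Management'

# Constructed netstat -pant output: an exim listener on 465 (the thread's resolution), plus noise.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1234/exim4
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/exim4
tcp        0      0 192.168.1.5:22          192.168.1.9:51000       ESTABLISHED 987/sshd'

# service_name PORT [PROTO] [SERVICES_TEXT]: name registered for PORT/PROTO, empty if none.
service_name() {
    port=$1; proto=${2:-tcp}; text=${3:-$(cat /etc/services)}
    printf '%s\n' "$text" |
        awk -v want="$port/$proto" '$1 !~ /^#/ && $2 == want { print $1; exit }'
}

# listener_on PORT [NETSTAT_TEXT]: "PID/Program" of the LISTEN socket bound to PORT, empty if none.
# Takes the last colon-separated field of "Local Address" so ":::465" (IPv6) works too.
listener_on() {
    port=$1; text=${2:-$(netstat -pant 2>/dev/null)}
    printf '%s\n' "$text" |
        awk -v p="$port" '$6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) { print $7; exit } }'
}

# triage_port PORT [PROTO] [SERVICES_TEXT] [NETSTAT_TEXT]: one-line verdict for the admin.
# Returns 0 when a named process owns the port, 1 when nothing visible does (worth a closer look).
triage_port() {
    name=$(service_name "$1" "${2:-tcp}" "$3")
    owner=$(listener_on "$1" "$4")
    if [ -n "$owner" ]; then
        echo "port $1/${2:-tcp} (${name:-unregistered}) is held by $owner: check that the package explains it"
        return 0
    fi
    echo "port $1/${2:-tcp} (${name:-unregistered}) has no visible listener: compare with ss/lsof and the package list"
    return 1
}

triage_port 465 tcp "$SERVICES_SAMPLE" "$NETSTAT_SAMPLE"
triage_port 2465 tcp "$SERVICES_SAMPLE" "$NETSTAT_SAMPLE" || true
```

On a live box call the functions without the sample arguments and they read /etc/services and run `netstat -pant` themselves (root needed for the PID/Program column).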
hansencomputers
Posted: Wed Feb 20, 2008 12:24 am

Hi Guys,
I think this is resolved. I did some Google searching and found that "exim" can cause a false positive. I checked and found I had installed exim. It has something to do with email. I mainly use Yahoo web mail, and Thunderbird with another POP3 account.

I removed exim, and re-ran the rootkit check. This time it came up clean.

I guess this was a false positive. Thanks for helping out. I'm glad I am still clean.

Mike
