hansencomputers
Posted: Tue Feb 19, 2008 5:03 am Post subject: rootkit detected
Hi,
What to do if a rootkit is detected?
I ran chkrootkit and in the output that the process generated I found this entry:
Quote:
Checking `bindshell'... INFECTED (PORTS: 465)
So.......what does one do? What is this?
Mike
jebba
Posted: Tue Feb 19, 2008 5:38 am Post subject:
chkrootkit is "over aggressive" in that it will report anything it thinks is remotely dodgy. In other words, it very very very very very often reports false positives, so don't be too alarmed. That said, you should investigate what is listening on your ports in general. `netstat -pants` will give you clues (and other permutations of `netstat`).
john maclean
Posted: Tue Feb 19, 2008 2:51 pm Post subject:
Code:
grep 465 /etc/services
smtps 465/tcp # SMTP over SSL (TLS)
pipes 1465/tcp # Pipes Platform
pipes 1465/udp # Pipes Platform mfarlin@peerlogic.com
lbm 2465/tcp # Load Balance Management
lbm 2465/udp # Load Balance Management
edm-mgr-cntrl 3465/tcp # EDM MGR Cntrl
edm-mgr-cntrl 3465/udp # EDM MGR Cntrl
playsta2-app 4658/tcp # PlayStation2 App Port
playsta2-app 4658/udp # PlayStation2 App Port
playsta2-lob 4659/tcp # PlayStation2 Lobby Port
playsta2-lob 4659/udp # PlayStation2 Lobby Port
netops-broker 5465/tcp # NETOPS-BROKER
netops-broker 5465/udp # NETOPS-BROKER
What emailer do you use?
_________________ BLAG 'em up!
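A small triage helper for a hit like the one quoted in the first post (an added example, not code posted by anyone in this thread): it looks the port up in a services file the way john maclean's grep does, but matching the exact "port/tcp" field so 1465 and 4658 don't come along for the ride, and then shows the process bound to the port, which is what jebba's netstat suggestion is after. It assumes a Linux host with ss(8) or netstat(8); the services file path is a parameter and the sample services file below is constructed here.

```shell
#!/bin/sh
# Triage a chkrootkit "bindshell ... INFECTED (PORTS: N)" report.
# Added example, not from the thread. Assumes Linux with ss(8) or netstat(8);
# the services file is a parameter so the lookup can run against a sample.

# Print the service name registered for TCP port $1 in services file $2.
# Matches the whole "port/tcp" field: a plain `grep 465` also hits 1465,
# 2465 and 4658, as the output quoted above shows.
service_for_port() {
    port=$1
    services=${2:-/etc/services}
    awk -v p="$port" '$1 !~ /^#/ && $2 == p "/tcp" { print $1 }' "$services"
}

# Show the listening socket and owning process for TCP port $1 (root is
# needed to see other users' processes). Uses ss if present, else netstat.
listener_for_port() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -ltnp "( sport = :$port )" | tail -n +2
    else
        netstat -ltnp 2>/dev/null | awk -v p=":$port\$" '$4 ~ p'
    fi
}

# One-line verdict on the port name: a registered service (here exim's
# SMTPS listener) is the usual false-positive picture; an unregistered
# port with no identifiable process is what deserves a closer look.
triage_port() {
    port=$1
    services=${2:-/etc/services}
    name=$(service_for_port "$port" "$services")
    if [ -n "$name" ]; then
        echo "port $port: registered as '$name'"
    else
        echo "port $port: no registered service name"
    fi
}

# Constructed sample of /etc/services so the script runs stand-alone.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Network services, Internet style
smtps   465/tcp    # SMTP over SSL (TLS)
pipes   1465/tcp   # Pipes Platform
lbm     2465/tcp   # Load Balance Management
EOF

triage_port 465 "$SAMPLE"     # port 465: registered as 'smtps'
listener_for_port 465         # whatever is actually bound on this host
rm -f "$SAMPLE"
```

Run it without the second argument to use the real /etc/services; a registered name plus a recognisable process (exim on 465, as it turned out here) is the false-positive case, while an unregistered port with nothing owning it is the one to keep digging into.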
hansencomputers
Posted: Wed Feb 20, 2008 12:24 am Post subject:
Hi Guys,
I think this is resolved. I did some Google Searching and found that "exim" can cause a false positive. I checked and found I had installed exim. It has something to do with email. I mainly use Yahoo WEB mail, and Thunderbird with another POP3 account.
I removed exim, and re-ran the rootkit check. This time it came up clean.
I guess this was a false positive. Thanks for helping out. I'm glad I am still clean.
Mike