BLAG Forums
 Post subject: rootkit detected
PostPosted: Tue Feb 19, 2008 5:03 am 
Joined: Sun Mar 25, 2007 11:33 am
Posts: 240
Location: Great Lakes
Hi,
What to do if a rootkit is detected?

I ran chkrootkit and in the output that the process generated I found this entry:
Quote:
Checking `bindshell'... INFECTED (PORTS: 465)



So.......what does one do? What is this?

Mike


 Post subject:
PostPosted: Tue Feb 19, 2008 5:38 am 
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
chkrootkit is "over-aggressive" in that it will report anything it thinks is remotely dodgy. In other words, it very very very very very often reports false positives, so don't be too alarmed. That said, you should investigate what is listening on your ports in general. `netstat -pants` will give you clues (and other permutations of `netstat`).

 Post subject:
PostPosted: Tue Feb 19, 2008 2:51 pm 
Site Admin

Joined: Wed Mar 17, 2004 6:17 pm
Posts: 1340
Location: London, UK
Code:
 grep 465 /etc/services
smtps           465/tcp                         # SMTP over SSL (TLS)
pipes           1465/tcp                        # Pipes Platform
pipes           1465/udp                        # Pipes Platform  mfarlin@peerlogic.com
lbm             2465/tcp                        # Load Balance Management
lbm             2465/udp                        # Load Balance Management
edm-mgr-cntrl   3465/tcp                        # EDM MGR Cntrl
edm-mgr-cntrl   3465/udp                        # EDM MGR Cntrl
playsta2-app    4658/tcp                        # PlayStation2 App Port
playsta2-app    4658/udp                        # PlayStation2 App Port
playsta2-lob    4659/tcp                        # PlayStation2 Lobby Port
playsta2-lob    4659/udp                        # PlayStation2 Lobby Port
netops-broker   5465/tcp                        # NETOPS-BROKER
netops-broker   5465/udp                        # NETOPS-BROKER

What emailer do you use?

_________________
BLAG 'em up!

 Post subject:
PostPosted: Wed Feb 20, 2008 12:24 am 
Joined: Sun Mar 25, 2007 11:33 am
Posts: 240
Location: Great Lakes
Hi Guys,
I think this is resolved. I did some Google searching and found that "exim" can cause a false positive. I checked and found I had installed exim. It has something to do with email. I mainly use Yahoo web mail, and Thunderbird with another POP3 account.

I removed exim, and re-ran the rootkit check. This time it came up clean.

I guess this was a false positive. Thanks for helping out. I'm glad I am still clean.

Mike

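The triage the thread walks through by hand (take the port chkrootkit's `bindshell` check complains about, look it up in `/etc/services`, and see which process is actually listening on it with `netstat -pant`) can be scripted. The following is an added example and not something any of the posters ran; the chkrootkit line is the one quoted in the first post, while the `netstat -pant` output and the `/etc/services` excerpt are constructed samples embedded so the script runs offline (an `exim4` process on port 465 is assumed, matching the thread's eventual explanation). The `netstat` column layout assumed is the usual `Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name`; on a live box you would pipe the real `netstat -pant` (or `ss -ltnp`) output and the real `/etc/services` into the same functions.

```shell
#!/bin/sh
# Added example (not from the forum thread): map the ports in a chkrootkit
# "bindshell ... INFECTED (PORTS: ...)" line to a service name and to the
# process that owns the listening socket, so a hit can be triaged instead of
# trusted or ignored.

# The chkrootkit line quoted in the first post.
CHKROOTKIT_LINE="Checking \`bindshell'... INFECTED (PORTS: 465)"

# Constructed sample of 'netstat -pant' output (assumed column layout; an
# exim4 listener on 465 is an assumption made for the example).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1234/exim4
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/exim4
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd'

# Constructed /etc/services excerpt (two of the lines the thread grepped).
SERVICES_SAMPLE='smtps           465/tcp                         # SMTP over SSL (TLS)
pipes           1465/tcp                        # Pipes Platform'

# ports_from_chkrootkit LINE
#   Prints the space-separated port list inside "INFECTED (PORTS: ...)",
#   or nothing if the line carries no such list.
ports_from_chkrootkit() {
    printf '%s\n' "$1" | sed -n 's/.*INFECTED (PORTS: \([0-9 ]*\)).*/\1/p'
}

# service_name PORT   (reads /etc/services-style text on stdin)
#   Exact match on "PORT/tcp" in the second column, so 465 does not match
#   1465, 2465 ... the way the thread's plain 'grep 465' did.
service_name() {
    awk -v p="$1" '$2 == p "/tcp" { print $1; exit }'
}

# listener_for PORT   (reads 'netstat -pant' text on stdin)
#   Prints the PID/Program of the socket in LISTEN state whose local
#   address ends in ":PORT"; empty if nothing is listening there.
listener_for() {
    awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { print $7; exit }'
}

# triage LINE
#   One output line per flagged port: "PORT SERVICE PID/PROGRAM", with
#   "unknown" / "none" placeholders when a lookup finds nothing.
triage() {
    for port in $(ports_from_chkrootkit "$1"); do
        svc=$(printf '%s\n' "$SERVICES_SAMPLE" | service_name "$port")
        proc=$(printf '%s\n' "$NETSTAT_SAMPLE" | listener_for "$port")
        printf '%s %s %s\n' "$port" "${svc:-unknown}" "${proc:-none}"
    done
}

triage "$CHKROOTKIT_LINE"
```

A flagged port that resolves to a known package's daemon (here `exim4` on `smtps`) is the false positive the admin warned about; a flagged port owned by a process you cannot account for, or one that `netstat` cannot name at all, is the case worth escalating. Note that on a compromised host `netstat` itself may be trojaned, so a clean result from this script is only as trustworthy as the binaries it calls.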