--- Kevin wrote:

> On Mon, 2005-10-24 at 10:23 -0700, Josh Coffman wrote:
> > I just installed rkhunter and chkrootkit and ran them.
> > chkrootkit gave me one infected message:
> >
> > Checking `bindshell'... INFECTED (PORTS: 4000)
> >
> > What can I do to find out more? I'm not sure if this
> > message really means I have a problem or just
> > something I need to investigate.
>
> Google shows a lot of false alarms with chkrootkit and tcp/udp ports 600
> and 4000. Seems the rpc.statd daemon is a common point of confusion for
> that particular rootkit hunter. Are you using NFS on this box? Are you
> running rpc.statd?

No NFS.

> Here are some basic steps I would take:
>
> Check to see if that tcp or udp port is in LISTENING mode.
> # netstat -an | grep 4000
>
> Check to see what might be using that port:
> # lsof | grep 4000
>
> Check to see if you can connect to it. If so, hit return a couple of
> times and see if you get a banner or shell prompt or other clue:
> # nc -vv localhost 4000
> # nc -vv -u localhost 4000
> # telnet localhost 4000
>
> ...Kevin

Found it. mlnet (mldonkey server) was running. Thanks.

-j

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
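A scripted form of the checks Kevin lists, as an added example that is not part of the original thread. It reads the kernel's own socket table from /proc/net/tcp (so it does not depend on netstat or lsof being present or trustworthy) and maps the socket inode back to the owning PID and command line. The port, the sample /proc/net/tcp contents and the function names are constructed for illustration; it assumes a Linux host with /proc mounted.

```shell
#!/bin/sh
# Added example, not from the original thread: "is something LISTENing on
# port 4000, and what is it?" answered from /proc instead of netstat/lsof.
# Assumes Linux with /proc; the sample table below is constructed.

# /proc/net/tcp stores IPv4 addresses as 8 little-endian hex digits
# (0100007F -> 127.0.0.1) and ports as 4 hex digits (0FA0 -> 4000).
hex_ip_to_dotted() {
  printf '%d.%d.%d.%d' \
    "0x$(echo "$1" | cut -c7-8)" "0x$(echo "$1" | cut -c5-6)" \
    "0x$(echo "$1" | cut -c3-4)" "0x$(echo "$1" | cut -c1-2)"
}

# listening_on_port PORT: read /proc/net/tcp-style text on stdin and print
# "local_hex_addr inode" for every socket in LISTEN state (st == 0A) on PORT.
# Column 10 of /proc/net/tcp is the socket inode; ESTABLISHED rows (st 01)
# on the same port are deliberately skipped.
listening_on_port() {
  port_hex=$(printf '%04X' "$1")
  awk -v p="$port_hex" '
    NR > 1 && $4 == "0A" {
      split($2, a, ":")
      if (toupper(a[2]) == p) print a[1], $10
    }'
}

# report_port PORT: same as above but with the address decoded.
report_port() {
  port=$1
  listening_on_port "$port" | while read -r addr inode; do
    printf '%s:%s inode=%s\n' "$(hex_ip_to_dotted "$addr")" "$port" "$inode"
  done
}

# pid_for_inode INODE: scan /proc/*/fd for a "socket:[INODE]" link and print
# "pid cmdline" for each owner. This is the view lsof builds from; doing it
# by hand is useful when lsof is missing or may have been tampered with.
pid_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    pid=${fd#/proc/}; pid=${pid%%/*}
    printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
  done | sort -u
}

# Constructed sample: a LISTEN on 0.0.0.0:4000 (inode 12345), a LISTEN on
# 127.0.0.1:631 (inode 67890), and an ESTABLISHED connection on port 4000.
sample_proc_net_tcp() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0A00000F:0FA0 C0A80102:C3A1 01 00000000:00000000 00:00000000 00000000  1000        0 11111 1 0000000000000000 20 4 30 10 -1
EOF
}

# investigate PORT: run the checks against the live system.
investigate() {
  port=$1
  echo "== LISTEN sockets on port $port according to /proc/net/tcp =="
  report_port "$port" < /proc/net/tcp | while read -r line; do
    echo "$line"
    inode=${line#*inode=}
    pid_for_inode "$inode" | sed 's/^/   owner: pid /'
  done
  echo "== netstat view (a userland rootkit that replaces netstat/lsof would hide the socket here but not above) =="
  netstat -an 2>/dev/null | grep -E "[:.]$port[[:space:]]" || echo "   (nothing listed, or netstat not installed)"
  echo "== next step: connect and press Enter a few times to look for a banner =="
  echo "   nc -vv localhost $port"
}

if [ $# -gt 0 ]; then investigate "$1"; fi
```

Run it as `sh listen-check.sh 4000`. The point of reading /proc/net/tcp directly and then comparing with netstat is that a userland rootkit typically replaces netstat and lsof, not the kernel's socket table, so a socket that appears in /proc but not in netstat output is far more suspicious than one that shows up in both with a recognisable owner, as Josh's mlnet turned out to be.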