chkrootkit indicates infection

Kevin plug-discuss at firstpacket.com
Mon Oct 24 10:45:02 MST 2005


On Mon, 2005-10-24 at 10:23 -0700, Josh Coffman wrote:
> I just installed rkhunter and chkrootkit and ran them.
> chkrootkit gave me one infected message:
> 
> Checking `bindshell'... INFECTED (PORTS:  4000)
> 
> What can I do to find out more? I'm not sure if this
> message really means I have a problem or just
> something I need to investigate.

Google shows a lot of false alarms with chkrootkit and tcp/udp ports 600
and 4000.  Seems the rpc.statd daemon is a common point of confusion for
that particular rootkit hunter.  Are you using NFS on this box?  Are you
running rpc.statd?

Here are some basic steps I would take:

Check to see if that tcp or udp port is in LISTENING mode.
# netstat -an | grep 4000

Check to see what might be using that port:
# lsof | grep 4000

Check to see if you can connect to it.  If so, hit return a couple of
times and see if you get a banner or shell prompt or other clue:
# nc -vv localhost 4000
# nc -vv -u localhost 4000
# telnet localhost 4000

...Kevin
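The three checks in Kevin's reply, worked through as one script. This is an added example, not part of the original mailing-list post: the `netstat -an` and `lsof -i` output it parses is constructed sample text embedded in the script (so it runs offline), and the function names `listeners_on`, `owner_of` and `verdict` are assumptions of this example. It matches the port only in the local-address column, which a plain `grep 4000` does not, and it names the owning process so a hit on port 4000 can be checked against the rpc.statd explanation before anything else is concluded.

```shell
#!/bin/sh
# Added example (not from the original post): triage a chkrootkit
# "bindshell ... INFECTED (PORTS: 4000)" report offline against
# constructed sample output shaped like `netstat -an` and `lsof -i`.

# Constructed sample in the shape of `netstat -an` output.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:4000            0.0.0.0:*'

# Constructed sample in the shape of `lsof -i` output (who holds the socket).
LSOF_SAMPLE='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpc.statd 1203 root    5u  IPv4  10234      0t0  TCP *:4000 (LISTEN)
rpc.statd 1203 root    6u  IPv4  10235      0t0  UDP *:4000
sendmail  1310 root    4u  IPv4  10801      0t0  TCP localhost:smtp (LISTEN)'

# listeners_on PORT: print "proto local-address state" for every tcp/udp
# socket whose LOCAL address ends in :PORT. Matching only the local
# column avoids false hits on Recv-Q/Send-Q numbers or the foreign side.
listeners_on() {
    port=$1
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v p="$port" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")
            if (a[n] == p) {
                state = ($6 == "") ? "-" : $6   # udp rows have no state column
                print $1, $4, state
            }
        }'
}

# owner_of PORT: print "command pid" for each process holding a socket on
# PORT, taken from the NAME field (the one that looks like addr:PORT).
owner_of() {
    port=$1
    printf '%s\n' "$LSOF_SAMPLE" | awk -v p="$port" '
        NR > 1 {
            for (i = 1; i <= NF; i++)
                if ($i ~ (":" p "$")) { print $1, $2; break }
        }' | sort -u
}

# verdict PORT: classify the hit. rpc.statd picking a high port is the
# usual benign explanation for this chkrootkit message; anything else,
# or a listener with no visible owner, still needs a closer look.
verdict() {
    port=$1
    owner=$(owner_of "$port" | awk '{ print $1 }' | sort -u)
    if [ -z "$owner" ]; then
        echo "no-process: nothing in the lsof output holds port $port (socket gone, or hidden from lsof: compare with a second tool)"
    elif [ "$owner" = "rpc.statd" ]; then
        echo "likely-benign: port $port is held by rpc.statd (NFS lock status daemon), a known chkrootkit false-positive trigger"
    else
        echo "investigate: port $port is held by $owner"
    fi
}

# Usage: sh triage.sh 4000
if [ -n "${1:-}" ]; then
    listeners_on "$1"
    owner_of "$1"
    verdict "$1"
fi
```

To use it on a live box, replace the two sample variables with `$(netstat -an)` and `$(lsof -i)` (the latter must run as root to see other users' sockets). A "no-process" verdict on a port that `netstat` shows listening is the case worth the most attention, since it means the two tools disagree.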
