chkrootkit indicates infection
Josh Coffman
josh_coffman at yahoo.com
Mon Oct 24 12:04:02 MST 2005
--- Kevin <plug-discuss at firstpacket.com> wrote:
> On Mon, 2005-10-24 at 10:23 -0700, Josh Coffman wrote:
> > I just installed rkhunter and chkrootkit and ran them.
> > chkrootkit gave me one infected message:
> >
> > Checking `bindshell'... INFECTED (PORTS: 4000)
> >
> > What can I do to find out more? I'm not sure if this message
> > really means I have a problem or just something I need to investigate.
>
> Google shows a lot of false alarms with chkrootkit and tcp/udp ports 600
> and 4000. Seems the rpc.statd daemon is a common point of confusion for
> that particular rootkit hunter. Are you using NFS on this box? Are you
> running rpc.statd?
no NFS.
> Here are some basic steps I would take:
>
> Check to see if that tcp or udp port is in LISTENING mode.
> #netstat -an | grep 4000
>
> Check to see what might be using that port:
> #lsof | grep 4000
>
> Check to see if you can connect to it. If so, hit return a couple of
> times and see if you get a banner or shell prompt or other clue:
> # nc -vv localhost 4000
> # nc -vv -u localhost 4000
> # telnet localhost 4000
>
> ...Kevin
>
found it. mlnet(mldonkey server) was running. Thanks.
-j
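The triage Kevin lists (is the port listening, which process owns it), done against the kernel's own socket table rather than through netstat/lsof, as an added example that is not from the thread, from chkrootkit or from mldonkey. The sample /proc/net/tcp table, its inode numbers and uids are constructed for the demonstration; the live `triage_port` helper assumes a Linux /proc layout (/proc/net/tcp, /proc/PID/fd, /proc/PID/exe, /proc/PID/cwd).

```shell
#!/bin/sh
# Added example (not from the thread): triage a chkrootkit
# "Checking `bindshell'... INFECTED (PORTS: N)" report by reading the
# kernel socket table directly instead of trusting a port signature.
# Assumes a Linux /proc layout; the sample table below is constructed.

# Constructed /proc/net/tcp-style table: a LISTEN socket on TCP 4000
# (0x0FA0) owned by uid 1000, a LISTEN socket on 22 (0x0016) owned by
# root, and one ESTABLISHED connection on 4000 that must NOT count.
SAMPLE_TABLE=$(cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 999 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0FA0 0100007F:C3A8 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
EOF
)

# Print "inode uid" for every LISTEN socket on TCP PORT, reading a
# /proc/net/tcp-format table from stdin. Exit 1 if nothing listens there.
# Fields: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
listeners_in_table() {
    port=$1
    hexport=$(printf '%04X' "$port")      # kernel stores the port as 4 hex digits
    awk -v p="$hexport" '
        NR > 1 {
            split($2, a, ":")             # local_address is hexIP:hexPORT
            if (a[2] == p && $4 == "0A") { # state 0A = LISTEN
                print $10, $8
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Map a socket inode to the PID(s) holding it, via /proc/PID/fd symlinks.
# Needs root to see other users' processes; unreadable entries are skipped.
pids_for_inode() {
    inode=$1
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# Live triage: who listens on PORT, which binary is it, where was it started?
# An exe path ending in "(deleted)" means the binary was removed after the
# process started, which deserves a closer look than a known daemon does.
triage_port() {
    port=$1
    [ -r /proc/net/tcp ] || { echo "no readable /proc/net/tcp (not Linux?)"; return 2; }
    listeners_in_table "$port" < /proc/net/tcp | while read -r inode uid; do
        for pid in $(pids_for_inode "$inode"); do
            printf 'port %s: pid %s uid %s exe=%s cwd=%s cmd=%s\n' \
                "$port" "$pid" "$uid" \
                "$(readlink "/proc/$pid/exe" 2>/dev/null)" \
                "$(readlink "/proc/$pid/cwd" 2>/dev/null)" \
                "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        done
    done
}

# Demonstration on the constructed table (the thread's "PORTS: 4000" case):
# prints "12345 1000", i.e. inode 12345 owned by uid 1000.
printf '%s\n' "$SAMPLE_TABLE" | listeners_in_table 4000
# On a live Linux box, run the full check: triage_port 4000
```

Pairing the listener's uid, exe and cwd with the socket is what turns "something listens on 4000" into "mlnet, started by my user from its own directory", which is the conclusion the thread reached; chkrootkit's bindshell test only knows the port number, so any legitimate daemon on one of its listed ports produces the same INFECTED line.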