chkrootkit indicates infection

Josh Coffman josh_coffman at yahoo.com
Mon Oct 24 12:04:02 MST 2005



--- Kevin <plug-discuss at firstpacket.com> wrote:

> On Mon, 2005-10-24 at 10:23 -0700, Josh Coffman wrote:
> > I just installed rkhunter and chkrootkit and ran them.
> > chkrootkit gave me one infected message:
> > 
> > Checking `bindshell'... INFECTED (PORTS:  4000)
> > 
> > What can I do to find out more? I'm not sure if this
> > message really means I have a problem or just
> > something I need to investigate.
> 
> Google shows a lot of false alarms with chkrootkit and tcp/udp ports 600
> and 4000.  Seems the rpc.statd daemon is a common point of confusion for
> that particular rootkit hunter.  Are you using NFS on this box?  Are you
> running rpc.statd?

No NFS.

> Here are some basic steps I would take:
> 
> Check to see if that tcp or udp port is in LISTENING mode.
> # netstat -an | grep 4000
> 
> Check to see what might be using that port:
> # lsof | grep 4000
> 
> Check to see if you can connect to it.  If so, hit return a couple of
> times and see if you get a banner or shell prompt or other clue:
> # nc -vv localhost 4000
> # nc -vv -u localhost 4000
> # telnet localhost 4000
> 
> ...Kevin
> 
Found it. mlnet (mldonkey server) was running. Thanks.

-j
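The triage Kevin outlines above (is the port really listening, and which process owns it) can be scripted so the same check is repeatable the next time chkrootkit flags a port. The script below is an added example, not Kevin's or Josh's code and not part of chkrootkit. It parses `netstat -an`-style output by the local-address column rather than grepping for the bare digits (so port 4000 does not match 40001 or a remote port 4000), reports whether the port is in LISTEN state, and, when run with a port argument on a live host, uses `lsof -nP -i :PORT` to name the owning process. The `netstat` sample embedded in the script is constructed for offline use; the column layout it assumes (local address in column 4, state in column 6) is the classic Linux `netstat -an` format.

```shell
#!/bin/sh
# Added example: triage a chkrootkit "bindshell ... INFECTED (PORTS: 4000)" finding
# by confirming whether the port is actually listening and which process owns it.

# Constructed sample of `netstat -an` output, so the parsing can be exercised offline.
# Port 4000 is listening on tcp and open on udp; 40001 is an outbound connection,
# and 80 appears only as a *remote* port.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:40001          10.0.0.9:80             ESTABLISHED
udp        0      0 0.0.0.0:4000            0.0.0.0:*'

# listeners_on PORT: from netstat-style output on stdin, print the socket lines whose
# LOCAL port equals PORT. Matching the local-address column only is what avoids the
# `grep 4000` false hits on 40001, on PIDs, or on a remote port.
listeners_on() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":")      # local address is column 4; port follows the last colon
            if (a[n] == port) print
        }'
}

# port_state PORT: prints LISTEN (a tcp listener exists), UDP (only an unconnected
# udp socket, which netstat shows with no state column), or NONE.
port_state() {
    listeners_on "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" { found = "LISTEN" }
        $1 ~ /^udp/ && found == ""    { found = "UDP" }
        END { print (found == "" ? "NONE" : found) }'
}

# sample_state PORT: run port_state over the constructed sample (offline demo).
sample_state() {
    printf '%s\n' "$SAMPLE_NETSTAT" | port_state "$1"
}

# triage_port PORT: live check on this host. netstat and lsof may be absent, so each
# step is skipped rather than failing when its tool is missing. Run as root to see
# sockets owned by other users.
triage_port() {
    if command -v netstat >/dev/null 2>&1; then
        echo "port $1 state: $(netstat -an 2>/dev/null | port_state "$1")"
    fi
    if command -v lsof >/dev/null 2>&1; then
        # -i :PORT selects the socket itself (unlike `lsof | grep PORT`, which also
        # matches any path or PID containing those digits); -n/-P skip name lookups.
        lsof -nP -i :"$1" 2>/dev/null
    fi
}

# Stand-alone run: show the parser on the sample, then triage a real port if one was given.
echo "sample: port 4000 -> $(sample_state 4000), port 40001 -> $(sample_state 40001)"
if [ $# -gt 0 ]; then
    triage_port "$1"
fi
```

In the thread the answer turned out to be a legitimate service (mlnet) on port 4000, which is exactly what the `lsof -i :4000` step reveals; when the owning process is something you did not install, the process's binary path and parent (`ls -l /proc/PID/exe`, `ps -o ppid= -p PID`) are the next things to record before touching it.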
