Re: chkrootkit V. 0.47



On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
On Tuesday 20 November 2007 16:41:52 JP wrote:
Running FreeBSD 6.1

After changing chkrootkit to the latest version, V. 0.47, compiling it
and then running it, I get the following:
[snip]
Checking `bindshell'... INFECTED (PORTS: 6667)
[snip]

I do run an IRCd...

Such tools are known to trigger false positives sometimes. I'd recommend
playing with some additional utilities like lsof. In case of bindshell, try to
find processes that were executed from world-writable directories such
as /tmp. Try to shut down httpd and other daemons and see if any of them
are still running.

The bindshell is most probably a false positive - chkrootkit just
checks if anything is listening on "unusual" ports. Since 6667 is
one of the most often used well-known ports for IRC communication,
this is most probably a false positive.

G'luck,
Peter

--
Peter Pentchev roam@xxxxxxxxxxx roam@xxxxxxxx roam@xxxxxxxxxxx
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.

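A way to carry out the triage Nikolay and Peter describe, as an added example that is not chkrootkit's code and did not appear in the thread: list what is actually bound to the flagged port with sockstat(1), then resolve each listener's executable with lsof and check whether it lives under a world-writable directory such as /tmp. The sockstat output embedded below is constructed for an offline run; the `--demo` flag, the function names and the "x.bin" listener are assumptions for illustration. On FreeBSD the sockstat and lsof invocations are real, but lsof comes from the sysutils/lsof port and may not resolve a text path for every process.

```shell
#!/bin/sh
# Triage a chkrootkit "bindshell INFECTED (PORTS: N)" report on FreeBSD.
# Added example; not chkrootkit's own check or code from the thread.
# Assumes FreeBSD sockstat(1) and the lsof port.  The sample sockstat
# output at the bottom is constructed so the parser can be run offline.

# Print "PID:COMMAND" for every process with a listener on port $1,
# reading `sockstat -46l` style output on stdin (header line skipped).
listeners_on_port() {
    awk -v port="$1" '
        NR > 1 && $6 ~ (":" port "$") { print $3 ":" $2 }
    '
}

# Succeed if directory $1 is writable by "other" (e.g. /tmp, /var/tmp).
# Column 9 of `ls -ld` is the other-write bit: drwxrwxrwt -> "w".
world_writable_dir() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Succeed if executable path $1 sits anywhere below a world-writable
# directory (walk up, so /tmp/.x/bin/y is caught, not only /tmp/y).
binary_in_world_writable_dir() {
    p=$(dirname "$1")
    while [ -n "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
        if world_writable_dir "$p"; then return 0; fi
        p=$(dirname "$p")
    done
    return 1
}

# Live triage: who listens on the port, and where does its binary live.
# `lsof -d txt -Fn` prints the program text path as an "n" field.
triage_port() {
    port="$1"
    sockstat -46l | listeners_on_port "$port" | while IFS=: read -r pid comm; do
        path=$(lsof -a -p "$pid" -d txt -Fn 2>/dev/null | sed -n 's/^n//p' | head -n 1)
        if [ -n "$path" ] && binary_in_world_writable_dir "$path"; then
            echo "SUSPECT pid=$pid comm=$comm exe=$path (under a world-writable dir)"
        else
            echo "ok      pid=$pid comm=$comm exe=${path:-unknown}"
        fi
    done
}

# Constructed sockstat -46l output: a legitimate ircd on 6667 next to a
# hypothetical second listener on the same port (assumed for the demo).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ircd     ngircd     812   3  tcp4   *:6667                *:*
root     sshd       514   4  tcp4   *:22                  *:*
nobody   httpd      990   17 tcp4   *:80                  *:*
root     x.bin      1337  3  tcp4   *:6667                *:*'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on_port 6667
elif [ -n "${1:-}" ]; then
    triage_port "$1"
fi
```

Run as `sh triage.sh 6667` on the box that produced the report: an IRCd whose binary lives under /usr/local/sbin is reported "ok", which is the expected outcome for the false positive described above, while a listener whose text segment resolves to somewhere under /tmp or /var/tmp is what the bindshell check is really looking for. The path check alone is not proof either way, so pair it with Nikolay's suggestion of stopping the daemon and confirming the port goes away.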