RE: Chkrootkit finds bindshell

From: Keith Bucher (kbucher_at_halomede.com)
Date: 08/23/05

    Date: Tue, 23 Aug 2005 08:29:09 -0700
    To: phil@cryer.us
    
    

    > -------- Original Message --------
    > Subject: Chkrootkit finds bindshell
    > From: "Phil Cryer" <phil@cryer.us>
    > Date: Mon, August 22, 2005 7:58 am
    > To: security-basics@securityfocus.com
    >
    > On:
    >
    > [root@pepe /usr/local/www/data]# uname -a
    > FreeBSD pepe.cryer.us 6.0-CURRENT-SNAP004 FreeBSD 6.0-CURRENT-SNAP004 #0: Thu Jun 2 06:12:51 UTC 2005 root@wv1u.samsco.home:/usr/obj/usr/src/sys/GENERIC i386
    >
    > chkrootkit found:
    > Checking `bindshell'... INFECTED (PORTS: 465)
    >
    > Googling finds that it's often a 'false positive'. What is the consensus from this group? What should be done?
    >
    > P

    The bindshell check for chkrootkit simply checks to see if a specified
    port is listening; it does not determine whether the process listening
    on the port is legitimate or not. Use lsof or a similar utility to
    find what process is listening on port 465 and then determine whether
    it is legitimate or not (I've gotten this false positive from Exim
    listening on port 465 before).

    Keith Bucher
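The check Keith describes, as an added example that is not part of the original thread: a small POSIX shell function that takes the output of `sockstat -4l` (FreeBSD) or `lsof -nP -iTCP -sTCP:LISTEN` and reports which process, PID and user own a listening port that chkrootkit's bindshell test flagged. Both sample outputs below are constructed for illustration (the Exim-on-465 case from the reply and an sshd listener); the function name `listener_for` and the behaviour of accepting either tool's format are this example's own assumptions, not chkrootkit's.

```shell
#!/bin/sh
# Added example: map a port flagged by chkrootkit's bindshell test back to
# the process that actually owns it. Accepts either `sockstat -4l` (FreeBSD)
# or `lsof -nP -iTCP -sTCP:LISTEN` output, detected from the header line.

# Constructed sample of `sockstat -4l` output (not from a real host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mailnull exim       1234  3  tcp4   *:465                 *:*
mailnull exim       1234  4  tcp4   *:25                  *:*
root     sshd       612   3  tcp4   *:22                  *:*'

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not from a real host).
SAMPLE_LSOF='COMMAND  PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
exim    1234 mailnull    3u  IPv4 0x1234      0t0  TCP *:465 (LISTEN)
sshd     612     root    3u  IPv4 0x5678      0t0  TCP *:22 (LISTEN)'

# listener_for PORT [TOOL_OUTPUT]
# Prints "COMMAND PID USER" for every listener bound to PORT.
# Exit status 0 if at least one listener was found, 1 otherwise.
# If TOOL_OUTPUT is omitted, sockstat (then lsof) is run on the local host.
listener_for() {
    port="$1"
    if [ $# -ge 2 ]; then
        input="$2"
    else
        input=$(sockstat -4l 2>/dev/null || lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)
    fi
    printf '%s\n' "$input" | awk -v p="$port" '
        NR == 1 {
            # sockstat headers start with USER, lsof headers with COMMAND
            fmt = ($1 == "USER") ? "sockstat" : "lsof"
            next
        }
        {
            if (fmt == "sockstat") { addr = $6; cmd = $2; pid = $3; user = $1 }
            else                   { addr = $9; cmd = $1; pid = $2; user = $3 }
            lp = addr
            sub(/.*:/, "", lp)        # keep only the port part of host:port
            if (lp == p) { print cmd, pid, user; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Usage on a real host: listener_for 465
# Against the constructed samples:
listener_for 465 "$SAMPLE_SOCKSTAT"
listener_for 465 "$SAMPLE_LSOF"
```

Once the owning process is known, the verdict is a judgement about that process rather than about the port: a mail daemon on 465 is the expected SMTPS listener, whereas an unfamiliar binary or one whose path or package does not check out is what deserves the follow-up.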
