Re: chkrootkit BINDSHELL infected !?

From:
Date: 07/02/02


Date: Tue, 02 Jul 2002 15:11:53 GMT

I don't have nmap on the machine that's getting this message. However, doing
it from a remote machine I'm getting them as closed. What should I do next?

Also, if on the local machine the firewall has blocked these 2 ports then
how could it be of any use to a hacker anyways?

"Nicolas Couture" <nc@stormvault.net> wrote in message
news:DoaU8.22426$w54.629750@weber.videotron.net...
> On Monday 01 July 2002 11:48 pm Jose <joserodriguez@hotmail.com> wrote in
> <Co9U8.8784$FG5.719297@newsread2.prod.itd.earthlink.net>:
>
> > I keep on getting this with one of my servers running chkrootkit:
> >
> > Checking `bindshell'... INFECTED (PORTS: 1524 4369)
> >
> > Now I'd like to confirm whether it's truly infected or not. I've done a
> > nmap to this box and these 2 ports don't seem to be responding at all.
> > However, perhaps I might be doing it wrong. I've tried nmap -sT 1.1.1.1
> > and nmap -sU 1.1.1.1 (suppose 1.1.1.1 is the server's IP address) from
> > another computer and nothing seems to be showing up.
> >
> > Also are there other ways to find out if I'm infected or not?
> >
> > Help?
>
> You should consider trying a nmap -sS -vv -P0 -p 1524,4369 localhost
> as if your firewall is blocking it remotely it'll probably not block it
> on your loop device which is 127.x.x.x.
>
> If these ports are now opened you should then consider mv chkrootkit
> /dev/null.
>
> Nicolas
> --
> PGP Key 0x3C6C07FD available at http://www.keyserver.net/
>
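
A local check that does not need nmap on the flagged machine, as an added example that is not part of either post: it reads the kernel's TCP socket table, which shows listeners regardless of what the firewall blocks remotely. It assumes a Linux host exposing `/proc/net/tcp`; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: list LISTEN-state sockets on given TCP ports from a
# /proc/net/tcp-format table. Function names and sample rows are constructed.

# listeners_on PORTS_CSV [TABLE]  (TABLE defaults to /proc/net/tcp; "-" = stdin)
# Output per match: "<port> <local_addr_hex> <uid> <inode>"
listeners_on() {
    ports_csv=$1
    table=${2:-/proc/net/tcp}
    pairs=""
    old_ifs=$IFS
    IFS=,
    for p in $ports_csv; do
        # The kernel prints ports as 4 uppercase hex digits (1524 -> 05F4).
        pairs="$pairs $(printf '%04X' "$p")=$p"
    done
    IFS=$old_ifs
    awk -v want="$pairs" '
        BEGIN {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++) { split(w[i], kv, "="); dec[kv[1]] = kv[2] }
        }
        # Field 4 is the socket state; 0A is TCP_LISTEN.
        NR > 1 && $4 == "0A" {
            split($2, a, ":")
            if (a[2] in dec) print dec[a[2]], a[1], $8, $10
        }' "$table"
}

# Constructed sample in /proc/net/tcp layout: sshd on *:22, a listener on
# 127.0.0.1:4369, and an ESTABLISHED (01) connection using local port 1524.
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1111 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 2002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:05F4 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 3003 1 0000000000000000 20 4 30 10 -1
EOF
}

# On the live host:      listeners_on 1524,4369
# Against the sample:    sample_table | listeners_on 1524,4369 -
```

The inode in the last column can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the process that owns the listener.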


