
List:       chkrootkit-users
Subject:    [crt-users] chkrootkit bindshell INFECTED?
From:       "Hannu Kotipalo" <hannu.kotipalo () innokasmedical ! fi>
Date:       2003-02-10 8:04:27

Hi!

I got the following from the weekend cron chkrootkit (v 0.36, now updated)
------------------
Searching for suspicious files and dirs, it may take a while... 
/usr/lib/perl5/5.6.0/i386-linux/.packlist /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Digest/MD5/.packlist

Checking `bindshell'... INFECTED (PORTS:  4369)
Checking `sniffer'... 
Checking `z2'... 
--------------------------

I think this is a false positive, really hope I'm right. Same result from the Sat, Sun and Mon
morning crontab entry, but not anymore on a manual run. Should I be worried?
Looks like the bindshell test just greps a port list from netstat output. Doesn't it also
detect local smb connections that happen to be on one of those ports?

System is behind a HW firewall.

Oh, I'm still running portsentry (not much use after we got the HW firewall)
-- 
Hannu Kotipalo
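
The distinction the message asks about, a socket listening on a flagged port versus a connection that merely has that port number as one endpoint, shown as an added example that is not part of the original post and is not chkrootkit's own code. The sample netstat lines and the function names are constructed; only port 4369 comes from the message.

```shell
# Constructed `netstat -an` style lines: an outbound SMB connection whose
# ephemeral local port happens to be 4369, and an inbound ssh session whose
# remote port is 4369. Nothing here listens on 4369.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:4369       192.168.1.20:139        ESTABLISHED
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.30:4369       ESTABLISHED
EOF
}

# naive_hit PORT: count lines where the port number appears anywhere,
# which is what a plain grep over netstat output would report.
naive_hit() {
  grep -c "[.:]$1[^0-9]"
}

# classify_port PORT: read netstat text on stdin and say, per matching line,
# whether the port is really bound locally or is only a connection endpoint.
classify_port() {
  awk -v port="$1" '
    $1 ~ /^(tcp|udp)/ {
      n = split($4, l, ":"); lport = l[n]      # last field handles IPv6 too
      m = split($5, r, ":"); rport = r[m]
      state = (NF >= 6) ? $6 : "-"
      # A bound UDP socket has no state column; treat wildcard peer as listening.
      listening = (state == "LISTEN") || ($1 ~ /^udp/ && rport == "*")
      if (lport == port && listening)
        print "LISTENING " $4
      else if (lport == port)
        print "LOCAL-NON-LISTEN " $4 " -> " $5 " " state
      else if (rport == port)
        print "REMOTE-ONLY " $4 " -> " $5 " " state
    }'
}
```

On a live host the same check is `netstat -an | classify_port 4369`; only a `LISTENING` line means something is accepting connections on that port, and an intermittent hit that disappears on a manual run is consistent with the two non-listening cases.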

