List: chkrootkit-users
Subject: Re: [crt-users] chkrootkit bindshell INFECTED?
From: "Hannu Kotipalo" <hannu.kotipalo () innokasmedical ! fi>
Date: 2003-02-10 14:13:49
On 10 Feb 2003 at 14:44, Raul Saez wrote:
> LOOK rpc.statd
Not running.
On 10 Feb 2003 at 8:16, Mike Burger wrote:
> That depends...do you know what's listening on port 4369? If it's a
> program you installed and in which you are confident, you should be
> fine. But if you don't know what it is, you would do well to be
> concerned.
>
> For example, on one of my systems, I'm running portsentry. Chkrootkit
> comes back telling me that I have infected bindshell ports, but
> because I know that portsentry is running and listening on those ports
> for potential attacks, I know that I'm not actually infected.
>
Well, currently there should not be, and there is nothing, listening on 4369. But during the
weekend, there was :-(
I'm not very good at shell scripts, but it looks like chkrootkit just gets netstat -an and
greps the port numbers from the output. Is it possible that one of these lines
tcp 0 0 192.168.0.1:139 192.168.0.119:1027 ESTABLISHED
has had port number 4369 as a destination address?
This is a samba connection to a windows box. The destination port number seems to be
quite randomized; could it be falsely detected as a bindshell if 4369 (or any port on the
bindshell list) were used?
> On Mon, 10 Feb 2003, Hannu Kotipalo wrote:
>
> > Hi!
> >
> > I got the following from the weekend cron chkrootkit (v 0.36, now updated)
> > ------------------
> > Searching for suspicious files and dirs, it may take a while...
> > /usr/lib/perl5/5.6.0/i386-linux/.packlist
> > /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Digest/MD5/.packlist
> >
> > Checking `bindshell'... INFECTED (PORTS: 4369)
> > Checking `sniffer'...
> > Checking `z2'...
> > --------------------------
> >
> > I think this is a false positive, really hope I'm right. Same result
> > from sat, sun and mon morning crontab entry, but not anymore on
> > manual run. Should I be worried? It looks like the bindshell test just
> > greps a port list from netstat output. Doesn't it also detect local
> > smb connections that happen to be on one of those ports?
> >
> > System is behind a HW firewall.
> >
> > Oh, I'm still running portsentry (not much use after we got the HW
> > firewall)
> >
>
> --
> Mike Burger
> http://www.bubbanfriends.org
>
> Visit the Dog Pound II BBS
> telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000
>
>
--
Hannu Kotipalo
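The false-positive mechanism Hannu describes, as an added example that is not part of the thread and not chkrootkit's own code: it assumes, as the poster suspects, that the bindshell test greps port numbers out of netstat -an, and contrasts that with a check that only counts a port when it is the local side of a LISTEN socket. The netstat sample below is constructed, and only port 4369 from the bindshell list is used.

```python
import re

# Constructed sample of `netstat -an` output (not captured from the poster's
# host): a Samba session whose remote ephemeral port happens to be 4369, plus
# an unrelated Samba session and an sshd listener.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:139         192.168.0.119:4369      ESTABLISHED
tcp        0      0 192.168.0.1:139         192.168.0.119:1027      ESTABLISHED
"""

# Same sample with a socket that really is listening on 4369 (constructed).
SAMPLE_NETSTAT_LISTENING = SAMPLE_NETSTAT + (
    "tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN\n"
)

# Only the port reported in the thread; chkrootkit's full list is not reproduced.
BINDSHELL_PORTS = {4369}


def naive_grep_hits(netstat_text, ports=BINDSHELL_PORTS):
    """Mimic a plain grep over netstat -an: any line containing ':<port>' counts,
    whichever side of the connection the port is on."""
    hits = set()
    for line in netstat_text.splitlines():
        for port in ports:
            if re.search(r":%d\b" % port, line):
                hits.add(port)
    return hits


def listening_hits(netstat_text, ports=BINDSHELL_PORTS):
    """Count a port only when it is the LOCAL side of a LISTEN socket, so a
    peer's randomly chosen source port cannot trigger a hit."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # tcp lines: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, state = fields[3], fields[5]
        if state != "LISTEN":
            continue
        port = int(local.rsplit(":", 1)[1])
        if port in ports:
            hits.add(port)
    return hits
```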