
List:       chkrootkit-users
Subject:    Re: [crt-users] chkrootkit bindshell INFECTED?
From:       "Hannu Kotipalo" <hannu.kotipalo () innokasmedical ! fi>
Date:       2003-02-10 14:13:49

On 10 Feb 2003 at 14:44, Raul Saez wrote:

> LOOK rpc.statd

Not running.

On 10 Feb 2003 at 8:16, Mike Burger wrote:

> That depends...do you know what's listening on port 4369?  If it's a
> program you installed and in which you are confident, you should be
> fine.  But if you don't know what it is, you would do well to be
> concerned.
> 
> For example, on one of my systems, I'm running portsentry.  Chkrootkit
> comes back telling me that I have infected bindshell ports, but
> because I know that portsentry is running and listening on those ports
> for potential attacks, I know that I'm not actually infected.
> 

Well, currently there should not be, and there is nothing listening on 4369. But during the 
weekend, there was :-(

I'm not very good at shell scripts, but it looks like chkrootkit just runs netstat -an and 
greps the port numbers from the output. Is it possible that one of these lines
tcp        0      0 192.168.0.1:139         192.168.0.119:1027      ESTABLISHED 
had port number 4369 as a destination address?

This is a samba connection to a windows box. The destination port number seems to be 
quite randomized; could it be falsely detected as a bindshell if 4369 (or any port in the 
bindshell list) were used?

> On Mon, 10 Feb 2003, Hannu Kotipalo wrote:
> 
> > Hi!
> > 
> >  I got the following from the weekend cron chkrootkit (v 0.36, now updated)
> > ------------------
> > Searching for suspicious files and dirs, it may take a while...
> > /usr/lib/perl5/5.6.0/i386-linux/.packlist
> > /usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/Digest/MD5/.packlist
> > 
> > Checking `bindshell'... INFECTED (PORTS:  4369)
> > Checking `sniffer'... 
> > Checking `z2'... 
> > --------------------------
> > 
> > I think this is a false positive, really hope I'm right. Same result
> > from the Sat, Sun and Mon morning crontab entry, but not any more on a
> > manual run. Should I be worried? Looks like the bindshell test just
> > greps a port list from the netstat output. Doesn't it also detect local
> > smb connections that happen to be on one of those ports?
> > 
> > System is behind a HW firewall.
> > 
> > Oh, I'm still running portsentry (not much use after we got the HW
> > firewall)
> > 
> 
> -- 
> Mike Burger
> http://www.bubbanfriends.org
> 
> Visit the Dog Pound II BBS
> telnet://dogpound2.citadel.org or http://dogpound2.citadel.org:2000
> 
> 


-- 
Hannu Kotipalo
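Added example (not part of the thread, and not chkrootkit's own code): the false-positive mechanism Hannu suspects can be reproduced offline by running two checks over a constructed netstat -an sample. The first check grep-matches ":<port>" anywhere in a line, the way a simple shell pipeline would, so an ESTABLISHED Samba connection whose remote ephemeral port happens to be 4369 is flagged. The second check only counts TCP sockets in LISTEN state whose local port is in the list, which is what a real bindshell would look like. The port list below is a constructed sample that contains 4369 (the port named in the thread) plus placeholder values; it is not chkrootkit's actual table.

```python
import re

# Constructed sample port list for the demonstration. 4369 is the port from the
# thread; the other values are placeholders, not chkrootkit's real bindshell table.
BINDSHELL_PORTS = {4369, 31337, 1524}

# Constructed netstat -an output in the Linux format of the era. The ESTABLISHED
# line models the Samba session Hannu describes, with the client's ephemeral
# port coincidentally equal to 4369. The 31337 LISTEN line models a real
# listener on a listed port, so the strict check still has something to catch.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:139         192.168.0.119:4369      ESTABLISHED
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:137             0.0.0.0:*
"""


def naive_check(netstat_output, ports=BINDSHELL_PORTS):
    """Grep-style check: flag a port if ':<port>' appears anywhere on a line,
    regardless of whether it is the local or the foreign address."""
    hits = set()
    for line in netstat_output.splitlines():
        for port in ports:
            if re.search(r":%d\b" % port, line):
                hits.add(port)
    return hits


def strict_check(netstat_output, ports=BINDSHELL_PORTS):
    """Only count TCP sockets in LISTEN state whose *local* port is listed.
    Remote ports of outbound or accepted connections are ignored."""
    hits = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Header lines and UDP entries (no state column) are skipped.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_addr, state = fields[3], fields[5]
        if state != "LISTEN":
            continue
        port = int(local_addr.rsplit(":", 1)[1])
        if port in ports:
            hits.add(port)
    return hits


def false_positives(netstat_output, ports=BINDSHELL_PORTS):
    """Ports the grep-style check reports that are not actually local listeners."""
    return naive_check(netstat_output, ports) - strict_check(netstat_output, ports)


if __name__ == "__main__":
    print("naive :", sorted(naive_check(SAMPLE_NETSTAT)))
    print("strict:", sorted(strict_check(SAMPLE_NETSTAT)))
    print("false positives:", sorted(false_positives(SAMPLE_NETSTAT)))
```

On the sample, the naive check reports 4369 and 31337 while the strict check reports only 31337, so 4369 is exactly the kind of transient hit a cron run can catch and a later manual run cannot. When a cron-time alert like this appears, the useful follow-up is to capture `netstat -anp` (or `ss -ltnp` on current systems) from the same cron job, so that the owning process of any LISTEN socket is recorded at the moment of the hit rather than reconstructed afterwards.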


