[prev in list] [next in list] [prev in thread] [next in thread] 

List:       chkrootkit-users
Subject:    [crt-users] infected port ???
From:       Matías_López_Bergero <mlopezb () udesa ! edu ! ar>
Date:       2004-11-29 15:43:01
Message-ID: 41AB4385.5090409 () udesa ! edu ! ar
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, I started seeing this message on Saturday.

INFECTED (PORTS:  600)

I run ./chkrootkit -q on RedHat 3ES, Linux 2.4.21 box.
I can see the port 600 with netstat,

# netstat -nap | grep 600
tcp        0      0 0.0.0.0:600             0.0.0.0:*
LISTEN      3812/rpc.rquotad
# ls -l /proc/3812/ | grep exe
lrwxrwxrwx    1 root     root            0 Nov 29 12:40 exe ->
/usr/sbin/rpc.rquotad*
# rpm -qf /usr/sbin/rpc.rquotad
quota-3.09-1
# rpm -V quota-3.09-1
#

No output on rpm -V query.

Could this be a false positive?

BR,
Matías

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBq0OFRB0HKLRQp/gRAtZjAJ4jCOJDRFg0IGXZOGbFhwJa4f/xawCfS+6H
K2bx4Ecdy3TTnMwFkljk7NI=
=c2zO
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]