Re: chkrootkit: Checking `bindshell'... INFECTED (PORTS: 600)

From: Pigeon (jah.pigeon_at_ukonline.co.uk)
Date: 03/21/05

    Date: Mon, 21 Mar 2005 18:38:09 +0000
    To: debian-user@lists.debian.org
    
    
    

    On Sat, Mar 19, 2005 at 11:37:43PM +0100, Vincent Lefevre wrote:
    > On 2005-03-19 18:31:03 +0100, Matthijs wrote:
    > > On Sat, 19 Mar 2005 13:30:16 +0100, Vincent Lefevre
    > > <vincent@vinc17.org> wrote:
    > > > COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    > > > rpc.statd 1696 root 5u IPv4 1909 UDP *:600
    > >
    > > On my system:
    > > COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    > > mlnet 2065 mldonkey 27u IPv4 4827 TCP *:4000 (LISTEN)
    > >
    > > ... yes, I've got mldonkey running, might be on port 4000, but what's
    > > that got to do with bindshell? Should I worry?
    >
    > In my case, I don't even know why rpc.statd listens on port 600.

    Nor do I, but I do know that chkrootkit often gives false positives
    for bindshell. It does on one of my systems due to portsentry. Try
    cross-checking with rkhunter.

    -- 
    Pigeon
    Be kind to pigeons
    Get my GPG key here: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x21C61F7F
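
Checking which process owns a port that the bindshell test flagged, as an added example that is not part of the original message. `port_owners` and `sample_lsof` are hypothetical names; the first two sample rows are the lsof lines quoted in the thread, and the last two are constructed.

```shell
#!/bin/sh
# Added example: map flagged ports to the processes listening on them.
# Live use (run as root to see every user's sockets):
#   lsof -i -n -P | port_owners 600,4000

# port_owners PORTS: reads `lsof -i -n -P` output on stdin.
# PORTS is a comma-separated list. Prints: PORT PROTO COMMAND PID USER
port_owners() {
    awk -v ports="$1" '
    BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    $1 == "COMMAND" { next }                  # skip the header row
    {
        # The protocol column moves: older lsof leaves SIZE blank for
        # sockets, newer lsof prints 0t0 there, so search for it.
        proto = ""
        for (i = 5; i < NF; i++)
            if ($i == "TCP" || $i == "UDP") {
                proto = $i; name = $(i + 1); state = $(i + 2); break
            }
        if (proto == "") next
        if (index(name, "->")) next           # connected socket, not a listener
        if (proto == "TCP" && state != "(LISTEN)") next
        port = name; sub(/.*:/, "", port)     # keep the text after the last colon
        if (port in want) print port, proto, $1, $2, $3
    }'
}

# Constructed sample input (see the note above for which rows are quoted).
sample_lsof() {
cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.statd 1696 root 5u IPv4 1909 UDP *:600
mlnet 2065 mldonkey 27u IPv4 4827 TCP *:4000 (LISTEN)
sshd 811 root 3u IPv4 5120 0t0 TCP *:22 (LISTEN)
ssh 3021 alice 3u IPv4 9911 0t0 TCP 192.0.2.10:4000->192.0.2.20:22 (ESTABLISHED)
EOF
}

sample_lsof | port_owners 600,4000
```

A flagged port owned by a daemon you installed yourself (rpc.statd, mlnet or portsentry in this thread) points to a false positive; a listener with an unfamiliar command or user is the case to investigate further.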
    
    
