
Re: chkrootkit - possible bad news



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 24 Feb 2004 14:32:26 +0100,
 Greg <greg@meatplow.com> wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
>
> I am not sure how to interpret this.  I have checked logs, as well as binary
> checks and everything "seems" fine.  Can someone help me interpret the logs?
> I will attach them at the tail of the email in case they may be helpful.
>
>
> I don't know what my next step would be.  If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.


Are you running portsentry? If you are, shut it off, and rerun
chkrootkit.

If not, nmap the box from outside, and see if there is something
listening on those ports. If there is, but netstat shows nothing there,
then you've probably been cracked, and you know what to do.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAO6aUd90bcYOAWPYRAquCAKDfxWteagmgU8Qi4qDoY7TrMsPvPwCfQ8oA
vfluFUl7UE5kvbbeT6XCVYU=
=lM19
-----END PGP SIGNATURE-----

-- 
Jim Richardson     http://www.eskimo.com/~warlock
Life imitates art, but does it have to imitate satire?
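
The comparison suggested in the reply above, as an added example that is not part of the original message: it sets the host's own listener table against what an outside scan reports for the two ports chkrootkit flagged. The sample data, function names and verdict labels are constructed for illustration; on a real host the inputs would be /proc/net/tcp (or netstat output) and a scan run from another machine.

```python
import re

FLAGGED = (1524, 31337)  # ports from the chkrootkit bindshell line above

# Constructed sample in /proc/net/tcp format (columns after "st" trimmed).
# Addresses are little-endian hex, ports are hex: 05F4 = 1524, 0016 = 22.
# State 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:05F4 00000000:0000 0A
   1: 00000000:0016 00000000:0000 0A
   2: 050200C0:0016 630200C0:C350 01
"""

# Constructed sample of one `nmap -oG -` result line taken from an outside host.
SAMPLE_NMAP_GREPABLE = (
    "Host: 192.0.2.5 ()\tPorts: 22/open/tcp//ssh///, "
    "1524/open/tcp//ingreslock///, 31337/open/tcp//Elite///"
)

def local_listeners(proc_net_tcp_text):
    """Ports the host itself admits to listening on (works for tcp and tcp6)."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def external_open(nmap_grepable_text):
    """TCP ports an outside scan saw as open."""
    return {int(p) for p in re.findall(r"(\d+)/open/tcp", nmap_grepable_text)}

def classify(flagged, local, external):
    verdicts = {}
    for port in flagged:
        if port in external and port not in local:
            # Reachable from outside but absent locally: the mismatch
            # the reply describes.
            verdicts[port] = "hidden-listener"
        elif port in local:
            # Visible locally: find the owning process (portsentry or not).
            verdicts[port] = "visible-listener"
        else:
            verdicts[port] = "closed"
    return verdicts

if __name__ == "__main__":
    result = classify(FLAGGED, local_listeners(SAMPLE_PROC_NET_TCP),
                      external_open(SAMPLE_NMAP_GREPABLE))
    for port, verdict in sorted(result.items()):
        print(port, verdict)
```

A port forward or firewall in front of the host can also make the two views disagree, so a "hidden-listener" verdict should be confirmed against the network path before it is treated as proof.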


