Chkrootkit and results
Hello everyone,
today I ran chkrootkit on my little home server (sarge) and ended up with this result:
Checking `bindshell'... INFECTED (PORTS: 4000)
Nmap tells me these ports are open:
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
139/tcp open netbios-ssn
445/tcp open microsoft-ds
601/tcp open unknown
604/tcp open unknown
901/tcp open samba-swat
1214/tcp open fasttrack
2000/tcp open callbook
2049/tcp open nfs
4000/tcp open remoteanything
6346/tcp open gnutella
9999/tcp open abyss
While according to ps ax these processes are running:
1 ? S 0:04 init [2]
2 ? SN 0:00 [ksoftirqd/0]
3 ? S< 0:00 [events/0]
4 ? S< 0:00 [khelper]
21 ? S< 1:28 [kblockd/0]
45 ? S< 0:00 [aio/0]
44 ? S 12:21 [kswapd0]
187 ? S 0:00 [kseriod]
293 ? D< 0:21 [reiserfs/0]
764 ? S 0:00 [khubd]
1449 ? Ss 0:00 /sbin/portmap
1603 ? Ss 0:15 /sbin/syslogd
1606 ? Ss 0:00 /sbin/klogd
1659 ? Ss 0:00 /usr/sbin/inetd
1691 ? Ss 0:00 /sbin/rpc.statd
1694 ? Ss 30:16 /usr/sbin/rpc.nfsd
1696 ? S 0:03 /usr/sbin/rpc.mountd
1699 ? Ss 0:00 /usr/sbin/atd
1702 ? Ss 0:02 /usr/sbin/cron
1759 tty1 Ss+ 0:00 /sbin/getty 38400 tty1
1765 tty2 Ss+ 0:00 /sbin/getty 38400 tty2
1766 tty3 Ss+ 0:00 /sbin/getty 38400 tty3
1767 tty4 Ss+ 0:00 /sbin/getty 38400 tty4
1768 tty5 Ss+ 0:00 /sbin/getty 38400 tty5
1814 tty6 Ss+ 0:00 /sbin/getty 38400 tty6
2818 ? Ss 0:00 /usr/sbin/sshd
5153 ? Ss 0:00 /usr/bin/freepopsd -n -b 192.168.0.1
578 ? D 242:44 ./mlnet
579 ? S 0:02 ./mlnet
580 ? SN 0:01 ./mlnet
1213 ? SN 4:51 ./mlnet
19771 ? Ss 0:26 /usr/sbin/nmbd -D
19772 ? Ss 0:00 /usr/sbin/smbd -D
19773 ? S 0:00 /usr/sbin/smbd -D
28391 ? Ss 6:24 /usr/bin/python2.3 /usr/bin/twistd --pidfile=/var/run/apt-proxy//apt-proxy.pid --rundir=/var/run/apt-proxy/ --python=/usr/sbin/apt
10985 ? Ss 0:00 sshd: andrea [priv]
10988 ? S 0:01 sshd: andrea@pts/1
10989 pts/1 Ss 0:00 -bash
11889 ? Ss 0:00 /usr/sbin/dhcpd3 -q eth1
11960 ? Ss 0:00 SCREEN -S job1
11961 pts/2 Ss 0:00 /bin/bash
11973 pts/2 S+ 14:30 amuled
12324 pts/1 S 0:00 bash
14768 ? D 0:00 [pdflush]
14773 ? S 0:00 [pdflush]
14780 pts/1 R+ 0:00 ps ax
The little server runs apt-proxy, samba, nfs, mldonkey, amuled, ssh, freepopsd, dhcpd.
Is it a false positive, or do I have to reformat the whole thing?
Thanks and bye
InSa
--
++ Powered by Sid ++
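Added example, not code from the original post and not chkrootkit's own code: chkrootkit's `bindshell` test only reports that a port from its built-in list has a listener, it does not say which process owns it, so the first check before anything drastic is to attribute each flagged port to a process with `ss -ltnp` (or `netstat -tlnp` on a system as old as sarge). The script parses a chkrootkit line in the post's format and a constructed `ss -ltnp` sample in which port 4000 belongs to an `mlnet` process; the second flagged port and all sample PIDs are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. All inputs are constructed.

# A chkrootkit result line in the format shown in the post (constructed;
# a second port is included to show a port with no visible listener).
CHKROOTKIT_LINE="Checking \`bindshell'... INFECTED (PORTS: 4000 9999)"

# Constructed sample of 'ss -ltnp' output on the box under investigation.
SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*  users:(("sshd",pid=2818,fd=3))
LISTEN 0      5      0.0.0.0:4000      0.0.0.0:*  users:(("mlnet",pid=578,fd=12))
LISTEN 0      50     0.0.0.0:139       0.0.0.0:*  users:(("smbd",pid=19772,fd=30))'

# Extract the space-separated port list from a chkrootkit bindshell line.
flagged_ports() {
    printf '%s\n' "$1" | sed -n 's/.*PORTS: *\([0-9][0-9 ]*\)).*/\1/p'
}

# Print "<name> pid=<pid>" for the process holding a TCP listener on port $1,
# or nothing if no LISTEN socket on that port appears in SS_OUTPUT.
owner_of_port() {
    printf '%s\n' "$SS_OUTPUT" | awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)   # users:(("mlnet",pid=578
                sub(/^users:\(\("/, "", s)       # mlnet",pid=578
                sub(/",/, " ", s)                # mlnet pid=578
                print s
            }
        }'
}

# One line per flagged port: its owner, or a note that nothing is listening.
audit_flagged_ports() {
    for p in $(flagged_ports "$1"); do
        owner=$(owner_of_port "$p")
        if [ -n "$owner" ]; then
            printf 'port %s: %s\n' "$p" "$owner"
        else
            printf 'port %s: no LISTEN socket visible to ss\n' "$p"
        fi
    done
}

audit_flagged_ports "$CHKROOTKIT_LINE"
```

A flagged port that resolves to a service you installed yourself (MLDonkey's telnet interface listens on 4000 by default) is the false-positive pattern; a port that chkrootkit reports open but that no userland tool shows a listener for is the one to investigate further, since that discrepancy is what a hidden socket looks like.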