Chkrootkit e risultati

To: Debian Italia <debian-italian@lists.debian.org>
Subject: Chkrootkit e risultati
From: InSa <REMOVEinsa_hc@yahoo.it>
Date: Tue, 21 Jun 2005 15:29:02 +0200
Message-id: <[🔎] 20050621152902.356204c3.REMOVEinsa_hc@yahoo.it>

Salve a tutti,

sul mio serverino casalingo (sarge) oggi ho eseguito chkrootkit e mi son
ritrovato con questo risultato:

Checking `bindshell'... INFECTED (PORTS:  4000)

Nmap mi dice che sono aperte queste porte:
22/tcp   open  ssh
111/tcp  open  rpcbind
113/tcp  open  auth
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
601/tcp  open  unknown
604/tcp  open  unknown
901/tcp  open  samba-swat
1214/tcp open  fasttrack
2000/tcp open  callbook
2049/tcp open  nfs
4000/tcp open  remoteanything
6346/tcp open  gnutella
9999/tcp open  abyss

Mentre per ps ax girano questi processi:
    1 ?        S      0:04 init [2]
    2 ?        SN     0:00 [ksoftirqd/0]
    3 ?        S<     0:00 [events/0]
    4 ?        S<     0:00 [khelper]
   21 ?        S<     1:28 [kblockd/0]
   45 ?        S<     0:00 [aio/0]
   44 ?        S     12:21 [kswapd0]
  187 ?        S      0:00 [kseriod]
  293 ?        D<     0:21 [reiserfs/0]
  764 ?        S      0:00 [khubd]
 1449 ?        Ss     0:00 /sbin/portmap
 1603 ?        Ss     0:15 /sbin/syslogd
 1606 ?        Ss     0:00 /sbin/klogd
 1659 ?        Ss     0:00 /usr/sbin/inetd
 1691 ?        Ss     0:00 /sbin/rpc.statd
 1694 ?        Ss    30:16 /usr/sbin/rpc.nfsd
 1696 ?        S      0:03 /usr/sbin/rpc.mountd
 1699 ?        Ss     0:00 /usr/sbin/atd
 1702 ?        Ss     0:02 /usr/sbin/cron
 1759 tty1     Ss+    0:00 /sbin/getty 38400 tty1
 1765 tty2     Ss+    0:00 /sbin/getty 38400 tty2
 1766 tty3     Ss+    0:00 /sbin/getty 38400 tty3
 1767 tty4     Ss+    0:00 /sbin/getty 38400 tty4
 1768 tty5     Ss+    0:00 /sbin/getty 38400 tty5
 1814 tty6     Ss+    0:00 /sbin/getty 38400 tty6
 2818 ?        Ss     0:00 /usr/sbin/sshd
 5153 ?        Ss     0:00 /usr/bin/freepopsd -n -b 192.168.0.1
  578 ?        D    242:44 ./mlnet
  579 ?        S      0:02 ./mlnet
  580 ?        SN     0:01 ./mlnet
 1213 ?        SN     4:51 ./mlnet
19771 ?        Ss     0:26 /usr/sbin/nmbd -D
19772 ?        Ss     0:00 /usr/sbin/smbd -D
19773 ?        S      0:00 /usr/sbin/smbd -D
28391 ?        Ss     6:24 /usr/bin/python2.3 /usr/bin/twistd
--pidfile=/var/run/apt-proxy//apt-proxy.pid --rundir=/var/run/apt-proxy/
--python=/usr/sbin/apt10985 ?        Ss     0:00 sshd: andrea [priv]
10988 ?        S      0:01 sshd: andrea@pts/1 10989 pts/1    Ss     0:00
-bash 11889 ?        Ss     0:00 /usr/sbin/dhcpd3 -q eth1
11960 ?        Ss     0:00 SCREEN -S job1
11961 pts/2    Ss     0:00 /bin/bash
11973 pts/2    S+    14:30 amuled
12324 pts/1    S      0:00 bash
14768 ?        D      0:00 [pdflush]
14773 ?        S      0:00 [pdflush]
14780 pts/1    R+     0:00 ps ax

Sul serverino girano apt-proxy, samba, nfs, mldonkey, amuled, ssh,
freepopsd, dhcpd.

È un falso positivo o devo formattare tutto?

Grazie e ciao
InSa

-- 
++ Powered by Sid ++





___________________________________
Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB
http://mail.yahoo.it

Reply to:

Follow-Ups:
- Re: Chkrootkit e risultati
  - From: pipex_0604@users.gamebox.net
- Re: Chkrootkit e risultati
  - From: Marco Valli <marco@bastardi.net>
- Re: Chkrootkit e risultati
  - From: Ottavio Campana <ottavio@campana.vi.it>

Prev by Date: Re: apt come utente
Next by Date: Re: Chkrootkit e risultati
Previous by thread: Re: apt come utente
Next by thread: Re: Chkrootkit e risultati
Index(es):
- Date
- Thread