Bug#420621: marked as done (mldonkey-server: Does not report usage of port 4000 correctly (chkrootkit related))

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Fri, 27 Apr 2007 12:03:01 +0200
with message-id <4631CA55.6030908@ens-lyon.org>
and subject line Bug#420621: mldonkey-server: Does not report usage of port 4000 correctly (chkrootkit related)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: mldonkey-server: Does not report usage of port 4000 correctly (chkrootkit related)
• From: Didier Raboud <didier@raboud.com>
• Date: Mon, 23 Apr 2007 17:23:53 +0200
• Message-id: <[🔎] 20070423152353.21077.4454.reportbug@localhost.localdomain>

Package: mldonkey-server
Version: 2.8.1-2etch1
Severity: normal

Hi, 

it seems that Mldonkey does not report the use of port 4000 (telnet)
correctly, because chkrootkit reports it as "INFECTED", which should not
happen for a program in Debian, no?

Here is the report given by chkrootkit:
----------

>From root@localhost.localdomain Mon Apr 23 07:08:56 2007
Envelope-to: root@localhost.localdomain
Delivery-date: Mon, 23 Apr 2007 07:08:56 +0200
From: root@localhost.localdomain (Cron Daemon)
To: root@localhost.localdomain
Subject: Cron <root@Papageno> test -x /usr/sbin/anacron || ( cd / &&
run-parts --report /etc/cron.daily )
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env:
<PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Date: Mon, 23 Apr 2007 07:08:56 +0200

/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
(...)
INFECTED (PORTS:  4000)
--------

And this is result of nmap
--------
$ nmap localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-23 17:21
CEST
Interesting ports on Papageno (127.0.0.1):
Not shown: 1669 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
113/tcp   open  auth
443/tcp   open  https
4000/tcp  open  remoteanything
6881/tcp  open  bittorent-tracker
9999/tcp  open  abyss
31416/tcp open  boinc-client

Nmap finished: 1 IP address (1 host up) scanned in 0.225 seconds
----------

I will be happy to provide any help and logs needed. 

Regards, 

Didier


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)

Versions of packages mldonkey-server depends on:
ii  adduser                   3.102          Add and remove users and groups
ii  debconf [debconf-2.0]     1.5.11         Debian configuration management sy
ii  dpkg                      1.13.25        package maintenance system for Deb
ii  libbz2-1.0                1.0.3-6        high-quality block-sorting file co
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libgcc1                   1:4.1.1-21     GCC support library
ii  libgd2-noxpm              2.0.33-5.2     GD Graphics Library version 2 (wit
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libstdc++6                4.1.1-21       The GNU Standard C++ Library v3
ii  mime-support              3.39-1         MIME files 'mime.types' & 'mailcap
ii  ucf                       2.0020         Update Configuration File: preserv
ii  zlib1g                    1:1.2.3-13     compression library - runtime

mldonkey-server recommends no packages.

-- debconf information:
* mldonkey-server/max_hard_download_rate: 0
* mldonkey-server/launch_at_startup: true
  mldonkey-server/max_alive: 48
  mldonkey-server/run_as_user: mldonkey
  mldonkey-server/reown_file: false
  mldonkey-server/mldonkey_group: mldonkey
  mldonkey-server/mldonkey_niceness: 0
  mldonkey-server/false_password:
  mldonkey-server/fasttrack_problem:
* mldonkey-server/mldonkey_dir: /var/lib/mldonkey
  mldonkey-server/mldonkey_move: false
* mldonkey-server/max_hard_upload_rate: 0

--- End Message ---

--- Begin Message ---

• To: Didier Raboud <didier@raboud.com>, 420621-done@bugs.debian.org
• Subject: Re: Bug#420621: mldonkey-server: Does not report usage of port 4000 correctly (chkrootkit related)
• From: Samuel Mimram <samuel.mimram@ens-lyon.org>
• Date: Fri, 27 Apr 2007 12:03:01 +0200
• Message-id: <4631CA55.6030908@ens-lyon.org>
• In-reply-to: <[🔎] 20070423152353.21077.4454.reportbug@localhost.localdomain>
• References: <[🔎] 20070423152353.21077.4454.reportbug@localhost.localdomain>

Hi,

Didier Raboud wrote:
> it seems that Mldonkey does not report the use of port 4000 (telnet)
> correctly, because chkrootkit reports it as "INFECTED", which should not
> happen for a program in Debian, no?

Apparently, chkrootkit has a list of ports possibly used by rootkits and
that's all. Quoting /usr/share/doc/chkrootkit/README.FALSE-POSITIVES:

"the well known port issue also comes up frequently.  the problem is
that many well known ports are also used by rootkits (to get around
firewalls and as camouflage).  chkrootkit doesn't currently do any
additional checking when it finds a process listening on a port that's
known to have been used for a rootkit."

So the behavior you mention doesn't seem to be a bug in mldonkey. I'm
closing the bug.

Cheers,

Samuel.

--- End Message ---