--- Begin Message ---
Package: mldonkey-server
Version: 2.8.1-2etch1
Severity: normal
Hi,
it seems that Mldonkey does not report the use of port 4000 (telnet)
correctly, because chkrootkit reports it as "INFECTED", which should not
happen for a program in Debian, no?
Here is the report given by chkrootkit:
----------
From root@localhost.localdomain Mon Apr 23 07:08:56 2007
Envelope-to: root@localhost.localdomain
Delivery-date: Mon, 23 Apr 2007 07:08:56 +0200
From: root@localhost.localdomain (Cron Daemon)
To: root@localhost.localdomain
Subject: Cron <root@Papageno> test -x /usr/sbin/anacron || ( cd / &&
run-parts --report /etc/cron.daily )
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env:
<PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <LOGNAME=root>
Date: Mon, 23 Apr 2007 07:08:56 +0200
/etc/cron.daily/chkrootkit:
The following suspicious files and directories were found:
(...)
INFECTED (PORTS: 4000)
--------
And this is the result of nmap:
--------
$ nmap localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-04-23 17:21
CEST
Interesting ports on Papageno (127.0.0.1):
Not shown: 1669 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
113/tcp open auth
443/tcp open https
4000/tcp open remoteanything
6881/tcp open bittorent-tracker
9999/tcp open abyss
31416/tcp open boinc-client
Nmap finished: 1 IP address (1 host up) scanned in 0.225 seconds
----------
I will be happy to provide any help and logs needed.
Regards,
Didier
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=fr_CH.UTF-8, LC_CTYPE=fr_CH.UTF-8 (charmap=UTF-8)
Versions of packages mldonkey-server depends on:
ii adduser 3.102 Add and remove users and groups
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii dpkg 1.13.25 package maintenance system for Deb
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libgcc1 1:4.1.1-21 GCC support library
ii libgd2-noxpm 2.0.33-5.2 GD Graphics Library version 2 (wit
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii mime-support 3.39-1 MIME files 'mime.types' & 'mailcap
ii ucf 2.0020 Update Configuration File: preserv
ii zlib1g 1:1.2.3-13 compression library - runtime
mldonkey-server recommends no packages.
-- debconf information:
* mldonkey-server/max_hard_download_rate: 0
* mldonkey-server/launch_at_startup: true
mldonkey-server/max_alive: 48
mldonkey-server/run_as_user: mldonkey
mldonkey-server/reown_file: false
mldonkey-server/mldonkey_group: mldonkey
mldonkey-server/mldonkey_niceness: 0
mldonkey-server/false_password:
mldonkey-server/fasttrack_problem:
* mldonkey-server/mldonkey_dir: /var/lib/mldonkey
mldonkey-server/mldonkey_move: false
* mldonkey-server/max_hard_upload_rate: 0
--- End Message ---
--- Begin Message ---
Hi,
Didier Raboud wrote:
> it seems that Mldonkey does not report the use of port 4000 (telnet)
> correctly, because chkrootkit reports it as "INFECTED", which should not
> happen for a program in Debian, no?
Apparently, chkrootkit has a list of ports possibly used by rootkits and
that's all. Quoting /usr/share/doc/chkrootkit/README.FALSE-POSITIVES:
"the well known port issue also comes up frequently. the problem is
that many well known ports are also used by rootkits (to get around
firewalls and as camouflage). chkrootkit doesn't currently do any
additional checking when it finds a process listening on a port that's
known to have been used for a rootkit."
So the behavior you mention doesn't seem to be a bug in mldonkey. I'm
closing the bug.
Cheers,
Samuel.
--- End Message ---
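The README quoted in the reply says chkrootkit does no additional checking once it finds a listener on a listed port. The following added example (not part of this thread and not chkrootkit's code) sketches that follow-up check on Linux: find the LISTEN socket for the flagged port in /proc/net/tcp, then map its inode to the owning process. The function names, the sample table and its uid/inode values are constructed for illustration, and a little-endian host is assumed.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from the report):
# two LISTEN sockets (st=0A) and one ESTABLISHED connection (st=01).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0FA0 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 15230 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9812 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0FA0 0100007F:C350 01 00000000:00000000 00:00000000 00000000   106        0 15999 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A


def listeners(table, port):
    """Return (ip, uid, inode) for every LISTEN socket bound to `port`."""
    found = []
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        hex_ip, hex_port = f[1].split(":")
        if int(f[3], 16) != TCP_LISTEN or int(hex_port, 16) != port:
            continue
        # Address is a 32-bit word in host byte order (little-endian assumed).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(f[7]), int(f[9])))
    return found


def owners(inode, proc_root="/proc"):
    """Return (pid, exe) pairs holding socket `inode` (run as root to see all)."""
    target = "socket:[%d]" % inode
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    exe = os.readlink(os.path.join(proc_root, pid, "exe"))
                    hits.append((int(pid), exe))
                    break
        except OSError:
            continue  # process exited or permission denied
    return hits
```

On a live system, pass the contents of /proc/net/tcp and the flagged port to `listeners()`, then each returned inode to `owners()`; a listener whose executable belongs to an installed package such as mldonkey-server points to the false positive described above.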