
Re: chkrootkit - possible bad news`



31337 - are you running portsentry on that machine?

Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false positive on
the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp,
27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp,
47889/tcp, 60001/tcp).


----- Original Message ----- 
From: "Greg" <greg@meatplow.com>
To: <debian-security@lists.debian.org>
Sent: Tuesday, February 24, 2004 8:53 AM
Subject: chkrootkit - possible bad news`


> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
>
> I am not sure how to interpret this.  I have checked logs, as well as
> binary checks, and everything "seems" fine.  Can someone help me interpret
> the logs?  I will attach them at the tail of the email in case they may be
> helpful.
>
>
> I don't know what my next step would be.  If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW
>
> #################
>  #chkrootkit
>
> alpha:~# chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not found
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `killall'... not found
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not found
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not found
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `write'... not infected
> Checking `aliens'...
> /dev/st- /dev/sto
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while... nothing found
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'...   eth0 is not promisc
> Checking `wted'... nothing deleted
> Checking `z2'...
> nothing deleted
>
>
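One way to settle the question on the box itself, as an added example that is not from either poster: cross-reference chkrootkit's bindshell port list (the one quoted from chkrootkit.org above) against `netstat -tlnp` output and name the process bound to each flagged port. The netstat sample embedded below is constructed to mimic a host running PortSentry on 1524 and 31337; the function and variable names are assumptions of this example, and the column layout assumed is net-tools `netstat -tlnp` (the newer `ss -tlnp` prints different columns). The caveat that matters: a flagged port that netstat does not show as listening at all points to a hidden socket or a replaced netstat, which is the real bad news, so on a suspect machine run this from a known-clean binary or boot medium.

```shell
#!/bin/sh
# Cross-reference chkrootkit's bindshell port list against netstat-style
# listener output and name the process bound to each flagged port.
# Added example; port list taken from the chkrootkit.org FAQ quoted above.

BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed sample of `netstat -tlnp` output for a host running PortSentry
# on 1524 and 31337 (the two ports chkrootkit reported as INFECTED).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      588/portsentry
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      588/portsentry
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      633/exim'

# bindshell_owners: read netstat -tlnp style lines on stdin and print
# "PORT PID/PROGRAM" for every LISTEN socket on a bindshell port.
# Works for tcp and tcp6 rows; the port is whatever follows the last colon.
bindshell_owners() {
    awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # strip address, keep port
            if (port in want) print port, $7
        }'
}

# unexplained_ports: $1 is the space separated list chkrootkit printed after
# "INFECTED (PORTS:", stdin is netstat -tlnp output. Prints each flagged port
# that no visible listener accounts for; an empty result means every port
# chkrootkit flagged is owned by a process you can see and identify.
unexplained_ports() {
    owners=$(bindshell_owners)
    for port in $1; do
        echo "$owners" | awk -v port="$port" '$1 == port { found = 1 } END { exit !found }' \
            || echo "$port"
    done
}

# Usage with the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | bindshell_owners
# 1524 588/portsentry
# 31337 588/portsentry
printf '%s\n' "$SAMPLE_NETSTAT" | unexplained_ports "1524 31337"
# (prints nothing: both flagged ports are explained by portsentry)
```

On a real host replace the sample with `netstat -tlnp | bindshell_owners`; if a port appears in chkrootkit's report but not in this output, treat the netstat binary and the kernel as suspect rather than the test.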
