
Re: INFECTED (PORTS: 600)



Michael Loftis wrote:
>
>
> --On May 18, 2006 9:17:09 AM -0400 Morgan Walker <jmw@M-CAM.COM> wrote:
>
>>
>>
>> Hey guys,
>>
>>
>>
>> Just new to this mailing list, hope you guys can help me out. I was
>> testing out the chkrootkit package on one of my Debian boxes. After
>> running 'chkrootkit --q' I received the following output:
>
> Use lsof and ps to find out who's running that proc and where from. If
> root isn't running it then someone has a hacked binary that's trying
> to hide, if root is, and lsof indicates it's not /sbin/rpc.statd then
> you're owned. It's kind of unusual for statd to show up on such a low
> port but not totally unheard of.


Indeed, root has to be running it. It looks like a privileged port to me.

Vincent Deffontaines
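
The lsof/ps check suggested in this thread, written out as an added example that is not part of the original messages. The function names and the sample lsof record are constructed for illustration, and the script assumes a Linux host with /proc and lsof run as root.

```shell
#!/bin/sh
# Path the thread names as the legitimate binary; adjust if your distro
# resolves it elsewhere (assumption: some systems use /usr/sbin).
EXPECTED_EXE="${EXPECTED_EXE:-/sbin/rpc.statd}"

# Constructed sample of `lsof -nP -i :600 -F pcL` field output.
SAMPLE_LSOF='p2143
crpc.statd
Lroot
f7'

# Parse lsof -F field output on stdin; print one "pid user command" per process.
parse_lsof_fields() {
    awk '
        function emit() { if (pid != "") print pid, user, cmd }
        /^p/ { emit(); pid = substr($0, 2); user = ""; cmd = "" }
        /^c/ { cmd  = substr($0, 2) }
        /^L/ { user = substr($0, 2) }
        END  { emit() }
    '
}

# Apply the rule from the thread: the owner must be root and the
# executable behind the socket must be the real rpc.statd.
verdict() {  # $1 = owning user, $2 = resolved executable path
    if [ "$1" != "root" ]; then
        echo "suspect: non-root owner on a privileged port"
    elif [ "$2" != "$EXPECTED_EXE" ]; then
        echo "suspect: root-owned but not $EXPECTED_EXE"
    else
        echo "expected: rpc.statd"
    fi
}

# Live check for one port (TCP and UDP). Run as root so lsof can see
# sockets owned by other users.
check_port() {  # $1 = port number
    lsof -nP -i :"$1" -F pcL 2>/dev/null | parse_lsof_fields |
    while read -r pid user cmd; do
        # /proc/PID/exe is the binary actually mapped, not the name the process reports
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
        echo "pid=$pid user=$user cmd=$cmd exe=$exe -> $(verdict "$user" "$exe")"
    done
}

# Usage on the affected host: check_port 600
```

If `check_port` prints nothing while chkrootkit still reports the port, compare against a statically linked or known-good lsof, since the installed one may itself have been replaced.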


