
Re: INFECTED (PORTS: 600)





--On May 18, 2006 9:17:09 AM -0400 Morgan Walker <jmw@M-CAM.COM> wrote:



Hey guys,



Just new to this mailing list, hope you guys can help me out.  I was
testing out the chkrootkit package on one of my Debian boxes.  After
running ‘chkrootkit -q’ I received the following output:

Use lsof and ps to find out who's running that proc and where from. If root isn't running it then someone has a hacked binary that's trying to hide, if root is, and lsof indicates it's not /sbin/rpc.statd then you're owned. It's kind of unusual for statd to show up on such a low port but not totally unheard of.




INFECTED (PORTS:  600)



I looked further into it and narrowed it down to this.  ‘netstat -naptu |
grep 600’ gave me the following output:



udp        0      0 0.0.0.0:600             0.0.0.0:*                           2120/rpc.statd



I have searched around on other mailing lists and forums, but could never
really get a definitive answer.  Is this a common message for chkrootkit,
should I be worried?  Any help would be great, thanks in advance.



~Morgan



Morgan Walker
Systems Administrator/Engineer
M•CAM, Inc.
Omni Business Center

210 Ridge-McIntire Rd., Suite 300

Charlottesville, VA 22903
434.979.7240 x311



http://www.m-cam.com





--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting
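
The check described in the reply, written out as an added example that is not part of the original thread: it pulls the PID from a netstat line, finds the owner and on-disk binary, and applies the reply's rule (root-owned and /sbin/rpc.statd, otherwise suspect). The function names are hypothetical, and it assumes a Linux /proc filesystem with lsof installed.

```shell
#!/bin/sh
# Added example: triage a port flagged by chkrootkit using the reply's rule.
# EXPECTED_EXE is the path named in the reply; adjust it for other daemons.
EXPECTED_EXE="/sbin/rpc.statd"

# Extract the PID from a "netstat -naptu" line (the "PID/Program name" field).
# Prints nothing when netstat could not attribute the socket ("-").
pid_from_netstat() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) { split($i, a, "/"); print a[1]; exit }
    }'
}

# The reply's decision rule, applied to a process owner and executable path.
classify() {
    owner=$1
    exe=$2
    if [ "$owner" != "root" ]; then
        echo "SUSPECT: run by $owner, not root"
    elif [ "$exe" != "$EXPECTED_EXE" ]; then
        # Also catches "/sbin/rpc.statd (deleted)", i.e. a binary that was
        # replaced or removed on disk after the process started.
        echo "SUSPECT: root process runs $exe, not $EXPECTED_EXE"
    else
        echo "OK: root-owned $EXPECTED_EXE"
    fi
}

# Live check of one PID: owner from ps, real binary from /proc/PID/exe.
# Run as root, otherwise readlink fails for other users' processes.
check_pid() {
    pid=$1
    owner=$(ps -o user= -p "$pid" | tr -d ' ')
    exe=$(readlink "/proc/$pid/exe")
    echo "pid $pid: $(classify "$owner" "$exe")"
}

# Live check of every process holding a given UDP port, via lsof.
check_udp_port() {
    for pid in $(lsof -nP -t -iUDP:"$1"); do
        check_pid "$pid"
    done
}
# Usage (as root): check_udp_port 600
```
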


