Going through system mail, I found several chkrootkit runs showing a
possible bindshell exploit:
Checking `bindshell'... INFECTED (PORTS: 600)
On checking with 'chkrootkit -x bindshell', turns out that I had a
process open on port 600 UDP:
udp 0 0 0.0.0.0:600 0.0.0.0:*
That's output of 'netstat -na'. Running (thanks, bodq on #debian IRC)
'netstat -nupl', I see this is rpc.statd, which runs as part of my NFS
client configuration. This process requests an arbitrary port from the
portmapper at startup, and isn't assigned a consistent port on multiple
invocations.
Restarting the nfs-common services (/etc/init.d/nfs-common restart)
reassigned the port and cleared the chkrootkit report.
Seems chkrootkit might want to check against known good services running
on arbitrary ports.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
What must be, must be.
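A triage script, added here and not part of the original post, that automates the check described above: it takes the ports chkrootkit's bindshell test flagged, looks up which process owns each one in 'netstat -nupl' output, and separates known portmapper-assigned RPC daemons such as rpc.statd from ports that still need a look. The netstat output and the flagged ports other than 600 are constructed samples.

```sh
#!/bin/sh
# Constructed sample of 'netstat -nupl' output (not from the original post);
# the rpc.statd line mirrors the situation described in the mail.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:600             0.0.0.0:*                           1234/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1000/rpcbind
udp        0      0 0.0.0.0:31337           0.0.0.0:*                           4242/unknownd'

# Ports flagged by chkrootkit's bindshell test: 600 is from the post, the rest are constructed.
FLAGGED_PORTS="600 31337 53"

# Daemons that legitimately take an arbitrary port from the portmapper at startup.
KNOWN_RPC_PROGS="rpc.statd rpc.mountd rpc.lockd rpcbind portmap"

# owner_of_udp_port PORT NETSTAT_OUTPUT -> prints "PID/Program" of the UDP listener, or nothing.
owner_of_udp_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "udp" { sub(/.*:/, "", $4); if ($4 == p) print $NF }'
}

# classify_port PORT NETSTAT_OUTPUT -> prints one of:
#   unbound           nothing listens there now (stale hit, or the process already exited)
#   known-rpc:<prog>  a known RPC daemon holding a portmapper-assigned port
#   review:<prog>     any other program; look at the binary and its parent
# Note: the program name column is what the process reports, so a known-rpc
# verdict should still be confirmed against 'rpcinfo -p' on a live system.
classify_port() {
    owner=$(owner_of_udp_port "$1" "$2")
    [ -n "$owner" ] || { echo unbound; return 0; }
    prog=${owner#*/}
    case " $KNOWN_RPC_PROGS " in
        *" $prog "*) echo "known-rpc:$prog" ;;
        *)           echo "review:$prog" ;;
    esac
}

# triage: one line per flagged port, suitable for reading alongside the chkrootkit mail.
triage() {
    for p in $FLAGGED_PORTS; do
        printf 'port %s: %s\n' "$p" "$(classify_port "$p" "$SAMPLE_NETSTAT")"
    done
}

triage
```

On a real host, replace SAMPLE_NETSTAT with the output of 'netstat -nupl' (or 'ss -nulp') and FLAGGED_PORTS with the ports from the chkrootkit report.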