Re: False positive chkrootkit report for rpc.statd process as 'bindshell' exploit
Incoming from Karsten M. Self:
> Going through system mail, I found several chkrootkit runs showing a
> possible bindshell exploit:
>
> Checking `bindshell'... INFECTED (PORTS: 600)
> On checking with 'chkrootkit -x bindshell', turns out that I had a
> process open on port 600 UDP:
>
> udp 0 0 0.0.0.0:600 0.0.0.0:*
>
> That's output of 'netstat -na'. Running (thanks, bodq on #debian IRC)
> 'netstat -nupl', I see this is rpc.statd, which runs as part of my NFS
> client configuration. This process requests an arbitrary port from the
> portmapper at startup, and isn't assigned a consistent port on multiple
> invocations.
>
> Restarting the nfs-common services (/etc/init.d/nfs-common restart)
> reassigned the port and cleared the chkrootkit report.
>
> Seems chkrootkit might want to check against known good services running
> on arbitrary ports.
Perhaps I'm missing your point, but I've got something like that
happening here and chkrootkit's never complained about it:
-----------------------------------------------
(0) root /root_ netstat -nupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:53 0.0.0.0:* 374/
(0) root /root_ ps -ef | grep 374
nobody 374 1 0 Mar19 ? 00:00:00 [maradns]
-----------------------------------------------
I've no idea why it would be complaining about yours, except for the
"arbitrary port" bit. Have you reported this to chkrootkit?
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
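The triage step both posters describe, mapping a port that chkrootkit's bindshell check flagged to its owning process with `netstat -nupl` and, for portmapper-assigned services such as rpc.statd, confirming the registration with `rpcinfo -p`, as an added example that is not part of the thread or of chkrootkit itself. The netstat and rpcinfo outputs below are constructed samples modelled on the thread (PIDs, the port 60000 entry and the allowlist are assumptions); on a live host substitute the real command output.

```shell
# Triage a port flagged by chkrootkit's bindshell check: who owns it
# (netstat -nupl), and did the portmapper hand it out (rpcinfo -p)?
# All sample output here is constructed; replace with real command output.

# Constructed 'netstat -nupl' output (UDP lines carry no State column).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:600 0.0.0.0:* 812/rpc.statd
udp 0 0 0.0.0.0:53 0.0.0.0:* 374/maradns
udp 0 0 0.0.0.0:60000 0.0.0.0:* 4242/'

# Constructed 'rpcinfo -p' output: rpc.statd registers as program "status".
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    600  status
    100024    1   tcp    602  status'

# Assumed allowlist: daemons expected to listen on arbitrary or fixed ports.
KNOWN_GOOD='rpc.statd maradns'

# Print "PID/Program" for the process bound to UDP port $1, or "unknown".
port_owner() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "udp" && $4 ~ (":" port "$") { print $NF; found = 1 }
        END { if (!found) print "unknown" }'
}

# Print the RPC service name the portmapper registered on port $1, or "none".
rpc_service() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $4 == port { print $5; found = 1; exit }
        END { if (!found) print "none" }'
}

# Verdict for a flagged port: known-good:<prog>, rpc:<service>, or suspicious.
classify_port() {
    owner=$(port_owner "$1" "$2"); prog=${owner#*/}
    for good in $KNOWN_GOOD; do
        [ "$prog" = "$good" ] && { echo "known-good:$prog"; return 0; }
    done
    svc=$(rpc_service "$1" "$3")
    [ "$svc" != "none" ] && { echo "rpc:$svc"; return 0; }
    echo "suspicious:$owner"
}

classify_port 600 "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"    # known-good:rpc.statd
classify_port 60000 "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"  # suspicious:4242/
```

A port whose owner is neither allowlisted nor registered with the portmapper (an empty program name, as in the 60000 line, is common when netstat runs without privileges) is the case worth investigating rather than dismissing.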