Re: /bin/login listening?

[Jeff D <fixedored@gmail.com>]

On Sat, 28 Jul 2007, Tyler Smith wrote:

> Hi,
>
> rkhunter has turned up a new warning for me:
>
> > Found warnings:
> > [16:37:42] Checking for packet capturing applications... Warning
> > [16:37:43] Warning! Process /bin/login (3888) listening
> > [16:37:43] Warning! Process /bin/login (3888) listening
> > [16:37:43] Warning! Process /bin/login (3888) listening
> > [16:37:43] Warning! Process /bin/login (3888) listening
> > [16:37:43] Warning! Process /sbin/dhclient (4197) listening
> > [16:37:43] WARNING, found:  /etc/.java (directory)  /dev/.static (directory)  /dev/.udev (directory)  /dev/.initramfs (directory)
>
> The /bin/login hasn't shown up before. Is this something I need to
> worry about?
>
> Thanks,
>
> Tyler
>
>
> --

Normally /bin/login shouldn't be listening. A couple things you could do 
to see if it is listneing is:
lsof -i -n  | grep LISTEN
if it is listening, it should show up there. providing lsof hasnt been 
comprimised.
if you have another machine available to you, run an nmap scan on it 
like so:
nmap -sV hostname

if those show up true, it's likely that you have a rootkit installed and 
should pull the network cable from the machine and rebuild.

jeff

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.