Re: chkrootkit infected ports 2881
Adam Hardy on 03/08/08 14:13, wrote:
My webserver system is actually a UML slice of a system at memset.co.uk
and all it does is run Apache Tomcat and sshd and the stuff from memset
- I thought it was pretty safe until I came back today and found my
nightly email report from chkrootkit said:
The following suspicious files and directories were found:
INFECTED (PORTS: 2881)
The .ramfs started appearing when I upgraded chkrootkit, so I never
worried about it, but Friday night's INFECTED alert was a slap in the
face with a wet fish. Saturday night's report went back to normal - no
mention of the port.
I scanned it from grc.com/x/portprobe and it came back as closed.
The only mention I can find in the logs is:
root@hardyaa1:~# grep 2881 /var/log/*
2881 660 1 root disk 0 Wed Apr 30 11:32:37
and that's a PID, not a port, right?
So how bad does this look? Should I clean the system? If it is rooted,
how can I tell what the security flaw was? My password at that point
(since changed) was CE0dff2*£ so if it was a brute force attack, then
wow, they did well.
I talked to the support at the hosting company and they looked at the system and
said they couldn't see anything wrong with it - but they can re-image it for me
which normally costs a fee.
Is it worth re-imaging my system and re-installing everything?
I still have no idea what chkrootkit means when it says a port is infected.