[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit infected ports 2881

Adam Hardy on 04/08/08 14:50, wrote:
thveillon.debian on 04/08/08 13:48, wrote:
Adam Hardy on 03/08/08 14:13, wrote:
I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.

Is it worth re-imaging my system and re-installing everything?

I still have no idea what chkrootkit means when it says a port is


Chkrootkit is known to fall for quite a few false positive, for example if you run Portsentry or such anti-portscan demon, it also can detect legitimate services like dhcpd or such as sniffers, which isn't really incorrect but not a problem. I never heard of 2881 as being one of those, but maybe getting in touch with the dev team could give you an easy answer.

Maybe the only way to know for sure would be scanning all traffic from another system regarding this port to see if anything suspicious can be spotted, and maybe running an integrity check with debsum or such on conf files, comparing the result with a backup from an earlier state or a known sane system.

What would really be interesting is to spot the precise day when the warning first occurred from your system logs, and see if you can spot any change in configuration that could have triggered it (update ?). That is, if your system really is infected you cannot trust anything and especially not the logs...

I got that message in the email from early Saturday morning's cronjob.

I have been following instructions on


and I found that step 2 (look for setuid and setgid files) produces a file list:

root@hardyaa1:~# find / -xdev -user root -perm -4000 -print

Again, I'm stumbling in the dark here. cert.org doesn't explain what this list of files signifies, it just implies that I shouldn't see it.

Also, I still have no idea what chkrootkit detected which made it decide to send an INFECTED alert on that port.

More suspicious stuff has turned up in my investigations. The following is the nmap output when I run it from the suspect rooted system:

Not shown: 65529 closed ports
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
12121/tcp open  unknown

But when I run nmap from my home machine to scan it remotely, I see these extra ports are open:

Not shown: 65524 closed ports
22/tcp    open     ssh
25/tcp    open     smtp
80/tcp    open     http
443/tcp   open     https
1720/tcp  filtered H.323/Q.931
3306/tcp  open     mysql
6666/tcp  filtered irc
6667/tcp  filtered irc
6668/tcp  filtered irc
6669/tcp  filtered irc
12121/tcp open     unknown

So I have 1720, 6666, 6667, 6668 and 6669 open and nmap is ignoring them. Isn't that conclusive evidence that nmap on the suspected machine is some hacker's version?

Reply to: