[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chkrootkit infected ports 2881

s. keeling on 06/08/08 03:55, wrote:
Joey Hess <joeyh@debian.org>:
 Thomas Preud'homme wrote:
I don't think it's that important. chkrootkit seems a little hazardous=20
since there was a bug about chkrootkit killing a random process (in=20
fact one of its test was sending a signal to process 12345, this bug=20
has been corrected).
 That anyone could code such a thing was astounding.. until I looked at the =
 of chrootkit's code that's responsible for the "INFECTED PORTS" message:

   bindshell () {

 So, rootkits only bind to this small list of high ports? If I were

fwiw, Moe Trin (Old Guy) has been screaming this for years.  Ditto
rkhunter.  Both of them are _false_ sense of security stuff, as their
tests are trivially bypassed.

They should be removed, or discounted loudly.

OK so I'm convinced chkrootkit is only a small help in the fight against wannabe crackers. But chkrootkit has been giving me warnings of rootkits alot more frequently over the last 10 days since this event happened so I'm going to get the system wiped and re-installed.

The question is, what do I replace chkrootkit with, especially if stuff like rkhunter's not much better?

Reply to: