thveillon.debian on 04/08/08 13:48, wrote:
Adam Hardy on 03/08/08 14:13, wrote:[...snip]I talked to the support at the hosting company and they looked at the system and said they couldn't see anything wrong with it - but they can re-image it for me which normally costs a fee. Is it worth re-imaging my system and re-installing everything? I still have no idea what chkrootkit means when it says a port is infected. AdamHi,Chkrootkit is known to fall for quite a few false positive, for example if you run Portsentry or such anti-portscan demon, it also can detect legitimate services like dhcpd or such as sniffers, which isn't really incorrect but not a problem. I never heard of 2881 as being one of those, but maybe getting in touch with the dev team could give you an easy answer.http://www.chkrootkit.org/Maybe the only way to know for sure would be scanning all traffic from another system regarding this port to see if anything suspicious can be spotted, and maybe running an integrity check with debsum or such on conf files, comparing the result with a backup from an earlier state or a known sane system.What would really be interesting is to spot the precise day when the warning first occurred from your system logs, and see if you can spot any change in configuration that could have triggered it (update ?). That is, if your system really is infected you cannot trust anything and especially not the logs...
I got that message in the email from early Saturday morning's cronjob. I have been following instructions on http://www.cert.org/tech_tips/intruder_detection_checklist.html and I found that step 2 (look for setuid and setgid files) produces a file list: root@hardyaa1:~# find / -xdev -user root -perm -4000 -print /bin/su /bin/mount /bin/umount /bin/ping /bin/ping6 /sbin/unix_chkpwd /usr/bin/newgrp /usr/bin/chfn /usr/bin/chsh /usr/bin/gpasswd /usr/bin/passwd /usr/bin/X /usr/bin/sudo /usr/bin/gpg /usr/bin/sudoedit /usr/bin/netselect /usr/bin/traceroute.lbl /usr/lib/pt_chown /usr/lib/openssh/ssh-keysign /usr/lib/apache/suexec.disabled /usr/lib/libfakeroot-tcp.so /usr/lib/libfakeroot-sysv.soAgain, I'm stumbling in the dark here. cert.org doesn't explain what this list of files signifies, it just implies that I shouldn't see it.
Also, I still have no idea what chkrootkit detected which made it decide to send an INFECTED alert on that port.
Regards Adam