
Re: chkrootkit infected ports 2881



Monday 04 August 2008, Adam Hardy wrote :
> thveillon.debian on 04/08/08 13:48, wrote:
> >>>> Adam Hardy on 03/08/08 14:13, wrote:
> >
> > [...snip]
> >
> >>>> I talked to the support at the hosting company and they looked
> >>>> at the system and said they couldn't see anything wrong with it
> >>>> - but they can re-image it for me which normally costs a fee.
> >>>>
> >>>> Is it worth re-imaging my system and re-installing everything?
> >>>>
> >>>> I still have no idea what chkrootkit means when it says a port
> >>>> is infected.
> >>>>
> >>>>
> >>>> Adam
> >
> > Hi,
> > Chkrootkit is known to fall for quite a few false positives, for
> > example if you run Portsentry or such an anti-portscan daemon; it also
> > can detect legitimate services like dhcpd or such as sniffers,
> > which isn't really incorrect but not a problem. I never heard of
> > 2881 as being one of those, but maybe getting in touch with the dev
> > team could give you an easy answer.
> > http://www.chkrootkit.org/
> >
> > Maybe the only way to know for sure would be scanning all traffic
> > from another system regarding this port to see if anything
> > suspicious can be spotted, and maybe running an integrity check
> > with debsum or such on conf files, comparing the result with a
> > backup from an earlier state or a known sane system.
> >
> > What would really be interesting is to spot the precise day when
> > the warning first occurred from your system logs, and see if you
> > can spot any change in configuration that could have triggered it
> > (update ?). That is, if your system really is infected you cannot
> > trust anything and especially not the logs...
>
> I got that message in the email from early Saturday morning's
> cronjob.
>
> I have been following instructions on
>
> http://www.cert.org/tech_tips/intruder_detection_checklist.html
>
> and I found that step 2 (look for setuid and setgid files) produces a
> file list:
>
> root@hardyaa1:~# find / -xdev -user root -perm -4000 -print
> /bin/su
> /bin/mount
> /bin/umount
> /bin/ping
> /bin/ping6
> /sbin/unix_chkpwd
> /usr/bin/newgrp
> /usr/bin/chfn
> /usr/bin/chsh
> /usr/bin/gpasswd
> /usr/bin/passwd
> /usr/bin/X
> /usr/bin/sudo
> /usr/bin/gpg
> /usr/bin/sudoedit
> /usr/bin/netselect
> /usr/bin/traceroute.lbl
> /usr/lib/pt_chown
> /usr/lib/openssh/ssh-keysign
> /usr/lib/apache/suexec.disabled
> /usr/lib/libfakeroot-tcp.so
> /usr/lib/libfakeroot-sysv.so
>
> Again, I'm stumbling in the dark here. cert.org doesn't explain what
> this list of files signifies, it just implies that I shouldn't see
> it.
>
> Also, I still have no idea what chkrootkit detected which made it
> decide to send an INFECTED alert on that port.
>
>
> Regards
> Adam

Executables with setuid set and owned by user root will have root rights even if 
they are launched by a user who is not root. Programs with setuid set 
are launched with the rights of the owner of the program (here root).

So it could be a security hole, and the list of such programs must be as 
small as possible. Here I don't see any strange program which shouldn't 
have setuid set, so it's fine, don't worry.

Regards,

Thomas Preud'homme

-- 
Why Debian : http://www.debian.org/intro/why_debian
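The setuid list in Adam's mail is only useful when compared with a known-good state, which is what the thread keeps coming back to (debsums, a backup, an earlier run). The script below is an added example, not code from the thread or from chkrootkit or CERT: it parses a captured `find ... -perm -4000 -print` run (the posted list is embedded as constructed sample data), diffs it against a baseline, and also offers a live scan that stays on one filesystem like `-xdev` and additionally reports setgid files, which the CERT step mentions but the `-perm -4000` command alone does not show. The baseline source, the file layout and the `/usr/local/bin/unexpected-setuid` entry are assumptions made for the demo.

```python
"""Audit setuid/setgid binaries against a known-good baseline.

Added example (not from the mailing-list thread). Assumes a baseline list
saved from a clean install or an earlier run of the same `find` command.
"""
import os
import stat
from typing import Dict, Iterable, List, Set

# Constructed sample: the output Adam posted, including the shell prompt line.
FIND_OUTPUT = """root@hardyaa1:~# find / -xdev -user root -perm -4000 -print
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/sbin/unix_chkpwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/X
/usr/bin/sudo
/usr/bin/gpg
/usr/bin/sudoedit
/usr/bin/netselect
/usr/bin/traceroute.lbl
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/apache/suexec.disabled
/usr/lib/libfakeroot-tcp.so
/usr/lib/libfakeroot-sysv.so
"""


def parse_find_output(text: str) -> Set[str]:
    """Return the absolute paths from a captured `find ... -print` run.

    Lines that do not start with '/' (shell prompt, blank lines) are skipped.
    """
    return {line.strip() for line in text.splitlines() if line.startswith("/")}


def describe_bits(mode: int) -> str:
    """Name the privilege bits set in a stat mode: 'setuid', 'setgid' or both."""
    names = []
    if mode & stat.S_ISUID:
        names.append("setuid")
    if mode & stat.S_ISGID:
        names.append("setgid")
    return "+".join(names) or "none"


def _same_device(path: str, dev: int) -> bool:
    try:
        return os.lstat(path).st_dev == dev
    except OSError:
        return False


def scan_tree(root: str) -> Dict[str, int]:
    """Walk one filesystem (like `find -xdev`) and return {path: mode} for
    every regular file with the setuid or setgid bit set."""
    found: Dict[str, int] = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune mount points so the walk stays on the starting device.
        dirnames[:] = [d for d in dirnames
                       if _same_device(os.path.join(dirpath, d), root_dev)]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = st.st_mode
    return found


def diff_against_baseline(current: Iterable[str], baseline: Iterable[str]) -> Dict[str, List[str]]:
    """'added' = paths that gained a privilege bit since the baseline (the
    ones to investigate); 'removed' = paths that lost one."""
    cur, base = set(current), set(baseline)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


if __name__ == "__main__":
    baseline = parse_find_output(FIND_OUTPUT)
    # Constructed "today" scan: one entry missing and one extra, standing in
    # for an unexpected binary. For a real run use scan_tree("/").keys().
    today = (baseline - {"/usr/bin/X"}) | {"/usr/local/bin/unexpected-setuid"}
    for label, paths in diff_against_baseline(today, baseline).items():
        for p in paths:
            print(f"{label}: {p}")
```

Save the baseline from a system you trust (a fresh install, or the package-verified state from debsums), not from the machine under suspicion; a diff that is empty only tells you the list has not changed since the baseline was taken, which is exactly the point thveillon makes about not trusting a possibly compromised host.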
