
Re: chkrootkit infected ports 2881



Joey Hess <joeyh@debian.org>:
> 
>  Thomas Preud'homme wrote:
> > I don't think it's that important. chkrootkit seems a little hazardous
> > since there was a bug about chkrootkit killing a random process (in
> > fact one of its tests was sending a signal to process 12345, this bug
> > has been corrected).
> 
>  That anyone could code such a thing was astounding.. until I looked at the
>  part of chkrootkit's code that's responsible for the "INFECTED PORTS" message:
> 
>    bindshell () {
>    PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
> 
>  So, rootkits only bind to this small list of high ports? If I were

fwiw, Moe Trin (Old Guy) has been screaming this for years.  Ditto
rkhunter.  Both of them are _false_ sense of security stuff, as their
tests are trivially bypassed.

They should be removed, or discounted loudly.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)    http://blinkynet.net/comp/uip5.html      Linux Counter #80292
- -    http://www.faqs.org/rfcs/rfc1855.html    Please, don't Cc: me.
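
An added example, not part of the original message and not chkrootkit's own code: the port denylist quoted above, applied to constructed `netstat -an` style lines to show which listeners a fixed list flags and which it never looks at. The matching logic, the `classify_ports` helper and the netstat column layout are assumptions; only the `PORT` value comes from the quoted snippet.

```shell
#!/bin/sh
# Port denylist copied from the bindshell() snippet quoted in the message.
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"

# Constructed sample input (not real output). Assumed columns:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE='tcp        0      0 0.0.0.0:22       0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:465      0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:2881     0.0.0.0:*   LISTEN
tcp        0      0 0.0.0.0:50123    0.0.0.0:*   LISTEN
tcp        0      0 10.0.0.5:22      10.0.0.9:51514 ESTABLISHED'

# classify_ports MODE TEXT   (hypothetical helper)
#   MODE=flagged : listening TCP ports that appear in the denylist
#   MODE=missed  : listening TCP ports the denylist says nothing about
# Prints the ports space-separated, in input order.
classify_ports() {
    printf '%s\n' "$2" | awk -v list="$PORT" -v mode="$1" '
        BEGIN {
            n = split(list, p, "|")
            for (i = 1; i <= n; i++) deny[p[i]] = 1
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)          # keep only the port after the last ":"
            hit = (port in deny)
            if ((mode == "flagged" && hit) || (mode == "missed" && !hit))
                out = out (out ? " " : "") port
        }
        END { print out }'
}

# 465 is the standard SMTPS/submissions port, so a mail server trips the check;
# 2881 is the port from this thread's subject line.
echo "reported as INFECTED: $(classify_ports flagged "$SAMPLE")"
# Anything listening on a port outside the list passes silently, whatever it is.
echo "never examined:       $(classify_ports missed "$SAMPLE")"
```

A "not infected" result from a check of this shape only means no listener happened to use one of the listed port numbers.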

