Re: chkrootkit infected ports 2881
Joey Hess <joeyh@debian.org>:
>
> Thomas Preud'homme wrote:
> > I don't think it's that important. chkrootkit seems a little hazardous
> > since there was a bug about chkrootkit killing a random process (in
> > fact one of its tests was sending a signal to process 12345, this bug
> > has been corrected).
>
> That anyone could code such a thing was astounding.. until I looked at the part
> of chkrootkit's code that's responsible for the "INFECTED PORTS" message:
>
> bindshell () {
> PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
>
> So, rootkits only bind to this small list of high ports? If I were
fwiw, Moe Trin (Old Guy) has been screaming this for years. Ditto
rkhunter. Both of them are _false_ sense of security stuff, as their
tests are trivially bypassed.
They should be removed, or discounted loudly.
--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://blinkynet.net/comp/uip5.html Linux Counter #80292
- - http://www.faqs.org/rfcs/rfc1855.html Please, don't Cc: me.
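Added example, not part of the original messages and not chkrootkit's own code: a simplified model of a fixed-port-list check using the PORT value quoted above, run next to a comparison against a per-host baseline of expected listeners. The listener and baseline data, the process names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Port list exactly as quoted from chkrootkit's bindshell() in the message above.
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"

# Constructed sample: "port process" pairs for listening TCP sockets.
# 2881 is used here by an expected service; 40123 is an unexpected listener.
SAMPLE_LISTENERS='22 sshd
25 master
2881 appserver
40123 unknown'

# Constructed baseline: the listeners the administrator expects on this host.
BASELINE='22 sshd
25 master
2881 appserver'

# Model of a fixed-list check: report listening ports that appear in PORT.
# Usage: blocklist_hits "<listeners>"
blocklist_hits() {
    printf '%s\n' "$1" | awk '{ print $1 }' | grep -E -x "($PORT)" | sort -n
}

# Baseline comparison: report ports whose "port process" pair is not in the
# baseline. Usage: baseline_diff "<listeners>" "<baseline>"
baseline_diff() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---"    { seen_sep = 1; next }   # end of baseline section
        !seen_sep      { known[$0] = 1; next }  # remember expected listeners
        !($0 in known) { print $1 }             # anything else is unexpected
    ' | sort -n
}

# The fixed list flags the expected service on 2881 and misses 40123;
# the baseline comparison reports only the unexpected listener.
echo "fixed-list check flags: $(blocklist_hits "$SAMPLE_LISTENERS")"
echo "baseline diff flags:    $(baseline_diff "$SAMPLE_LISTENERS" "$BASELINE")"
```

On a real host the listener pairs would come from the system's socket listing; the parsing of that output is left out here because its format varies between tools.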