Joey Hess <joeyh@debian.org>:
Thomas Preud'homme wrote:
I don't think it's that important. chkrootkit seems a little hazardous
since there was a bug about chkrootkit killing a random process (in
fact one of its tests was sending a signal to process 12345; this bug
has been corrected).
That anyone could code such a thing was astounding... until I looked at the part
of chkrootkit's code that's responsible for the "INFECTED PORTS" message:
bindshell () {
PORT="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"
So, rootkits only bind to this small list of high ports? If I were
fwiw, Moe Trin (Old Guy) has been screaming this for years. Ditto
rkhunter. Both of them are _false_ sense of security stuff, as their
tests are trivially bypassed.
They should be removed, or discounted loudly.
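To make the point of the thread concrete, here is an added illustration (not chkrootkit's code, and not written by anyone in this thread) of why a fixed port list is a weak test and what a defender can do instead. It takes a constructed sample of listener output in the column layout of `ss -Hltn`, runs a chkrootkit-style check against the port list quoted above, and contrasts it with a check that reports every listener missing from a per-host baseline. The sample lines, the `EXPECTED_PORTS` baseline and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample in the layout of `ss -Hltn`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Ports 31337 and 4444 are made-up listeners that should not be on this host.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:31337 [::]:*
LISTEN 0 128 0.0.0.0:4444 0.0.0.0:*'

# Assumption: a per-host baseline of ports that are expected to be listening.
EXPECTED_PORTS="22 25"

# The fixed port list from chkrootkit's bindshell() as quoted in the thread.
SUSPECT_PORTS="114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|45454|47017|47889|60001|7222"

# Print the local port of every ss-style line given on stdin-like input ($1).
# The port is the last ':'-separated field of column 4, which also handles
# bracketed IPv6 addresses such as [::]:31337.
listening_ports() {
    printf '%s\n' "$1" | awk '{ n = split($4, a, ":"); print a[n] }'
}

# Denylist style (what the quoted chkrootkit test does): only ports on the
# fixed list are reported. Any listener on another port is silently ignored.
flag_by_denylist() {
    listening_ports "$1" | grep -Ex "$SUSPECT_PORTS"
}

# Baseline style: report every listener that is not in the host's expected set.
# This does not depend on guessing which ports an attacker might choose.
flag_by_baseline() {
    listening_ports "$1" | while read -r port; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;            # expected, stay quiet
            *) echo "$port" ;;         # unexpected listener, report it
        esac
    done
}

# Stand-alone run: show what each style reports for the sample.
echo "denylist reports:"
flag_by_denylist "$SAMPLE_LISTENERS"
echo "baseline reports:"
flag_by_baseline "$SAMPLE_LISTENERS"
```

On the sample, the denylist check reports only 31337, while the baseline check reports both 31337 and 4444. In practice the baseline would be generated from a known-good image and compared against live `ss -Hltn` output, which turns the test from "is one of these 32 ports open" into "is anything open that we did not expect".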