Re: chkrootkit infected ports 2881

[Adam Hardy <adam.ant@cyberspaceroad.com>]

s. keeling on 06/08/08 03:55, wrote:
> Joey Hess <joeyh@debian.org>:
> >  Thomas Preud'homme wrote:
> > > I don't think it's that important. chkrootkit seems a little hazardous=20
> > > since there was a bug about chkrootkit killing a random process (in=20
> > > fact one of its test was sending a signal to process 12345, this bug=20
> > > has been corrected).
> >  That anyone could code such a thing was astounding.. until I looked at the =
> >  part
> >  of chrootkit's code that's responsible for the "INFECTED PORTS" message:
> >
> >    bindshell () {
> >    PORT=3D"114|145|465|511|600|1008|1524|1999|1978|2881|3049|3133|3879|4000|=
> >  4369|5190|5665|6667|10008|12321|23132|27374|29364|30999|31336|31337|37998|4=
> >  5454|47017|47889|60001|7222"
> >
> >  So, rootkits only bind to this small list of high ports? If I were
>
> fwiw, Moe Trin (Old Guy) has been screaming this for years.  Ditto
> rkhunter.  Both of them are _false_ sense of security stuff, as their
> tests are trivially bypassed.
>
> They should be removed, or discounted loudly.

OK so I'm convinced chkrootkit is only a small help in the fight against wannabe 
crackers. But chkrootkit has been giving me warnings of rootkits alot more 
frequently over the last 10 days since this event happened so I'm going to get 
the system wiped and re-installed.

The question is, what do I replace chkrootkit with, especially if stuff like 
rkhunter's not much better?