
Re: Rkhunter warning



David Baron (d_baron@012.net.il on 2011-12-27 12:12 +0200):
> Warning: Network TCP port 13000 is being used by /sbin/rpc.statd.
> Possible rootkit: Possible Universal Rootkit (URK) SSH server
>          Use the 'lsof -i' or 'netstat -an' command to check this.
> 
> rpc.statd is started by nfs-common.
> 
> False alarm? Bug? Serious trouble?

If you have installed rpc.statd and have it running, it could be a
false alarm. Have you tried profiling the port (with an ssh client or
nmap)?

You can ask rpcinfo for confirmation:
$ rpcinfo -p
   program vers proto   port
[..]
    100024    1   udp  20492  status
    100024    1   tcp  20492  status
# lsof -i |grep stat
rpc.statd 15685    statd   5u  IPv4  46309    0t0  UDP *:1021 
rpc.statd 15685    statd   7u  IPv4  46318    0t0  UDP *:20492 
rpc.statd 15685    statd   8u  IPv4  46321    0t0  TCP *:20492 (LISTEN)


By default, rpc.statd uses a random port number. If you restart
nfs-common, chances are that it will pick a different port number. You
can force a different (static) port by editing /etc/default/nfs-common.


Regards,
Arno
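
The cross-check described in the reply above, scripted as an added example (not part of the original message): it looks up a flagged TCP port in `rpcinfo -p` output and in `lsof -i` output and reports whether the port is an RPC-registered listener. The function names are hypothetical, and the sample data is constructed from the output quoted in the message.

```shell
#!/bin/sh
# Sample data, constructed from the output quoted in the message above
# (the portmapper row and the lsof header line are added for realism).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100024    1   udp  20492  status
    100024    1   tcp  20492  status'
SAMPLE_LSOF='COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
rpc.statd 15685 statd    7u  IPv4  46318      0t0  UDP *:20492
rpc.statd 15685 statd    8u  IPv4  46321      0t0  TCP *:20492 (LISTEN)'

# rpc_service PORT PROTO   (reads `rpcinfo -p` text on stdin)
# Prints the RPC service name registered for that port/protocol, if any.
rpc_service() {
    awk -v port="$1" -v proto="$2" \
        '$1 ~ /^[0-9]+$/ && $3 == proto && $4 == port { print $5; exit }'
}

# tcp_listener PORT   (reads `lsof -i` text on stdin)
# Prints the command holding a TCP LISTEN socket on that port, if any.
tcp_listener() {
    awk -v port="$1" \
        '$NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $1; exit }'
}

# explain_port PORT RPCINFO_TEXT LSOF_TEXT
# "explained <service> <command>" when the port is both registered with the
# portmapper and held by a listening process; otherwise "unexplained ...".
explain_port() {
    svc=$(printf '%s\n' "$2" | rpc_service "$1" tcp)
    cmd=$(printf '%s\n' "$3" | tcp_listener "$1")
    if [ -n "$svc" ] && [ -n "$cmd" ]; then
        echo "explained $svc $cmd"
    else
        echo "unexplained rpc=${svc:-none} listener=${cmd:-none}"
    fi
}

# On a live system (as root, so lsof sees every process):
#   explain_port 13000 "$(rpcinfo -p)" "$(lsof -i -n -P)"
explain_port 20492 "$SAMPLE_RPCINFO" "$SAMPLE_LSOF"   # -> explained status rpc.statd
```

An "explained status rpc.statd" result matches the false-alarm case in the reply; an "unexplained" result means the listener on the flagged port is not accounted for by the portmapper and needs a closer look.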

