Re: Rkhunter warning
David Baron (d_baron@012.net.il on 2011-12-27 12:12 +0200):
> Warning: Network TCP port 13000 is being used by /sbin/rpc.statd.
> Possible rootkit: Possible Universal Rootkit (URK) SSH server
> Use the 'lsof -i' or 'netstat -an' command to check this.
>
> rpc.statd is started by nfs-common.
>
> False alarm? Bug? Serious trouble?
If you have installed rpc.statd and have it running, it could be a
false alarm. Have you tried profiling the port (with an ssh client or
nmap)?

You can ask rpcinfo for confirmation:

$ rpcinfo -p
program vers proto port
[..]
100024 1 udp 20492 status
100024 1 tcp 20492 status

# lsof -i |grep stat
rpc.statd 15685 statd 5u IPv4 46309 0t0 UDP *:1021
rpc.statd 15685 statd 7u IPv4 46318 0t0 UDP *:20492
rpc.statd 15685 statd 8u IPv4 46321 0t0 TCP *:20492 (LISTEN)

By default, rpc.statd uses a random port number. If you restart
nfs-common, chances are that it will pick a different port number. You
can force a different (static) port by editing /etc/default/nfs-common.

Regards,
Arno
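The cross-check described in the reply above, written as an added example (not part of the original message): it matches the process that lsof shows listening on a flagged TCP port against the portmapper registration from rpcinfo. The function names are hypothetical, and the sample text is the rpcinfo and lsof output quoted in the message; on a live host pass the output of `rpcinfo -p` and `lsof -i -n -P` instead.

```shell
#!/bin/sh
# Sample input: the rpcinfo and lsof lines quoted in the message above.
SAMPLE_RPCINFO='program vers proto port
100024 1 udp 20492 status
100024 1 tcp 20492 status'
SAMPLE_LSOF='rpc.statd 15685 statd 5u IPv4 46309 0t0 UDP *:1021
rpc.statd 15685 statd 7u IPv4 46318 0t0 UDP *:20492
rpc.statd 15685 statd 8u IPv4 46321 0t0 TCP *:20492 (LISTEN)'

# rpc_port_owner PORT PROTO: read `rpcinfo -p` output on stdin and print
# "<program number> <service name>" for the registration on PORT/PROTO.
rpc_port_owner() {
    awk -v port="$1" -v proto="$2" '
        $1 ~ /^[0-9]+$/ && $3 == proto && $4 == port {
            print $1, ($5 == "" ? "-" : $5); found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# lsof_tcp_listener PORT: read `lsof -i` output (numeric ports) on stdin
# and print the command name holding the TCP listening socket on PORT.
lsof_tcp_listener() {
    awk -v port="$1" '
        $8 == "TCP" && $9 ~ (":" port "$") && $10 == "(LISTEN)" {
            print $1; found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# classify_port PORT RPCINFO_TEXT LSOF_TEXT: succeed only when the port has
# both a visible listener and a matching portmapper registration.
classify_port() {
    cp_holder=$(printf '%s\n' "$3" | lsof_tcp_listener "$1") || cp_holder=""
    cp_reg=$(printf '%s\n' "$2" | rpc_port_owner "$1" tcp) || cp_reg=""
    if [ -n "$cp_holder" ] && [ -n "$cp_reg" ]; then
        echo "consistent: $cp_holder listens on tcp/$1, registered as RPC program $cp_reg"
    else
        echo "unexplained: tcp/$1 listener=${cp_holder:-none} rpc=${cp_reg:-none}"
        return 1
    fi
}

classify_port 20492 "$SAMPLE_RPCINFO" "$SAMPLE_LSOF"
# Port 13000 is not in the sample, so it is reported as unexplained.
classify_port 13000 "$SAMPLE_RPCINFO" "$SAMPLE_LSOF" || true
```

A "consistent" result only shows that the two views agree; it does not verify the rpc.statd binary itself.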