[KLUG Members] chkrootkit returned a positive - Uh-oh... What do I do?

Tim Gray members@kalamazoolinux.org
20 Sep 2002 09:48:52 -0400


I ran chkrootkit and the only line in its output that caught my
attention was this:

"Checking `bindshell'... INFECTED (PORTS:  1008)"

I've searched my filesystems using "find", "slocate" from the install, as
well as "find" from the linuxcare bootable cdrom (to ensure it isn't
that I'm just TOTALLY r00ted) and wasn't able to find bindshell...

I want to confirm that I'm rooted and explore it if I can.  Otherwise,
I'm going to clean-install everything.

When I nmap from another system, the "offending" port 1008 is not
reported as open.

This system is locked behind a solid firewall, and does not fulfill a
server role.  

Is chkrootkit prone to false positives?

-- 
Tim Gray
ADAC Plastics
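
One way to see what, if anything, is listening on the flagged port from the host itself. This is an added example, not part of the original post: it reads a TCP table in /proc/net/tcp format and maps each listening socket on the port to the PIDs holding it. The sample table is constructed, and the address decoding assumes a little-endian (x86) host.

```python
import os
import socket
import struct

LISTEN = "0A"  # TCP_LISTEN state code in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not from the original post).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4101 1 c0a1 300 0 0 2 -1
   1: 0100007F:03F0 00000000:0000 0A 00000000:00000000 00:00000000 00000000    29        0 5120 1 c0a2 300 0 0 2 -1
   2: 0A00000A:03F0 0A00000B:9C40 01 00000000:00000000 00:00000000 00000000     0        0 5133 1 c0a3 300 0 0 2 -1
"""


def listeners(table, port):
    """Return (address, uid, inode) for each LISTEN socket on `port`."""
    found = []
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # Address is a little-endian 32-bit value on x86 hosts.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        found.append((addr, int(f[7]), int(f[9])))
    return found


def owners(inode, proc_root="/proc"):
    """Return PIDs holding a file descriptor for socket `inode`."""
    target = "socket:[%d]" % inode
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:  # process exited, or not readable without root
            continue
    return sorted(pids)


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        for addr, uid, inode in listeners(fh.read(), 1008):
            print(addr, "uid", uid, "inode", inode, "pids", owners(inode))
```

A listener bound only to 127.0.0.1, as in the constructed sample, would not appear in a scan from another system. On a host that may be compromised, local tools and /proc can themselves be subverted, so an unexpected owner is stronger evidence than a clean result.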