[KLUG Members] chkrootkit returned a positive - Uh-oh... What do I do?

Tim Gray members@kalamazoolinux.org
20 Sep 2002 11:27:46 -0400


Nevermind.  rpc.statd was running on port 1008 because I initially
thought I would most likely wind up using this box as an NFS server.  I
didn't, but forgot to shut down nfs services.

Digging around, I found it, and shut it down.  Whew.

Now chkrootkit doesn't report anything out of the ordinary.

Prelude's log and my security.log don't show anything out of the
ordinary.

I think I'm okay.  As well as a little better informed than I was at the
start of the day, which means today has been a success.  The rest is
smooth sailing!  Maybe I'll overachieve and try to learn some more
things today...

--Tim

On Fri, 2002-09-20 at 09:48, Tim Gray wrote:
> I ran chkrootkit and the only line in its output that caught my
> attention was this:
> 
> "Checking `bindshell'... INFECTED (PORTS:  1008)"
> 
> I searched my filesystems using "find", "slocate" from the install, as
> well as "find" from the linuxcare bootable cdrom (to ensure it isn't
> that I'm just TOTALLY r00ted) and wasn't able to find bindshell...
> 
> I want to confirm that I'm rooted and explore it if I can.  Otherwise,
> I'm going to clean-install everything.
> 
> When I nmap from another system, the "offending" port 1008 is not
> reported as open.
> 
> This system is locked behind a solid firewall, and does not fulfill a
> server role.
> 
> Is chkrootkit prone to false positives?
> 
> -- 
> Tim Gray
> ADAC Plastics
> 
-- 
Tim Gray
ADAC Plastics
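The triage Tim did by hand (chkrootkit flags a port, then find out who owns the listener) as a small added script, not from the original thread; it assumes modern `ss -ltnp` output rather than 2002-era netstat, and the chkrootkit line and listener listing below are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original thread). Triage a chkrootkit
# "bindshell" hit by mapping each flagged port to the local process that
# owns the listener, using `ss -ltnp` output. Sample data below is constructed.

# Pull the space-separated port list out of a chkrootkit bindshell line, e.g.
#   Checking `bindshell'... INFECTED (PORTS:  1008)
bindshell_ports() {
    printf '%s\n' "$1" | sed -n 's/.*PORTS:[[:space:]]*\([0-9 ]*\)).*/\1/p'
}

# Print the process name listening on port $1 according to the `ss -ltnp`
# text in $2, or UNKNOWN when nothing in the listing owns that port.
port_owner() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            if (match($0, /"[^"]*"/)) { print substr($0, RSTART + 1, RLENGTH - 2); found = 1 }
        }
        END { if (!found) print "UNKNOWN" }'
}

# One verdict line per flagged port. A port with a known owner may still be a
# false positive (as rpc.statd was here); a port with no visible owner is the
# case worth checking from a second host and from a clean boot medium.
triage_bindshell() {
    for port in $(bindshell_ports "$1"); do
        owner=$(port_owner "$port" "$2")
        if [ "$owner" = "UNKNOWN" ]; then
            echo "port $port: no visible local listener; confirm with nmap from another host and a clean boot medium"
        else
            echo "port $port: listener owned by '$owner'; confirm this is an expected service"
        fi
    done
}

# Constructed sample input standing in for `chkrootkit` and `ss -ltnp` output.
SAMPLE_CHKROOTKIT_LINE="Checking \`bindshell'... INFECTED (PORTS:  1008)"
SAMPLE_SS_OUTPUT=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:111         0.0.0.0:*         users:(("rpcbind",pid=512,fd=4))
LISTEN 0      64     0.0.0.0:1008        0.0.0.0:*         users:(("rpc.statd",pid=640,fd=6))
EOF
)

triage_bindshell "$SAMPLE_CHKROOTKIT_LINE" "$SAMPLE_SS_OUTPUT"
# On a live host (as root): triage_bindshell "$(chkrootkit | grep bindshell)" "$(ss -ltnp)"
```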