[KLUG Members] chkrootkit returned a positive - Uh-oh... What do I do?
Tim Gray
members@kalamazoolinux.org
20 Sep 2002 11:27:46 -0400
Nevermind. rpc.statd was running on port 1008 because I initially
thought I would most likely wind up using this box as a NFS server. I
didn't, but forgot to shut down nfs services.
Digging around, I found it, and shut it down. Whew.
Now chkrootkit doesn't report anything out of the ordinary.
Prelude's log and my security.log don't show anything out of the
ordinary.
I think I'm okay. As well as a little better informed than I was at the
start of the day, which means today has been a success. The rest is
smooth sailing! Maybe I'll overachieve and try to learn some more
things today...
--Tim
On Fri, 2002-09-20 at 09:48, Tim Gray wrote:
> I ran chkrootkit and the only line in its output that caught my
> attention was this:
>
> "Checking `bindshell'... INFECTED (PORTS: 1008)"
>
> I've searched my filesystems using "find", "slocate" from the install, as
> well as "find" from the linuxcare bootable cdrom (to ensure it isn't
> that I'm just TOTALLY r00ted) and wasn't able to find bindshell...
>
> I want to confirm that I'm rooted and explore it if I can. Otherwise,
> I'm going to clean-install everything.
>
> When I nmap from another system, the "offending" port 1008 is not
> reported as open.
>
> This system is locked behind a solid firewall, and does not fulfill a
> server role.
>
> Is chkrootkit prone to false positives?
>
> --
> Tim Gray
> ADAC Plastics
>
--
Tim Gray
ADAC Plastics
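As an added example, not code from the thread: a small POSIX shell helper that does what Tim did by hand, mapping the port chkrootkit's bindshell test flagged to the process listening on it and to the portmapper's registration for it. The `ss` and `rpcinfo` outputs below are constructed samples; the `explain_flagged_port` wrapper assumes `ss -H -lntp` and `rpcinfo -p` are available on the live host.

```shell
#!/bin/sh
# Resolve a port flagged by chkrootkit ("bindshell ... INFECTED (PORTS: N)")
# to the listening process and to any RPC service registered on it.

# Constructed sample of `ss -H -lntp` output (state recvq sendq local peer users).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=900,fd=4))
LISTEN 0 128 0.0.0.0:1008 0.0.0.0:* users:(("rpc.statd",pid=945,fd=7))'

# Constructed sample of `rpcinfo -p` output.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   udp   1007  status
    100024    1   tcp   1008  status'

# port_owner PORT LISTING -> "name pid" of the TCP listener on PORT, or "none".
port_owner() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($4, a, ":")
          if (a[n] == p && match($0, /\("[^"]*",pid=[0-9]+/)) {
              s = substr($0, RSTART + 2, RLENGTH - 2); sub(/",pid=/, " ", s)
              print s; found = 1; exit } }
        END { if (!found) print "none" }'
}

# rpc_service_on_port PORT RPCINFO -> RPC service registered on TCP PORT, or "none".
rpc_service_on_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NR > 1 && $3 == "tcp" && $4 == p { print $5; found = 1; exit }
        END { if (!found) print "none" }'
}

# explain_flagged_port PORT: live check (assumes ss and rpcinfo are installed).
# A process name alone proves nothing; the executable path behind the pid is
# printed so it can be checked against the package that should own it.
explain_flagged_port() {
    owner=$(port_owner "$1" "$(ss -H -lntp 2>/dev/null)")
    svc=$(rpc_service_on_port "$1" "$(rpcinfo -p 2>/dev/null)")
    echo "port $1: listener=$owner rpc_service=$svc"
    pid=${owner##* }
    [ "$owner" != "none" ] && readlink "/proc/$pid/exe"
    return 0
}
```

On the sample data `port_owner 1008 "$SAMPLE_SS"` prints `rpc.statd 945` and `rpc_service_on_port 1008 "$SAMPLE_RPCINFO"` prints `status`, which is exactly the rpc.statd registration that explained the false positive in this thread.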