From owner-freebsd-ports@FreeBSD.ORG Fri Oct 29 13:20:06 2004
Delivered-To: freebsd-ports@freebsd.org
From: "hutchens"
Cc: ports@FreeBSD.org
Date: Fri, 29 Oct 2004 09:19:59 -0400
Subject: BindShell False Positives FBSD-4.10.p3
List-Id: Porting software to FreeBSD

Good Morning;

Running Chkrootkit 0.44 - FreeBSD 4.10-p3
Perl-5.8.4
Dual p3-650 512MB ECC RAM

Chkrootkit reporting Bindshell Infection on port 145.

netstat -an indicates no connections using that port but is showing the value 145 in the Recv-Q:

    Proto Recv-Q Send-Q Local Address    Foreign Address  (state)
    tcp4       0      0 *.10082          *.*              LISTEN
    udp4       0      0 127.0.0.1.4611   127.0.0.1.123
    udp4     145      0 *.1368           *.*
    udp4       0      0 127.0.0.1.53     *.*

I've observed this twice so far for the 145 value. I've also had Bindshell reports on port 114 and believe those to have been inaccurate as well (unable to detect any problems with other tools automatically launched upon the chkrootkit report - rkhunter/lsof and manual/scheduled scans with Kaspersky & Clam AV). At the time I was getting reports ref port 114 I had not looked at the Chkrootkit Code & therefore did not set a trigger to run netstat -an upon a Chkrootkit alert as I have with port 145.

If there is any other info I can provide please let me know, thanks for your hard work.

Sincerely;
David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens@drs-sss.com
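As an added illustration (not code from the message above or from chkrootkit), the following Python shows how a whole-line match on a port number picks up the 145 in the Recv-Q column of the quoted netstat output, while a check that parses the Local Address column does not. The naive_match function is an assumed model of how a bindshell scan could be fooled this way, not chkrootkit's actual code, and the sample output is constructed from the lines in the message.

```python
import re

# Constructed sample: the netstat -an lines quoted in the message above.
# The udp4 socket on local port 1368 has 145 bytes queued in Recv-Q.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.10082                *.*                    LISTEN
udp4       0      0 127.0.0.1.4611         127.0.0.1.123
udp4     145      0 *.1368                 *.*
udp4       0      0 127.0.0.1.53           *.*
"""

# Ports the message reports as flagged (assumed list for this example).
SUSPECT_PORTS = (114, 145)


def naive_match(output, port):
    """Flag any data line that contains the port number as a word anywhere.

    Assumed model of a grep-style check: a queue byte count or any other
    numeric column that happens to equal the port will match too."""
    pat = re.compile(r'\b%d\b' % port)
    return [line for line in output.splitlines()[1:] if pat.search(line)]


def local_port(line):
    """Return the local port of one netstat -an line, or None if unparseable.

    BSD netstat separates address and port with a dot: *.1368, 127.0.0.1.53."""
    fields = line.split()
    if len(fields) < 4:
        return None
    port = fields[3].rsplit('.', 1)[-1]
    return int(port) if port.isdigit() else None


def column_aware_match(output, port):
    """Flag a line only when its Local Address column really ends in the port."""
    return [line for line in output.splitlines()[1:] if local_port(line) == port]


def compare(output, ports=SUSPECT_PORTS):
    """Return {port: (naive_hits, column_aware_hits)} for each suspect port."""
    return {p: (len(naive_match(output, p)), len(column_aware_match(output, p)))
            for p in ports}
```

Running compare() on the sample gives (1, 0) for port 145: the naive check fires on the Recv-Q value, the column-aware check finds no socket bound to that port.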