Date: Fri, 29 Oct 2004 09:24:43 -0400
From: "hutchens" <david.hutchens@drs-sss.com>
To: <cordeiro@nic.br>
Cc: ports@FreeBSD.org
Subject: Errata: incorrect Perl Version - BindShell False Positives FBSD-4.10.p3
Message-ID: <D3E7D4B9902BD6119C3B0002B395D1AE02A5DE60@voodoo.drs-sss.com>
Many apologies, reported wrong Perl version. Should've been v. 5.8.5 not 5.8.4

>Good Morning;
>Running Chkrootkit 0.44 - FreeBSD 4.10-p3 Perl-5.8.4
>Dual p3-650 512MB ECC RAM
>Chkrootkit reporting Bindshell Infection on port 145.
>netstat -an indicates no connections using that port but is showing the value 145 in the Recv-Q
>Proto Recv-Q Send-Q Local Address Foreign Address (state)
>tcp4 0 0 *.10082 *.* LISTEN
>udp4 0 0 127.0.0.1.4611 127.0.0.1.123
>udp4 145 0 *.1368 *.*
>udp4 0 0 127.0.0.1.53 *.*
>I've obs this twice so far for the 145 value. I've also had Bindshell reports on port 114 and believe those to have been inaccurate
>as well (unable to detect any problems with other tools automatically launched upon the chkrootkit report - rkhunter/lsof and manual/scheduled
>scans with Kaspersky & Clam AV).
>At the time I was getting reports ref port 114 I had not looked at the Chkrootkit Code & therefore did not set a trigger to run netstat -an upon a Chkrootkit alert as
>I have with port 145.
>If there is any other info I can provide please let me know, thanks for your hard work

Sincerely;
David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens@drs-sss.com
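
The report above points at the value 145 in the Recv-Q column while no socket uses port 145. As an added example (not part of the original message and not chkrootkit's own code), the script below runs two checks over the quoted netstat lines: a whole-line pattern match, whose regex is an assumption made for illustration, and a check restricted to the port suffix of the Local Address column. The function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the netstat -an lines quoted in the message above.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.10082 *.* LISTEN
udp4 0 0 127.0.0.1.4611 127.0.0.1.123
udp4 145 0 *.1368 *.*
udp4 0 0 127.0.0.1.53 *.*'

# Naive check (assumed pattern, not taken from chkrootkit): the port number
# anywhere on a tcp LISTEN or udp line, delimited by non-digits.
# $1 = port, $2 = netstat output. Returns 0 on a hit.
naive_match() {
    printf '%s\n' "$2" | grep -E '^tcp.*LISTEN|^udp' |
        grep -Eq "(^|[^0-9])$1([^0-9]|\$)"
}

# Column-aware check: compare only the port suffix of the Local Address
# field (4th column; BSD netstat writes address.port).
# $1 = port, $2 = netstat output. Returns 0 on a hit.
local_port_match() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^tcp.*LISTEN/ || /^udp/ {
            n = split($4, parts, ".")
            if (parts[n] == p) found = 1
        }
        END { exit !found }'
}

# Show both verdicts for the reported port and for a port really in use.
for port in 145 1368; do
    if naive_match "$port" "$SAMPLE"; then n=hit; else n=miss; fi
    if local_port_match "$port" "$SAMPLE"; then c=hit; else c=miss; fi
    echo "port $port: naive=$n column-aware=$c"
done
```

On a live host the second argument would be the output of `netstat -an`; the column position assumes the BSD layout shown in the message.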