From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 10:14:55 2003
From: "Mike Loiterman" <mike@ascendency.net>
To: freebsd-security@freebsd.org
Date: Fri, 28 Mar 2003 04:41:32 -0600
Message-ID: <020301c2f516$9ab16d80$0301a8c0@mike>
Subject: Bindshell rootkit
List-Id: Security issues [members-only posting]
X-Mailman-Approved-At: Sun, 30 Mar 2003 10:56:26 -0800

I was just running chkrootkit on my system and it is reporting bindshell as infected on port 114.

Other than that message, my system is clean. Tripwire doesn't detect any changes and nothing else (daily run or security report) gave any unusual errors.

The chkrootkit README says that running PORTSENTRY or klaxon will give a false positive, but I'm running neither. I suspect something else (legitimate) is running.

How can I determine for sure? Is my system really compromised?

- ------------------------------
Mike Loiterman
grantADLER Medical Corporation
Ph: 630-302-4944
Fax: 773-868-0071
PGP Key 0xD1B9D18E
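The usual way to answer the question in the message above is to ask the kernel which process owns the listening socket rather than trusting the port number alone: chkrootkit's bindshell test greps the netstat listing for a fixed list of ports that known bindshells have used, so any legitimate daemon bound to one of those ports trips it. On a FreeBSD host one would run `sockstat -4 -l` (or `fstat`/`lsof`) and look for `:114`. The script below is an added example, not part of the original message or of chkrootkit; it runs that same lookup over a constructed `sockstat -4 -l`-style listing embedded inline (the processes and PIDs in it are made up) so it works offline. Pass a real listing as the second argument to use it on a live system.

```shell
#!/bin/sh
# Added example: map a listening TCP port to the process that owns it,
# using the column layout of FreeBSD's `sockstat -4 -l`.
#
# Constructed sample data shaped like `sockstat -4 -l`; NOT output from the
# poster's host. An inetd listener on 114 stands in for the "legitimate
# something" the poster suspects.
sample_sockstat='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123   3  tcp4   *:22                  *:*
root     sendmail   456   4  tcp4   127.0.0.1:25          *:*
root     inetd      789   5  tcp4   *:114                 *:*
www      httpd      1011  16 tcp4   *:80                  *:*'

# owner_of_port PORT [LISTING]
# Prints "COMMAND PID" for every TCP listener bound to PORT (any local
# address), or nothing if no visible process owns that port.
# LISTING defaults to the constructed sample; on a live FreeBSD box pass
# "$(sockstat -4 -l)".
owner_of_port() {
    port="$1"
    listing="${2:-$sample_sockstat}"
    printf '%s\n' "$listing" | awk -v p="$port" '
        # skip the header; keep tcp4/tcp6 rows only
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")      # LOCAL ADDRESS is addr:port
            if (a[n] == p) print $2, $3
        }'
}

# verdict PORT [LISTING]
# Turns the lookup into the check a responder wants: a named owner means
# "identify that daemon"; a port that netstat/chkrootkit reports but no
# process claims is the case that warrants a deeper look.
verdict() {
    owner=$(owner_of_port "$1" "$2")
    if [ -n "$owner" ]; then
        echo "port $1 is held by: $owner"
    else
        echo "port $1: no visible owning process"
    fi
}

# Stand-alone run against the constructed listing.
verdict 114
verdict 31337
```

If the owner turns out to be inetd, the next step is `grep -w 114 /etc/inetd.conf` and `grep -w 114 /etc/services` to see which service is configured there; if no process claims a port that `netstat -an` shows as LISTEN, treat the discrepancy itself as the finding and verify from trusted media rather than from tools on the suspect host.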