From: Peter Pentchev
To: Nikolay Pavlov
Cc: freebsd-security@freebsd.org, JP
Date: Wed, 21 Nov 2007 12:44:21 +0200
Subject: Re: chkrootkit V. 0.47
Message-ID: <20071121104421.GA1147@straylight.m.ringlet.net>
In-Reply-To: <200711201901.28546.qpadla@gmail.com>

On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running FreeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
[snip]
> > Checking `bindshell'... INFECTED (PORTS: 6667)
[snip]
> >
> > I do run an IRCd...
>
> Such tools are known to trigger false positives sometimes. I'd recommend to
> play with some additional utilities like lsof. In case of bindshell try to
> find processes that were executed from world-writable directories such
> as /tmp. Try to shut down httpd and other daemons and see if any of them
> are still running.

The bindshell is most probably a false positive - chkrootkit just checks
if anything is listening on "unusual" ports. Since 6667 is one of the
most often used well-known ports for IRC communication, this is most
probably a false positive.

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net    roam@cnsys.bg    roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
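A small triage script for the advice in this thread (find out which daemon actually owns the port chkrootkit flagged, and whether any listener was started from a world-writable directory such as /tmp), added here as an example and not part of the original messages. It assumes `sockstat -4l` and `procstat -b` output captured on the host (procstat is a later FreeBSD tool than the 6.1 in the thread); the sample output and the port-to-daemon allowlist below are constructed.

```python
"""Triage a chkrootkit 'bindshell' hit: is the flagged port held by the
daemon we expect, and does any listener run from a world-writable dir?"""

# Assumed per-host allowlist: port -> command name expected to own it.
EXPECTED = {22: "sshd", 6667: "ircd"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/")

# Constructed `sockstat -4l` output (not from the thread).
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
ircd     ircd       1203  6  tcp4   *:6667                *:*
nobody   httpd      1410  7  tcp4   *:8888                *:*
"""
# Constructed `procstat -b` output: PID COMM PATH.
PROCSTAT = """\
  PID COMM             PATH
  612 sshd             /usr/sbin/sshd
 1203 ircd             /usr/local/sbin/ircd
 1410 httpd            /tmp/.x/httpd
"""

def parse_sockstat(text):
    """Return [(pid, command, local port)] for each listening socket."""
    out = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) >= 6 and ":" in f[5]:
            out.append((int(f[2]), f[1], int(f[5].rsplit(":", 1)[1])))
    return out

def parse_procstat(text):
    """Return {pid: executable path}."""
    paths = {}
    for line in text.splitlines()[1:]:
        f = line.split(None, 2)
        if len(f) == 3:
            paths[int(f[0])] = f[2].strip()
    return paths

def triage(flagged_ports, sockstat_text, procstat_text):
    """Map port -> (pid, cmd, path, verdict). Verdicts: 'world-writable'
    (binary under /tmp etc.), 'expected'/'unexpected' for flagged ports
    depending on whether the allowlisted daemon owns them, else 'other'."""
    paths = parse_procstat(procstat_text)
    report = {}
    for pid, cmd, port in parse_sockstat(sockstat_text):
        path = paths.get(pid, "")
        if path.startswith(WORLD_WRITABLE):
            verdict = "world-writable"
        elif port in flagged_ports:
            verdict = "expected" if EXPECTED.get(port) == cmd else "unexpected"
        else:
            verdict = "other"
        report[port] = (pid, cmd, path, verdict)
    return report
```

With the sample data, port 6667 is reported as expected (ircd owns it), while the listener started from /tmp is the one worth a closer look.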