From: Lowell Gilbert
To: Paul Schmehl
Cc: questions@freebsd.org
Subject: Re: chkrootkit
Date: 18 Oct 2005 09:19:03 -0400
Message-ID: <44mzl70xq0.fsf@be-well.ilk.org>
In-Reply-To: <9418EAA207FFABD51C8A52A1@utd59514.utdallas.edu>

Paul Schmehl writes:
> Out of curiosity more than anything else, I installed chkrootkit on a
> server I maintain and ran it. It returned this:
>
> Checking `bindshell'... INFECTED (PORTS: 465)
>
> I'm running smtps on that server, so this is apparently a false
> positive. Has anyone else seen this?

A *very* quick look at the source makes me think that the check isn't doing much more than checking for the port being open, in which case you're right. If you don't get a more knowledgeable answer from this mailing list, though, you should go to the chkrootkit folks.
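Lowell's point (the bindshell check amounts to a port-open test) suggests the triage step a defender would take: cross-check each flagged port against what is actually listening and who owns it. The following is an added example, not code from the thread or from chkrootkit; it parses a constructed chkrootkit report and constructed FreeBSD `sockstat -4 -l` output (column layout assumed) and labels each flagged port with the daemon behind it or UNEXPLAINED.

```python
import re

# Constructed sample modelled on the line quoted in the thread; the second
# port is made up to show a flag that no known service explains.
CHKROOTKIT_OUTPUT = """\
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS: 465 1524)
Checking `biff'... not found
"""

# Constructed sample of `sockstat -4 -l` on FreeBSD (column layout assumed):
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   512   4  tcp4   *:25                  *:*
root     sendmail   512   5  tcp4   *:465                 *:*
root     sshd       480   3  tcp4   *:22                  *:*
"""

# Port list assumed to be whitespace- or comma-separated after "PORTS:".
BINDSHELL_RE = re.compile(r"Checking `bindshell'\.\.\. INFECTED \(PORTS: ([\d\s,]+)\)")

def bindshell_ports(report: str) -> list[int]:
    """Return the ports chkrootkit's bindshell check flagged, in report order."""
    ports: list[int] = []
    for line in report.splitlines():
        m = BINDSHELL_RE.search(line)
        if m:
            ports.extend(int(p) for p in re.split(r"[\s,]+", m.group(1).strip()) if p)
    return ports

def listening_services(sockstat: str) -> dict[int, str]:
    """Map each listening TCP port to the owning command, pid and user."""
    services: dict[int, str] = {}
    for line in sockstat.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6 or not fields[4].startswith("tcp"):
            continue
        user, command, pid, _fd, _proto, local = fields[:6]
        port = local.rsplit(":", 1)[-1]
        if port.isdigit():
            services[int(port)] = f"{command}(pid {pid}, {user})"
    return services

def triage(report: str, sockstat: str) -> dict[int, str]:
    """Flagged port -> known listener description, or UNEXPLAINED if nothing owns it."""
    services = listening_services(sockstat)
    return {port: services.get(port, "UNEXPLAINED") for port in bindshell_ports(report)}

if __name__ == "__main__":
    for port, verdict in triage(CHKROOTKIT_OUTPUT, SOCKSTAT_OUTPUT).items():
        print(f"port {port}: {verdict}")
```

A port explained by a known daemon (here 465 owned by sendmail) matches the false-positive case in the thread; an UNEXPLAINED port is what still needs a look at the process and its binary.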