Skip site navigation (1)Skip section navigation (2) 
Date:      Wed, 21 Nov 2007 12:44:21 +0200
From:      Peter Pentchev <roam@ringlet.net>
To:        Nikolay Pavlov <qpadla@gmail.com>
Cc:        freebsd-security@freebsd.org, JP <johnpollock@bellsouth.net>
Subject:   Re: chkrootkit V. 0.47
Message-ID:  <20071121104421.GA1147@straylight.m.ringlet.net>
In-Reply-To: <200711201901.28546.qpadla@gmail.com>
References:  <200711200941.52719.johnpollock@bellsouth.net> <200711201901.28546.qpadla@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

--+QahgC5+KEYLbs62
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running freeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
[snip]
> > Checking `bindshell'... INFECTED (PORTS:  6667)
[snip]
> >
> > I do run an IRCd...
>=20
> Such tools is known to trigger false positives sometimes. I'd recommend t=
o=20
> play with some additional utilities like lsof. In case of bindshell try t=
o=20
> find processes that was executed from world writable directories such=20
> as /tmp. Try to shutdown httpd and other daemons and see if any of them=
=20
> still running.=20

The bindshell is most probably a false positive - chkrootkit just
checks if anything is listening on "unusual" ports.  Since 6667 is
one of the most often used well-known ports for IRC communication,
this is most probably a false positive.

G'luck,
Peter

--=20
Peter Pentchev	roam@ringlet.net    roam@cnsys.bg    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just fin=
ished reading.

--+QahgC5+KEYLbs62
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFHRAwF7Ri2jRYZRVMRAojrAJ9TqCwFI8sPVoUTcceKuYdU5F1pKwCfShHl
GFwdVNGsNiwtxra7dePjdeM=
=MkAs
-----END PGP SIGNATURE-----

--+QahgC5+KEYLbs62--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071121104421.GA1147>