Hi! I'm running chkrootkit on my workstation, just for testing. After the last reboot it found:

    Checking `bindshell'... INFECTED (PORTS: 600)

Slightly shocking on a workstation without direct Internet connectivity. Doing an "lsof -i :600" showed rpc.statd using this port. Huh? Why a low port? On Solaris, rpc.statd runs on an ancillary port (> 32767).

Browsing through the source of rpc.statd, I found this:

    if (bindresvport (sock, &addr))

It's called if rpc.statd has not been assigned a port to operate on (option -p or --port).

On the security-audit mailing list, Olaf Kirch said:

> I don't recall whether lockd wants that call to originate from a privileged port.

I can't find anything like that in the sources. Since I have no code that locks a file on an NFS-mounted filesystem, I can't verify this (run rpc.statd -p $unpriv_port, try locking). And since requiring a low port would break locking between a Solaris and a Linux box, I doubt this would be a good idea.

Opinions? Comments?

Thanks,
Lupe Christoph
-- 
| [EMAIL PROTECTED] | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |
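The triage step described in the post (chkrootkit flags a low port, `lsof` shows which daemon owns it) can be scripted from /proc so the check is repeatable. This is an added example, not code from the post or from chkrootkit; the /proc/net/tcp lines and the inode-to-process map are constructed sample data, and the 512-1023 range is the one bindresvport(3) allocates from.

```python
"""Triage a chkrootkit "bindshell" hit: which process owns the listener?

Parses /proc/net/tcp-style lines (hex local address:port, state 0A = LISTEN)
and maps the socket inode to its owning process, then notes whether the port
lies in the reserved range that bindresvport(3) hands out (512-1023).
"""

BINDRESVPORT_RANGE = range(512, 1024)   # ports bindresvport(3) picks from

# Constructed sample of /proc/net/tcp: port 0x0258 (600) and 0x006F (111)
# are listening (st 0A); the third entry is an established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0258 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C4A0 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

# Constructed inode -> (pid, comm) map, as built by walking /proc/<pid>/fd
# for "socket:[inode]" links on a live system.
SAMPLE_INODE_OWNERS = {12345: (811, "rpc.statd"), 12346: (790, "portmap")}


def parse_listeners(proc_net_tcp):
    """Return {port: inode} for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        port = int(fields[1].split(":")[1], 16)     # port is hex in /proc
        listeners[port] = int(fields[9])            # column 9 is the inode
    return listeners


def triage_port(port, proc_net_tcp=SAMPLE_PROC_NET_TCP,
                inode_owners=SAMPLE_INODE_OWNERS):
    """Explain a flagged port: owner (if resolvable) and reserved-range status."""
    listeners = parse_listeners(proc_net_tcp)
    result = {"port": port, "listening": port in listeners,
              "reserved_range": port in BINDRESVPORT_RANGE,
              "pid": None, "owner": None}
    if result["listening"]:
        pid, comm = inode_owners.get(listeners[port], (None, None))
        result["pid"], result["owner"] = pid, comm
    return result


if __name__ == "__main__":
    print(triage_port(600))   # the port chkrootkit reported in the post
```

A listener whose inode resolves to a known daemon inside the 512-1023 range is consistent with a plain bindresvport() allocation; an unresolvable owner on such a port is what still deserves a closer look.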