Hello,

As of this morning two of my machines - which are regularly contacted through ssh from each other - showed this message upon 'chkrootkit':

> Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
> Checking 'lkm'... You have 4 processes hidden for ps command

The latter happened to me before and I had gotten info on how this check doesn't work from this newsgroup ... but the former never showed up before.

'nmap' to those ports gives me:

> PORT      STATE    SERVICE
> 1524/tcp  filtered ingreslock
> 31337/tcp filtered Elite

Checksecurity reports this:

> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Feb  2 06:33:11 server_name su[16863]: + ??? root:nobody

'tiger' also reports - while performing the signature check of system binaries - that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write and /usr/bin/inetd do not match. This cannot be confirmed by aide (CD-burned database, unsafe binary) or debsums (unsafe binary).

Am I hacked? What else can I do to investigate the situation further?

Thanks,
Joh
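The post above asks what else can be checked. The script below is an added example and is not code from the poster or from chkrootkit/tiger; it shows the three cross-checks those tools boil down to, in a form that can be run with independently obtained data: PIDs present in /proc that ps does not list (the 'lkm' test), LISTEN sockets on the two ports the 'bindshell' test flagged, and a hash comparison of binaries against a reference list (what tiger and debsums do). All input below is constructed sample data so it runs offline; the comments give the live command each sample stands in for. It assumes the `netstat -ant` column layout for the listener check, and that the hash list and the md5sum binary come from trusted media, since on a compromised host both ps and netstat can be lying, which is exactly why the poster's remote nmap result matters (note that nmap's "filtered" means a probe was dropped, not that the port is open).

```shell
#!/bin/sh
# Added example, not from the original post: cross-checks for a box where
# chkrootkit reports 'bindshell' and hidden processes. Sample data is
# constructed; comments name the live command it replaces.

# hidden_pids "PROC_PIDS" "PS_PIDS": PIDs found under /proc that ps does not
# report. Live input:
#   hidden_pids "$(ls /proc | grep -E '^[0-9]+$')" "$(ps -eo pid=)"
# Short-lived processes (the ls itself) show up once; repeat the run and keep
# only PIDs that persist.
hidden_pids() {
    proc_list=$1
    ps_list=$(printf '%s' "$2" | tr '\n' ' ')
    for pid in $proc_list; do
        case " $ps_list " in
            *" $pid "*) ;;                  # ps knows about it
            *) printf '%s\n' "$pid" ;;      # present in /proc only
        esac
    done
}

# flagged_listeners "NETSTAT_OUTPUT": local ports in LISTEN state that match
# the two ports from the chkrootkit 'bindshell' report.
# Live input: flagged_listeners "$(netstat -ant)"
flagged_listeners() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # strip addr, keep port
            if (port == "1524" || port == "31337") print port
        }'
}

# verify_sums REFLIST: compare files against a "hash  path" list (md5sum -c
# format, as debsums uses from /var/lib/dpkg/info/*.md5sums). Prints the
# paths whose content no longer matches the list.
verify_sums() {
    md5sum -c "$1" 2>/dev/null | sed -n 's/: FAILED.*$//p'
}

# --- constructed sample data --------------------------------------------
proc_snapshot="1 2 417 2048"          # stands in for: ls /proc | grep ...
ps_snapshot="1
2
417"                                  # stands in for: ps -eo pid=
netstat_sample='Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:31337   0.0.0.0:*       LISTEN
tcp        0      0 10.0.0.5:22     10.0.0.9:40112  ESTABLISHED'

demo_hidden=$(hidden_pids "$proc_snapshot" "$ps_snapshot")
demo_ports=$(flagged_listeners "$netstat_sample")

# Reference list built in a scratch directory; one file is then altered to
# stand in for a replaced /bin/ping.
scratch=$(mktemp -d)
printf 'original ping\n'  > "$scratch/ping"
printf 'original chage\n' > "$scratch/chage"
md5sum "$scratch/ping" "$scratch/chage" > "$scratch/reference.md5"
printf 'trojaned ping\n'  > "$scratch/ping"
demo_sums=$(verify_sums "$scratch/reference.md5")

printf 'PIDs in /proc but not in ps:  %s\n' "$demo_hidden"
printf 'flagged listening ports:      %s\n' "$demo_ports"
printf 'files failing hash check:     %s\n' "$demo_sums"
rm -rf "$scratch"
```

On a host that is actually suspected to be rooted, run these from a boot CD or with statically linked binaries copied from clean media, and compare the listener check with a port scan from a second machine; a LISTEN socket that the local netstat never shows but that answers remotely is the pattern a kernel-level rootkit produces.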