31337 - are you running portsentry on that machine? Quote from the www.chkrootkit.org site: I'm running PortSentry/klaxon. What's wrong with the bindshell test? If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).
----- Original Message -----
From: "Greg" <[EMAIL PROTECTED]>
To: <debian-security@lists.debian.org>
Sent: Tuesday, February 24, 2004 8:53 AM
Subject: chkrootkit - possible bad news

> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I am not sure how to interpret this. I have checked logs, as well as binary
> checks and everything "seems" fine. Can someone help me interpret the logs.
> I will attach them at the tail of the email in case they may be helpful.
>
> I don't know what my next step would be. If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW
>
> #################
> #chkrootkit
>
> alpha:~# chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not found
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `killall'... not found
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not found
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not found
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `write'... not infected
> Checking `aliens'...
> /dev/st- /dev/sto
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while... nothing found
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0 is not promisc
> Checking `wted'... nothing deleted
> Checking `z2'... nothing deleted
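The practical way to settle the question raised in this thread (PortSentry false positive or a real bind shell) is to look at which process actually owns each port in chkrootkit's bindshell list. The script below is an added example, not part of the original mail thread or of chkrootkit: it takes listening-socket lines in the layout printed by Linux `netstat -tlnp` (an assumption about the format: Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program name) and classifies each port from the chkrootkit FAQ list as closed, expected (owned by portsentry or klaxon) or worth investigating. The sample table embedded in `SAMPLE_NETSTAT` is constructed for the example; the process names and PIDs in it are invented.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check chkrootkit's bindshell
# port list against the machine's listening TCP sockets.

# The port list chkrootkit's bindshell test uses, as quoted from the
# chkrootkit FAQ in the reply above.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed sample in the layout of `netstat -tlnp` on Linux (assumption):
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
# The PIDs and program names here are invented for the example. The last
# line shows "-" in the PID/Program column, which netstat prints when it
# cannot determine the owner (typically because it was not run as root).
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 412/sshd
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 777/portsentry
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 777/portsentry
tcp 0 0 0.0.0.0:27374 0.0.0.0:* LISTEN -'

# classify_port PORT TABLE
# Prints "PORT STATUS OWNER" where STATUS is one of:
#   closed       nothing is listening on the port
#   expected     the listener is portsentry or klaxon (the FAQ's explanation)
#   investigate  something else (or an unknown owner) is bound to the port
classify_port() {
    port=$1
    table=$2
    # Take the last colon-separated component of the local address so that
    # both IPv4 ("0.0.0.0:31337") and IPv6 (":::31337") forms are handled.
    owner=$(printf '%s\n' "$table" | awk -v p="$port" '
        $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) { print $7; exit }
        }')
    if [ -z "$owner" ]; then
        printf '%s closed -\n' "$port"
        return 0
    fi
    case "$owner" in
        */portsentry|*/klaxon) printf '%s expected %s\n' "$port" "$owner" ;;
        *)                     printf '%s investigate %s\n' "$port" "$owner" ;;
    esac
}

# report TABLE: classify every port in the bindshell list.
report() {
    table=${1:-$SAMPLE_NETSTAT}
    for p in $BINDSHELL_PORTS; do
        classify_port "$p" "$table"
    done
}

# Stand-alone run against the constructed sample. On a real machine, as root:
#   report "$(netstat -tlnp 2>/dev/null)"
report "$SAMPLE_NETSTAT" | grep -v ' closed '
```

With the constructed sample, ports 1524 and 31337 (the two chkrootkit flagged in Greg's run) come back as `expected` because portsentry owns them, while 27374 comes back as `investigate` because the owner is unknown. Run it as root so netstat can fill in the PID/Program column; an `investigate` line with a real program name is the case where the chkrootkit warning deserves a closer look at the binary behind that PID.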