--On May 18, 2006 9:17:09 AM -0400 Morgan Walker <[EMAIL PROTECTED]> wrote:
Hey guys, Just new to this mailing list, hope you guys can help me out. I was testing out the chkrootkit package on one of my debian boxes. After running 'chkrootkit -q' I received the following output:
Use lsof and ps to find out who's running that proc and where from. If root isn't running it, then someone has a hacked binary that's trying to hide; if root is, and lsof indicates it's not /sbin/rpc.statd, then you're owned. It's kind of unusual for statd to show up on such a low port but not totally unheard of.
INFECTED (PORTS: 600)

I looked further into it and narrowed it down to this. 'netstat -naptu | grep 600' gave me the following output:

udp 0 0 0.0.0.0:600 0.0.0.0:* 2120/rpc.statd

I have searched around on other mailing lists and forums, but could never really get a definitive answer. Is this a common message for chkrootkit, should I be worried? Any help would be great, thanks in advance.

~Morgan

Morgan Walker
Systems Administrator/Engineer
M•CAM, Inc.
Omni Business Center
210 Ridge-McIntire Rd., Suite 300
Charlottesville, VA 22903
434.979.7240 x311
http://www.m-cam.com
--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting
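
The lsof/ps check suggested in the reply, written out as an added example that is not part of the original thread. The function names are hypothetical, the expected path /sbin/rpc.statd and the root owner come from the reply, and the live check assumes Linux /proc and root privileges.

```shell
#!/bin/sh
# Added example: triage of the UDP listener chkrootkit flagged on port 600.
EXPECTED_EXE="/sbin/rpc.statd"   # path named in the reply
# The reply expects root. rpc.statd can drop privileges to the owner of its
# state directory, so set this to the account your distribution uses.
EXPECTED_USER="${EXPECTED_USER:-root}"

# Extract the PID from a netstat -p line whose last field is "PID/program".
pid_from_netstat() {
    printf '%s\n' "$1" | awk '{ split($NF, a, "/"); print a[1] }'
}

# Apply the reply's two checks to the owning user and the executable path.
# The path comparison is exact, so "/sbin/rpc.statd (deleted)" (binary
# unlinked after start) is reported as a mismatch as well.
classify_listener() {
    user=$1
    exe=$2
    if [ "$user" != "$EXPECTED_USER" ]; then
        echo "owner-mismatch"
    elif [ "$exe" != "$EXPECTED_EXE" ]; then
        echo "binary-mismatch"
    else
        echo "expected"
    fi
}

# Live check: list every process holding UDP port $1 with owner and binary.
inspect_port() {
    port=$1
    for pid in $(lsof -nP -t -iUDP:"$port" 2>/dev/null); do
        user=$(ps -o user= -p "$pid" | tr -d ' ')
        exe=$(readlink "/proc/$pid/exe")   # resolved on-disk path of the image
        printf 'pid=%s user=%s exe=%s -> %s\n' \
            "$pid" "$user" "$exe" "$(classify_listener "$user" "$exe")"
    done
}

# Constructed sample: the netstat line quoted in the thread.
SAMPLE='udp 0 0 0.0.0.0:600 0.0.0.0:* 2120/rpc.statd'
```

Run `inspect_port 600` as root on the affected host; anything other than `expected` warrants comparing the binary against the package's known-good copy from trusted media.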