On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running FreeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
[snip]
> > Checking `bindshell'... INFECTED (PORTS: 6667)
[snip]
> >
> > I do run an IRCd...
>
> Such tools are known to trigger false positives sometimes. I'd recommend
> playing with some additional utilities like lsof. In case of bindshell, try to
> find processes that were executed from world-writable directories such
> as /tmp. Try to shut down httpd and other daemons and see if any of them
> are still running.

The bindshell is most probably a false positive - chkrootkit just checks
if anything is listening on "unusual" ports. Since 6667 is one of the
most often used well-known ports for IRC communication, this is most
probably a false positive.

G'luck,
Peter

--
Peter Pentchev [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
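
One way to confirm which process owns the port flagged in the thread is to map it to its listener and compare against the daemon you expect. This is an added example, not part of the original messages; the function names, the expected command name `ircd` and the sample lines (constructed in the column layout of FreeBSD `sockstat -4 -l`) are assumptions.

```shell
#!/bin/sh
# Constructed sample in the column layout of FreeBSD `sockstat -4 -l`
# (USER COMMAND PID FD PROTO LOCAL FOREIGN); not output from the poster's host.
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
ircd     ircd       812   6  tcp4   *:6667                *:*
root     sshd       640   3  tcp4   *:22                  *:*
www      sh         4021  4  tcp4   *:31337               *:*'

# port_owners PORT (hypothetical helper): read sockstat-style lines on stdin
# and print "user command pid" for every socket bound to local port PORT.
port_owners() {
    awk -v port="$1" 'NR > 1 {
        n = split($6, a, ":")        # local address is "addr:port"
        if (a[n] == port) print $1, $2, $3
    }'
}

# triage_bindshell PORT EXPECTED_CMD (hypothetical helper): classify a hit.
#   expected      -> only EXPECTED_CMD listens on PORT (likely false positive)
#   investigate   -> some other command holds the port
#   not-listening -> nothing is bound to the port right now
triage_bindshell() {
    owners=$(port_owners "$1")
    if [ -z "$owners" ]; then
        echo "not-listening"
    elif echo "$owners" | awk -v cmd="$2" '$2 != cmd { bad = 1 } END { exit bad + 0 }'; then
        echo "expected"
    else
        echo "investigate"
    fi
}

# On a live FreeBSD host: sockstat -4 -l | triage_bindshell 6667 ircd
echo "$SAMPLE" | triage_bindshell 6667 ircd
```

An "investigate" result is the cue to look at the owning PID with lsof, including where its executable was started from.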