Date: Wed, 21 Nov 2007 12:44:21 +0200
From: Peter Pentchev <roam@ringlet.net>
To: Nikolay Pavlov <qpadla@gmail.com>
Cc: freebsd-security@freebsd.org, JP <johnpollock@bellsouth.net>
Subject: Re: chkrootkit V. 0.47
Message-ID: <20071121104421.GA1147@straylight.m.ringlet.net>
In-Reply-To: <200711201901.28546.qpadla@gmail.com>
References: <200711200941.52719.johnpollock@bellsouth.net> <200711201901.28546.qpadla@gmail.com>
On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running FreeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
[snip]
> > Checking `bindshell'... INFECTED (PORTS: 6667)
[snip]
> >
> > I do run an IRCd...
>
> Such tools are known to trigger false positives sometimes. I'd recommend to
> play with some additional utilities like lsof. In case of bindshell try to
> find processes that were executed from world writable directories such
> as /tmp. Try to shutdown httpd and other daemons and see if any of them are
> still running.

The bindshell is most probably a false positive - chkrootkit just checks if anything is listening on "unusual" ports. Since 6667 is one of the most often used well-known ports for IRC communication, this is most probably a false positive.

G'luck,
Peter

--
Peter Pentchev    roam@ringlet.net    roam@cnsys.bg    roam@FreeBSD.org
PGP key:          http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint   FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
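The triage both posters describe (take the port chkrootkit flagged, find the listener that owns it, and check whether it is a service you knowingly run or something started from a world-writable directory like /tmp) is shown below as an added example that is not part of the thread or of chkrootkit itself. The `sockstat -4l` output, the pid-to-executable map (what `procstat -b` would report) and the declared-services table are all constructed for the example.

```python
import re

# Constructed sample of `sockstat -4l` output (FreeBSD); not captured from a real host.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       601   4  tcp4   *:22                  *:*
ircd     ngircd     812   5  tcp4   *:6667                *:*
nobody   perl       999   3  tcp4   *:6667                *:*
"""

# Constructed pid -> executable path map (on a real box, from `procstat -b <pid>`).
EXE_PATHS = {601: "/usr/sbin/sshd", 812: "/usr/local/sbin/ngircd", 999: "/tmp/.x/perl"}

# Services the admin knowingly runs on ports chkrootkit treats as "unusual" (an IRCd, as in the thread).
DECLARED_SERVICES = {6667: "ngircd"}

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def flagged_ports(chkrootkit_line):
    """Extract the port numbers from a chkrootkit bindshell verdict line."""
    m = re.search(r"INFECTED \(PORTS:\s*([\d\s]+)\)", chkrootkit_line)
    return {int(p) for p in m.group(1).split()} if m else set()

def parse_sockstat(text):
    """Yield (user, command, pid, local port) for each listening TCP socket line."""
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) >= 7 and f[4].startswith("tcp"):
            yield f[0], f[1], int(f[2]), int(f[5].rsplit(":", 1)[1])

def triage(chkrootkit_line, sockstat_text, exe_paths):
    """Classify every listener on a flagged port: declared service, or suspicious."""
    ports = flagged_ports(chkrootkit_line)
    verdicts = {}
    for user, cmd, pid, port in parse_sockstat(sockstat_text):
        if port not in ports:
            continue
        path = exe_paths.get(pid, "?")
        if path.startswith(WORLD_WRITABLE_DIRS):
            verdicts[pid] = "suspicious: %s (%s) on %d runs from %s" % (cmd, user, port, path)
        elif DECLARED_SERVICES.get(port) == cmd:
            verdicts[pid] = "false positive: declared %s on %d" % (cmd, port)
        else:
            verdicts[pid] = "unknown: %s (%s) on %d, binary %s" % (cmd, user, port, path)
    return verdicts

if __name__ == "__main__":
    for pid, v in triage("Checking `bindshell'... INFECTED (PORTS: 6667)", SOCKSTAT_SAMPLE, EXE_PATHS).items():
        print(pid, v)
```

The declared IRCd on 6667 comes back as a false positive, while the second listener on the same port, started from /tmp, is the one worth following up with lsof or procstat.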