Date: Fri, 29 Oct 2004 09:19:59 -0400
From: "hutchens" <david.hutchens@drs-sss.com>
To: <cordeiro@nic.br>
Cc: ports@FreeBSD.org
Subject: BindShell False Positives FBSD-4.10.p3
Message-ID: <D3E7D4B9902BD6119C3B0002B395D1AE02A5DE5F@voodoo.drs-sss.com>
Good Morning;

Running Chkrootkit 0.44 - FreeBSD 4.10-p3, Perl-5.8.4, Dual p3-650, 512MB ECC RAM.

Chkrootkit reporting Bindshell Infection on port 145. netstat -an indicates no connections using that port but is showing the value 145 in the Recv-Q:

    Proto Recv-Q Send-Q Local Address Foreign Address (state)
    tcp4 0 0 *.10082 *.* LISTEN
    udp4 0 0 127.0.0.1.4611 127.0.0.1.123
    udp4 145 0 *.1368 *.*
    udp4 0 0 127.0.0.1.53 *.*

I've obs this twice so far for the 145 value. I've also had Bindshell reports on port 114 and believe those to have been inaccurate as well (unable to detect any problems with other tools automatically launched upon the chkrootkit report - rkhunter/lsof and manual/scheduled scans with Kaspersky & Clam AV). At the time I was getting reports ref port 114 I had not looked at the Chkrootkit Code & therefore did not set a trigger to run netstat -an upon a Chkrootkit alert as I have with port 145.

If there is any other info I can provide please let me know, thanks for your hard work.

Sincerely;

David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens@drs-sss.com <mailto:david.hutchens@drs-sss.com>
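The false-positive mechanism the message describes, as an added example that is not part of the original post: a whole-line match against netstat output picks up "145" from the Recv-Q column of the *.1368 UDP socket, whereas a check that reads only the port component of the Local Address column does not. The netstat excerpt is constructed to mirror the one quoted above, and the naive check is an illustrative heuristic, not chkrootkit's own code.

```shell
#!/bin/sh
# Constructed netstat -an excerpt modelled on the one in the message above,
# not real output from any host. Column 2 is Recv-Q, column 4 the local address.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.10082 *.* LISTEN
udp4 0 0 127.0.0.1.4611 127.0.0.1.123
udp4 145 0 *.1368 *.*
udp4 0 0 127.0.0.1.53 *.*'

# Naive check: count lines in which the port number appears anywhere on the line.
# "145" matches the Recv-Q value of the *.1368 socket, so a scanner built on
# this kind of match would report a bound port 145 that does not exist.
naive_port_hits() {
    printf '%s\n' "$NETSTAT_SAMPLE" | grep -c "$1" || true
}

# Field-aware check: split the Local Address column on '.' and compare only its
# last component (the port). A TCP socket counts only when it is in LISTEN
# state; a UDP socket is always considered bound.
bound_port_hits() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v port="$1" '
        NR > 1 {
            n = split($4, a, ".")
            if (a[n] == port && ($1 ~ /^udp/ || $6 == "LISTEN"))
                hits++
        }
        END { print hits + 0 }'
}

# Demonstration: the naive check flags 145, the field-aware check does not;
# both agree on ports that really are bound (1368, 10082).
for p in 114 145 1368 10082; do
    printf 'port %-5s naive=%s bound=%s\n' "$p" \
        "$(naive_port_hits "$p")" "$(bound_port_hits "$p")"
done
```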