I have just run chkrootkit on my server and have the following two
suspicious entries..

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

and further down..

Checking `bindshell'... INFECTED (PORTS: 465)

Anyone have any advice for getting rid of it??

Later..

  • Ralph Angenendt at Jan 11, 2005 at 10:58 am

    WipeOut wrote:
    I have just run chkrootkit on my server and have the following two
    suspicious entries..

    Searching for suspicious files and dirs, it may take a while...
    /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
    There should be only a list of perl packages in that file. You can check
    it very easily.
    and further down..

    Checking `bindshell'... INFECTED (PORTS: 465)

    Anyone have any advice for getting rid of it??
    Find out which program listens on that port - and if you need it. 465
    is smtps (SMTP over SSL).

    You can do so with netstat, lsof or fuser.

    chkrootkit can only give you hints - you have to look for yourself, if
    it is assuming correctly or fooling you.

    Ralph
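The check Ralph describes, as an added example rather than anything posted in the thread: it reads /proc/net/tcp directly (so it does not depend on netstat, lsof or fuser, which a real rootkit may have replaced), maps the listening socket to its process and executable, asks rpm which package owns that executable on the CentOS box, and flags .packlist lines that are not file paths. The /proc/net/tcp excerpt at the bottom is constructed for a dry run; inode 12345 and the PIDs are not real.

```shell
#!/bin/sh
# Added triage helper for the two chkrootkit findings above (example code, not
# from the thread). Socket lookups go through /proc instead of netstat/lsof/fuser;
# package-owner checks use rpm because the server is CentOS.

# Decimal port -> 4-digit upper-case hex as shown in /proc/net/tcp (465 -> 01D1).
port_to_hex() { printf '%04X' "$1"; }

# Print the socket inode of every LISTEN (state 0A) socket bound to port $1.
# $2 optionally points at a /proc/net/tcp-style file (used for the sample below).
listening_inodes() {
    awk -v p="$(port_to_hex "$1")" \
        'NR > 1 && $4 == "0A" { split($2, a, ":"); if (a[2] == p) print $10 }' \
        "${2:-/proc/net/tcp}"
}

# Map a socket inode to the PID(s) holding it by scanning /proc/*/fd.
inode_to_pids() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] && echo "$fd" | cut -d/ -f3
    done | sort -u
}

# For each process listening on port $1: show its executable, which package owns
# it (none => investigate), and any rpm -V differences from the package database.
triage_port() {
    for ino in $(listening_inodes "$1"); do
        for pid in $(inode_to_pids "$ino"); do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null)
            echo "port $1: pid $pid exe ${exe:-unknown}"
            if pkg=$(rpm -qf "$exe" 2>/dev/null); then rpm -V "$pkg"; else echo "  not owned by any package"; fi
        done
    done
}

# .packlist lines are installed-file paths (optionally followed by key=value attrs):
# print any line whose first field is not an absolute path, i.e. does not belong.
packlist_oddities() { awk '$1 !~ "^/"' "$1"; }

# Constructed /proc/net/tcp excerpt for a dry run (not real data): a LISTEN socket
# on 0.0.0.0:465 (inode 12345), an established connection on 465, a LISTEN on 25.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01D1 00000000:00000000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 0100007F:01D1 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 20 4 0 10 -1
   2: 00000000:0019 00000000:00000000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0 100 0 0 10 0
EOF
}
```

Run `triage_port 465` as root on the live system; a listener whose executable is not owned by any package, or whose package fails `rpm -V`, is what to look at next.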
  • WipeOut at Jan 11, 2005 at 11:00 am

    Thanks Ralph..

    I am looking into it now..
  • Beau Henderson at Jan 11, 2005 at 1:52 pm
    chkrootkit gives out false positives all the time. It's not always
    accurate but a good tool to keep in the tool box nonetheless. Have
    you tried rkhunter? ( http://www.rkhunter.org ). Perhaps even
    installing tripwire, AIDE or samhain (
    http://la-samhna.de/samhain/index.html ) may be in order?

    --
    Beau Henderson
    http://www.iminteractive.net

    _______________________________________________
    CentOS mailing list
    CentOS@caosity.org
    http://lists.caosity.org/mailman/listinfo/centos
  • WipeOut at Jan 11, 2005 at 2:18 pm

    Will check those out..

    Thanks..
  • Ho Chaw Ming at Jan 11, 2005 at 1:56 pm
    Are you running PortSentry? If you are, that may give you a false positive
    on Port 465.

    -----Original Message-----
    From: centos-bounces@caosity.org On
    Behalf Of WipeOut
    Sent: 11 January 2005 18:19
    To: CentOS discussion and information list
    Subject: [Centos] Think someone has got into my server...
