  1. #1
    Member
    Join Date
    May 2010
    Posts
    321

    RootKit Hunter Scan

    This auto-runs on the server, but one thing I'm unsure of is a port warning.

    Performing check for backdoor ports
    Checking for TCP port 1524 [ Not found ]
    Checking for TCP port 1984 [ WARNING ]
    Checking for UDP port 2001 [ Not found ]
    Checking for TCP port 2006 [ Not found ]
    Checking for TCP port 2128 [ Not found ]
    Checking for TCP port 6666 [ Not found ]
    Checking for TCP port 6667 [ Not found ]
    Checking for TCP port 6668 [ Not found ]
    Checking for TCP port 6669 [ Not found ]
    Checking for TCP port 7000 [ Not found ]
    Checking for TCP port 13000 [ Not found ]
    Checking for TCP port 14856 [ Not found ]
    Checking for TCP port 25000 [ Not found ]
    Checking for TCP port 29812 [ Not found ]
    Checking for TCP port 31337 [ Not found ]
    Checking for TCP port 33369 [ Not found ]
    Checking for TCP port 47107 [ Not found ]
    Checking for TCP port 47018 [ Not found ]
    Checking for TCP port 60922 [ Not found ]
    Checking for TCP port 62883 [ Not found ]
    Checking for TCP port 65535 [ Not found ]


    Now I ran:

    netstat -lnptu
    But it shows nothing. I also ran chkrootkit, and this reported fine also; the newest Clam, and that's fine too.

    I read up on this port and the only thing I can see in Google results is Big Brother... What's that?
    Last edited by GaryT; 12-10-2010 at 11:12 AM.

  2. #2
    Re: RootKit Hunter Scan

    I see it's part of the castcontrol system that I have installed.

  3. #3
    Member
    Join Date
    Sep 2004
    Location
    inside a catfish
    Posts
    963
    cPanel/Enkompass Access Level

    Root Administrator

    Re: RootKit Hunter Scan

    In addition to netstat, using lsof can help you identify what is listening on a particular port (the app, the owner, etc.).

    lsof -nP|grep TCP

    -P disables conversion of ports to names (based upon /etc/services)
    -n disables conversion of IP to hostname

    Using those lsof options will make TCP port numbers show up in the lsof listing and will _not_ resolve IP addresses to hostnames. It not only makes lsof display results faster, but it makes you able to easily tell what is listening on a particular TCP port.

    Mike

  4. #4
    Re: RootKit Hunter Scan

    Thanks Mike. So, for an example, if I wanted to stop that service on that port, what do you suggest I do?

    Thanks in advance and for your time taken.

  5. #5
    Re: RootKit Hunter Scan

    Gary,

    I'd issue a "kill <pid>" where <pid> is the second value in the lsof output. As an example...

    cpsrvd-ss 20795 root 3u IPv4 81400 TCP *:2082 (LISTEN)

    kill 20795

    Of course, if it is a legitimate service with its own start/stop scripts, I'd use those scripts to stop the service gracefully. If it's something you suspect is a malicious process, kill it directly.

    Mike

  6. #6
    Re: RootKit Hunter Scan

    We use Cast-Control for streaming. Now, the file that's using that port is ioncube-loaded sc_trans, so I cannot understand it due to the coded content.

    As a test I backed up the file, downloaded it from the author's website and replaced it, yet I get the same results, so I assume it's legitimate.

  7. #7
    Re: RootKit Hunter Scan

    Quote Originally Posted by GaryT
    We use Cast-Control for streaming. Now, the file that's using that port is ioncube-loaded sc_trans, so I cannot understand it due to the coded content.

    As a test I backed up the file, downloaded it from the author's website and replaced it, yet I get the same results, so I assume it's legitimate.
    Sounds like it is legit. As long as you are comfortable with the integrity of the author, I imagine the script is fine too. It's likely encoded to prevent its use/abuse by those people who don't pay for it.

    If you don't like the rootkit scan barking about that oddball port, there is probably some way to exempt that port from the rootkit test. The rootkit tester probably only sees it as a rootkit because of the port it is on, not because of what the actual app is doing.

    Mike
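An added triage helper (not from this thread, rkhunter or lsof) that takes rkhunter's backdoor-port lines, keeps only the ones marked WARNING, and looks each one up in an lsof -nP listing the way Mike describes, so the alert is tied to a process and owner rather than just a port number. Both listings are embedded as constructed samples; the sc_trans line, its PID and user are assumptions modelled on the thread, and the sshd line is made up.

```shell
#!/bin/sh
# Constructed sample of rkhunter "backdoor ports" output (not a live scan).
RKH_OUT='Checking for TCP port 1524 [ Not found ]
Checking for TCP port 1984 [ WARNING ]
Checking for UDP port 2001 [ Not found ]
Checking for TCP port 31337 [ Not found ]'

# Constructed sample in the shape of "lsof -nP | grep TCP". The cpsrvd-ss line
# is the one from the thread; sc_trans (PID/user assumed) and sshd are made up.
LSOF_OUT='cpsrvd-ss 20795 root 3u IPv4 81400 TCP *:2082 (LISTEN)
sc_trans 21044 cast 5u IPv4 82110 TCP *:1984 (LISTEN)
sshd 1010 root 3u IPv4 9122 TCP *:22 (LISTEN)'

# Print "PROTO PORT" for every rkhunter port line marked [ WARNING ].
warned_ports() {
    printf '%s\n' "$RKH_OUT" | awk '/\[ WARNING \]/ { print $3, $5 }'
}

# Print "COMMAND PID USER" of the listener on PROTO PORT, or "none" when
# nothing in the lsof listing is listening there (rkhunter matches on the
# port number alone, so this is the step that says what is actually behind it).
listener_for() {
    proto=$1; port=$2
    printf '%s\n' "$LSOF_OUT" | awk -v proto="$proto" -v port="$port" '
        $7 == proto && $8 ~ (":" port "$") && $9 == "(LISTEN)" {
            print $1, $2, $3; found = 1
        }
        END { if (!found) print "none" }'
}

# Join the two: one line per warned port, with the process that owns it.
triage() {
    warned_ports | while read -r proto port; do
        printf '%s %s -> %s\n' "$proto" "$port" "$(listener_for "$proto" "$port")"
    done
}

triage
```

Once the listener is confirmed legitimate, the matching rkhunter.conf setting to check for is PORT_WHITELIST (entries of the form TCP:1984, protocol in upper case), which is what Mike's "exempt that port" suggestion maps to.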
