chkrootkit output

[neoraver]

i scanned my new cpanel system w/ chkrootkit and it said &bindshell INFECTED port 465&

Now ive done some research and it said portsentry usually will trigger this. Well i havent setup port sentry. I checked /etc/passwd and nothing abnormal.

So does cpanel use this port for anything?

Thanks

[bmcpanel]

If you definitely do not have Portsentry or any other firewall, then you should be concerned.

[bmcpanel]

I put a few extra, known hacker ports in my /etc/portsentry/portsentry.conf file and ./chkrootkit then shows them as infected on the bindshell. Just to be sure, I deleted a couple of those ports in the /etc/portsentry/portsentry.conf file and restarted portsentry. I then ran chkrootkit again and it said those ports were NOT infected. Thus, it is true, Portsentry does trigger those warnings for bindshell.

[myros]

Anybody willing to post or email their conf for portsentry. Just wondering what other 'hacker' ports I should be blocking and in which section of the conf they should go.

Thanks

myros@neuralhq.com

Myros

[MikeF12]

I know this is an old topic but.......

From chkrootkit.org:

I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).



Mike