  1. #1
    Member
    Join Date
    Jul 2002
    Posts
    5

    chkrootkit output

    I scanned my new cPanel system with chkrootkit and it said "bindshell INFECTED port 465".

    Now I've done some research and it said portsentry usually will trigger this. Well, I haven't set up portsentry. I checked /etc/passwd and nothing abnormal.

    So does cPanel use this port for anything?

    Thanks

  2. #2
    Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546


    If you definitely do not have Portsentry or any other firewall, then you should be concerned.

  3. #3
    Member bmcpanel's Avatar
    Join Date
    Jun 2002
    Posts
    546


    I put a few extra, known hacker ports in my /etc/portsentry/portsentry.conf file and ./chkrootkit then shows them as infected on the bindshell. Just to be sure, I deleted a couple of those ports in the /etc/portsentry/portsentry.conf file and restarted portsentry. I then ran chkrootkit again and it said those ports were NOT infected. Thus, it is true, Portsentry does trigger those warnings for bindshell.

  4. #4
    Member
    Join Date
    Dec 2001
    Posts
    42


    Anybody willing to post or email their conf for portsentry? Just wondering what other 'hacker' ports I should be blocking and in which section of the conf they should go.

    Thanks

    myros@neuralhq.com

    Myros
    http://www.neuralhq.com

  5. #5
    Member
    Join Date
    Dec 2002
    Posts
    12


    I know this is an old topic but.......

    From chkrootkit.org:

    I'm running PortSentry/klaxon. What's wrong with the bindshell test?
    If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).



    Mike
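
Added example, not part of any post in this thread: a way to tell a PortSentry-style false positive from something else by listing which of the bindshell-test ports are actually in LISTEN state and which process owns each socket. The function names, the `--live` switch and the sample table are assumptions made for this illustration; the port list is the one quoted from chkrootkit.org above.

```shell
#!/bin/sh
# Port list copied from the chkrootkit.org FAQ text quoted in post #5.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Reads /proc/net/tcp-format text on stdin; prints "port inode" for each socket
# in LISTEN state (st field 0A) whose local port is in BINDSHELL_PORTS.
flagged_listeners() {
    while read -r _sl local _rem st _txrx _tr _retr _uid _timeout inode _rest; do
        [ "$st" = "0A" ] || continue     # skips the header and non-listening sockets
        hex=${local##*:}                 # port is the hex field after the last ':'
        port=$((0x$hex))
        case " $BINDSHELL_PORTS " in
            *" $port "*) echo "$port $inode" ;;
        esac
    done
}

# Prints "pid exe" for every process holding socket inode $1 open.
# Run as root, otherwise other users' /proc/PID/fd entries are unreadable.
socket_owner() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null)"
    done
}

# Constructed sample (not from a real host): listeners on 22, 465 and 31337,
# plus an ESTABLISHED (st 01) connection on 1524 that must not be reported.
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20000 1 0000000000000000 100 0 0 10 0
   1: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
   2: 0100007F:05F4 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 20002 1 0000000000000000 20 4 30 10 -1
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20003 1 0000000000000000 100 0 0 10 0
EOF
}

# Default: parse the constructed sample. With --live: inspect this host.
if [ "${1:-}" = "--live" ]; then
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | flagged_listeners |
    while read -r port inode; do
        echo "port $port: $(socket_owner "$inode" | tr '\n' ' ')"
    done
else
    sample_table | flagged_listeners
fi
```

If the owner of a flagged port is the portsentry binary, the result matches the false positive described in posts #3 and #5; any other owner is the process to examine.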
