
chkroot output

Discussion in 'General Discussion' started by shizzle, Nov 15, 2004.

  1. shizzle

    shizzle Member

    Joined:
    Sep 26, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Hi,
    I have recently installed APF and done all the security stuff...

    Now when I run chkroot I get some lines that I don't understand:

    Checking `bindshell'... INFECTED (PORTS: 465)
    Checking `sniffer'... /proc/27122/fd: No such file or directory
    /proc/28343/fd: No such file or directory
    eth0: not promisc and no PF_PACKET sockets
    eth0:1: not promisc and no PF_PACKET sockets
    eth0:2: not promisc and no PF_PACKET sockets
    eth0:3: not promisc and no PF_PACKET sockets
    eth0:4: not promisc and no PF_PACKET sockets

    Is there anything wrong? :eek:

    please help

    Thanks

    Mike
     
  2. CoreOperations

    Joined:
    Sep 20, 2003
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Hiyas,

    I wouldn't sweat about the "Bindshell" ... that's a false positive, I have had it on *every* single server I have ever had .... and after doing a lot of research found out it wasn't anything to really worry about, it comes from one of the utilities that WHM/cPanel installs.

    As for the eth issues, that's another non-issue, your server won't suddenly keel over and die because of it, so don't worry about it ... everything's fine :)
     
  3. shizzle

    shizzle Member

    Joined:
    Sep 26, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Thanks a lot! :)
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Yep, should be fine.

    The port 465 issue is actually SMTP over SSL (ssmtp) and a valid service which is coming up as a false-positive.
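Rather than taking the "false positive" on trust, a defender can confirm it by resolving the flagged port to the process that owns the listening socket. chkrootkit's bindshell test only connects to a list of ports; it does not look at who is listening. The script below is an added example (not code from this thread, from chkrootkit or from cPanel): it parses /proc/net/tcp for LISTEN sockets, maps socket inodes to PIDs through /proc/<pid>/fd, and compares the owner's command name against an allowlist you supply (the allowlist containing "exim", cPanel's MTA, is an assumption for this example; adjust it to whatever serves SMTPS on your box). It must run as root to read other processes' fd directories. The same /proc walk also shows why the "/proc/NNNN/fd: No such file or directory" lines appear: a process that exits while the scan is walking /proc leaves a dangling entry, which the script skips instead of printing an error. The sample /proc/net/tcp content and the inode/PID table are constructed test data.

```python
"""Resolve a port that chkrootkit flags as `bindshell' to its owning process.

Added example, not part of the original thread. Assumes a Linux /proc layout:
/proc/net/tcp, /proc/<pid>/fd/<n> -> socket:[inode], /proc/<pid>/comm.
"""
import os
import re
from typing import Callable, Dict, List, Optional, Tuple

TCP_LISTEN = "0A"  # socket state column value for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: a LISTEN socket on 0x01D1 (465),
# a LISTEN socket on 0x0019 (25) and one ESTABLISHED connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0A000001:D3C9 5E1F2A0B:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> pid table and pid -> comm table, as a real /proc walk would yield.
SAMPLE_INODE_TO_PID = {12345: 4242, 23456: 4242}
SAMPLE_COMMS = {4242: "exim"}
EXPECTED_SMTPS_DAEMONS = {"exim"}  # assumption: cPanel's MTA; edit for your server


def parse_proc_net_tcp(text: str) -> List[Tuple[int, int]]:
    """Return (local_port, inode) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if state != TCP_LISTEN:
            continue
        port = int(local_addr.split(":")[1], 16)  # hex port after the colon
        listeners.append((port, int(inode)))
    return listeners


def scan_fd_inodes(proc_root: str = "/proc") -> Dict[int, int]:
    """Map socket inode -> pid by reading every /proc/<pid>/fd symlink.

    Processes may exit mid-walk; their fd directory vanishes, which is the
    race behind chkrootkit's `/proc/NNNN/fd: No such file or directory' lines.
    Those entries are skipped here rather than reported.
    """
    inode_to_pid: Dict[int, int] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process gone, or not root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                inode_to_pid[int(m.group(1))] = int(entry)
    return inode_to_pid


def comm_of(pid: int, proc_root: str = "/proc") -> str:
    """Command name of a pid from /proc/<pid>/comm, or '?' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return "?"


def triage_port(port: int, listeners: List[Tuple[int, int]],
                inode_to_pid: Dict[int, int], comm_lookup: Callable[[int], str],
                expected: set) -> Dict[str, object]:
    """Classify a flagged port: no-listener, expected-service or unknown-listener."""
    pid: Optional[int] = None
    for p, inode in listeners:
        if p == port:
            pid = inode_to_pid.get(inode)
            break
    if pid is None:
        return {"port": port, "pid": None, "comm": None, "verdict": "no-listener"}
    comm = comm_lookup(pid)
    verdict = "expected-service" if comm in expected else "unknown-listener"
    return {"port": port, "pid": pid, "comm": comm, "verdict": verdict}


if __name__ == "__main__":
    # Live run against this host (needs root to see other processes' sockets).
    with open("/proc/net/tcp") as f:
        live = parse_proc_net_tcp(f.read())
    print(triage_port(465, live, scan_fd_inodes(), comm_of, EXPECTED_SMTPS_DAEMONS))
```

A verdict of "expected-service" with the MTA's name is the evidence chirpy's explanation predicts; "unknown-listener" means something other than your mail daemon owns port 465 and deserves a look at the binary path behind /proc/<pid>/exe. Note that /proc/net/tcp covers IPv4 only; add /proc/net/tcp6 (same column layout) if the service binds to IPv6.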
     
  5. Aric1

    Aric1 Well-Known Member

    Joined:
    Oct 15, 2003
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    chkrootkit is being updated more often these days and is a fine tool, if you know how to use it and interpret the results, but it is prone to a number of false positives.

    You may wish to try rootkithunter (http://rootkit.nl/). So long as you run rkhunter --update before any scan, you're a lot less likely to get false positives with rkhunter than chkrootkit. The author is also working on a new updated version based on user feedback.

    Installation is easy, just SSH into your server as root (don't SU to root, log in directly as root) and run:
    Code:
    cd; rm -Rf rkh*; wget http://downloads.rootkit.nl/rkhunter-1.1.8.tar.gz; tar zxf rkhunter-*.tar.gz; cd rkhunter; ./installer.sh; rkhunter --update; rkhunter -c --cronjob; cd ..; rm -Rf rkhunter*
    That will download and install rootkithunter v 1.1.8, update the databases to make sure they are current, run it for the first time and display the results on-screen, then delete the installer files.

    You can add something like the following to your crontab if you want rkhunter to run regularly:
    Code:
    29 6 * * * /usr/local/bin/rkhunter --update > /dev/null 2>&1
    30 6 * * * /usr/local/bin/rkhunter -c --cronjob
    That would only run rkhunter 1x per day at 6:30 AM local server time, adjust as you see fit. The results will be e-mailed to root. Of course you can mail the results to another address if you prefer.

    Just keep in mind that no matter how many automated intrusion detection/prevention systems you have installed, none of them are foolproof and all require that you stay alert to changes in the normal pattern of the way your server operates.
     