neoraver

Member
Jul 31, 2002
I scanned my new cPanel system w/ chkrootkit and it said "bindshell INFECTED port 465"

Now I've done some research and it said PortSentry usually will trigger this. Well, I haven't set up PortSentry. I checked /etc/passwd and nothing abnormal.

So does cPanel use this port for anything?

Thanks
 

bmcpanel

Well-Known Member
Jun 1, 2002
If you definitely do not have Portsentry or any other firewall, then you should be concerned.
 

bmcpanel

Well-Known Member
Jun 1, 2002
I put a few extra, known hacker ports in my /etc/portsentry/portsentry.conf file and ./chkrootkit then shows them as infected on the bindshell. Just to be sure, I deleted a couple of those ports in the /etc/portsentry/portsentry.conf file and restarted portsentry. I then ran chkrootkit again and it said those ports were NOT infected. Thus, it is true, Portsentry does trigger those warnings for bindshell.
 

myros

Active Member
Dec 16, 2001
Anybody willing to post or email their conf for PortSentry? Just wondering what other 'hacker' ports I should be blocking and in which section of the conf they should go.

Thanks :)

Myros
 

MikeF12

Member
Dec 29, 2002
I know this is an old topic but.......

From chkrootkit.org:

I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).



Mike
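
Added example, not part of the thread and not chkrootkit's own code: a shell function that maps every listener on the bindshell-test ports quoted above to its owning process, so a PortSentry/klaxon decoy can be told apart from a listener that needs a closer look. The `classify_listeners` name, the verdict labels and the sample `ss` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Ports listed for the bindshell test in the chkrootkit FAQ quoted above.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Reads `ss -Hltnp`-style lines on stdin and prints "port owner verdict" for
# every listener on a bindshell-test port. The verdict is a process-name match
# only; confirm the binary behind the PID (/proc/<pid>/exe) before trusting it.
classify_listeners() {
  awk -v ports="$BINDSHELL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)        # local address:port -> port
      if (!(port in watch)) next
      owner = "unknown"                      # ss shows no owner without root
      if (match($0, /users:\(\("[^"]+"/))
        owner = substr($0, RSTART + 9, RLENGTH - 10)
      verdict = (owner ~ /^(portsentry|klaxon)$/) ? "decoy-listener" : "review"
      print port, owner, verdict
    }'
}

# Constructed sample input (not from the thread): PortSentry on two decoy
# ports, a mail daemon on 465, sshd on 22, and one listener with no owner shown.
SAMPLE='LISTEN 0 5 0.0.0.0:1524 0.0.0.0:* users:(("portsentry",pid=811,fd=3))
LISTEN 0 5 0.0.0.0:31337 0.0.0.0:* users:(("portsentry",pid=811,fd=7))
LISTEN 0 128 0.0.0.0:465 0.0.0.0:* users:(("exim",pid=1203,fd=5))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 1 [::]:27374 [::]:*'

# --live inspects this host (run as root so ss can name the owning process);
# with no argument the constructed sample is classified instead.
if [ "${1:-}" = "--live" ]; then
  ss -Hltnp | classify_listeners
else
  printf '%s\n' "$SAMPLE" | classify_listeners
fi
```

A `review` verdict means the owner is not one of the decoy programs named in the FAQ, so the listener should be matched against the services the host is expected to run.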