
chkrootkit output

Discussion in 'General Discussion' started by neoraver, Aug 3, 2002.

  1. neoraver

    I scanned my new cPanel system w/ chkrootkit and it said "bindshell INFECTED port 465"

    Now I've done some research and it said PortSentry usually will trigger this. Well, I haven't set up PortSentry. I checked /etc/passwd and nothing abnormal.

    So does cPanel use this port for anything?

    Thanks
     
  2. bmcpanel

    If you definitely do not have Portsentry or any other firewall, then you should be concerned.
     
  3. bmcpanel

    I put a few extra, known hacker ports in my /etc/portsentry/portsentry.conf file and ./chkrootkit then shows them as infected on the bindshell. Just to be sure, I deleted a couple of those ports in the /etc/portsentry/portsentry.conf file and restarted portsentry. I then ran chkrootkit again and it said those ports were NOT infected. Thus, it is true, Portsentry does trigger those warnings for bindshell.
     
  4. myros

    Anybody willing to post or email their conf for portsentry? Just wondering what other 'hacker' ports I should be blocking and in which section of the conf they should go.

    Thanks :)

    myros@neuralhq.com

    Myros
     
  5. MikeF12

    I know this is an old topic but.......

    From chkrootkit.org:

    I'm running PortSentry/klaxon. What's wrong with the bindshell test?
    If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).



    Mike
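
The check the thread converges on is finding out which process actually owns a port that chkrootkit's bindshell test flags. The following is an added example, not part of any post above and not chkrootkit's own code: it parses `ss -H -ltnp` output and marks each listener on the FAQ's port list as a known port binder or as one whose owner needs verifying. The sample output and the process names are constructed assumptions.

```python
import re

# Ports probed by chkrootkit's bindshell test, as listed in the FAQ quoted above.
BINDSHELL_PORTS = {114, 465, 511, 1008, 1524, 1999, 3879, 4369, 5665, 10008,
                   12321, 23132, 27374, 29364, 31336, 31337, 45454, 47017,
                   47889, 60001}
# Programs the FAQ names as binding unused ports (process names are assumed).
KNOWN_BINDERS = {"portsentry", "klaxon"}

# Constructed sample of `ss -H -ltnp` output, not taken from the thread.
SAMPLE_SS = '''\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
LISTEN 0 5 0.0.0.0:1524 0.0.0.0:* users:(("portsentry",pid=912,fd=4))
LISTEN 0 5 0.0.0.0:31337 0.0.0.0:* users:(("portsentry",pid=912,fd=9))
LISTEN 0 5 [::]:465 [::]:* users:(("exim",pid=4411,fd=7))
LISTEN 0 5 0.0.0.0:27374 0.0.0.0:*
'''

def triage(ss_output):
    """Return sorted (port, owner, verdict) for listeners on bindshell-test ports."""
    results = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is the 4th column; the port follows the last colon,
        # which also holds for bracketed IPv6 addresses such as [::]:465.
        port_text = fields[3].rsplit(":", 1)[-1]
        if not port_text.isdigit() or int(port_text) not in BINDSHELL_PORTS:
            continue
        # The owner column is missing when ss runs without root privileges.
        names = re.findall(r'\("([^"]+)",pid=', " ".join(fields[5:]))
        owner = ",".join(sorted(set(names))) or "unknown"
        # A name match is only a first pass: a process name can be chosen freely,
        # so confirm the binary path and package before dismissing the warning.
        known = bool(names) and all(n in KNOWN_BINDERS for n in names)
        verdict = "known-binder" if known else "verify-owner"
        results.add((int(port_text), owner, verdict))
    return sorted(results)

if __name__ == "__main__":
    for port, owner, verdict in triage(SAMPLE_SS):
        print(f"{port}/tcp  {owner:<12} {verdict}")
```

On a live host, feed it the real listing instead of the sample, for example `triage(subprocess.check_output(["ss", "-H", "-ltnp"], text=True))` run as root so the owner column is populated.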
     