
RootKit Hunter Scan

Discussion in 'Security' started by GaryT, Dec 10, 2010.

  1. GaryT

    GaryT Well-Known Member

    This auto runs on the server, But one thing I'm unsure of is a port warning.

    Performing check for backdoor ports
    Checking for TCP port 1524 [ Not found ]
    Checking for TCP port 1984 [ WARNING ]
    Checking for UDP port 2001 [ Not found ]
    Checking for TCP port 2006 [ Not found ]
    Checking for TCP port 2128 [ Not found ]
    Checking for TCP port 6666 [ Not found ]
    Checking for TCP port 6667 [ Not found ]
    Checking for TCP port 6668 [ Not found ]
    Checking for TCP port 6669 [ Not found ]
    Checking for TCP port 7000 [ Not found ]
    Checking for TCP port 13000 [ Not found ]
    Checking for TCP port 14856 [ Not found ]
    Checking for TCP port 25000 [ Not found ]
    Checking for TCP port 29812 [ Not found ]
    Checking for TCP port 31337 [ Not found ]
    Checking for TCP port 33369 [ Not found ]
    Checking for TCP port 47107 [ Not found ]
    Checking for TCP port 47018 [ Not found ]
    Checking for TCP port 60922 [ Not found ]
    Checking for TCP port 62883 [ Not found ]
    Checking for TCP port 65535 [ Not found ]


    Now I ran:

    But it shows nothing. I also ran chkrootkit, which reported fine as well, and the newest Clam, and that's fine too.

    I read up on this port and the only thing I can see in Google results is Big Brother... What's that?
     
    #1 GaryT, Dec 10, 2010
    Last edited: Dec 10, 2010
  2. GaryT

    GaryT Well-Known Member

    I see it's part of the castcontrol system that I have installed.
     
  3. mtindor

    mtindor Well-Known Member

    In addition to netstat, using lsof can help you identify what is listening on a particular port (the app, the owner, etc.).

    lsof -nP|grep TCP

    -P disables conversion of ports to names (based upon /etc/services)
    -n disables conversion of IP to hostname

    Using those lsof options will make TCP port numbers show up in the lsof listing and will _not_ resolve IP addresses to hostnames. It not only makes lsof display results faster, but it makes you able to easily tell what is listening on a particular TCP port.

    Mike
     
  4. GaryT

    GaryT Well-Known Member

    Thanks Mike. So, for example, if I wanted to stop the service on that port, what do you suggest I do?

    Thanks in advance and for your time taken.
     
  5. mtindor

    mtindor Well-Known Member

    Gary,

    I'd issue a "kill <pid>" where <pid> is the second value in the lsof output. As an example...

    cpsrvd-ss 20795 root 3u IPv4 81400 TCP *:2082 (LISTEN)

    kill 20795

    Of course, if it is a legitimate service with its own start/stop scripts, I'd use those scripts to stop the service gracefully. If it's something you suspect is a malicious process, kill it directly.

    Mike
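    Putting Mike's two replies together (the rkhunter port warning and the lsof -nP listing), here is an added example, not from the thread or from cPanel, that parses both outputs and reports which process owns each flagged port. The lsof and rkhunter lines below are constructed samples; the sc_trans line, its PID and its user are hypothetical and only modelled on the cpsrvd-ss line quoted above.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP | grep TCP` output (not from the thread's server).
# The sc_trans line is hypothetical, shaped like the cpsrvd-ss line quoted above.
LSOF_SAMPLE='cpsrvd-ss 20795 root 3u IPv4 81400 TCP *:2082 (LISTEN)
sc_trans 31122 nobody 5u IPv4 91233 TCP *:1984 (LISTEN)
sshd 1187 root 3u IPv4 12345 TCP *:22 (LISTEN)
httpd 2201 nobody 4u IPv4 33333 TCP 10.0.0.5:80->203.0.113.9:51234 (ESTABLISHED)'

# Constructed rkhunter excerpt, same shape as the "Performing check for backdoor ports" block.
RKH_SAMPLE='Checking for TCP port 1524 [ Not found ]
Checking for TCP port 1984 [ WARNING ]
Checking for TCP port 2001 [ Not found ]'

# Print the port number of every rkhunter line marked "[ WARNING ]" (stdin).
flagged_ports() {
    awk '/\[ WARNING \]/ { print $5 }'
}

# For one TCP port, print "COMMAND PID USER" of the process LISTENing on it,
# or "none" when nothing listens. Reads `lsof -nP` output on stdin; using the
# first and last fields keeps it working whether or not lsof prints SIZE/OFF.
listener_for_port() {
    awk -v port="$1" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $1, $2, $3; found = 1 }
        END { if (!found) print "none" }'
}

# Cross-reference: for each flagged port show what actually owns it, so the
# admin can choose between the service's own stop script and a direct kill.
triage() {
    rkh="$1"; lsof_out="$2"
    printf '%s\n' "$rkh" | flagged_ports | while read -r p; do
        printf '%s %s\n' "$p" "$(printf '%s\n' "$lsof_out" | listener_for_port "$p")"
    done
}

triage "$RKH_SAMPLE" "$LSOF_SAMPLE"
```

    On a live server, feed the functions the real `lsof -nP | grep TCP` output and the rkhunter log instead of the constructed samples.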
     
  6. GaryT

    GaryT Well-Known Member

    We use Cast-Control for streaming. Now, the file that's using that port is ionCube-loaded sc_trans, so I cannot understand it due to the coded content.

    As a test, I backed up the file, downloaded it from the author's website and replaced it, yet I get the same results, so I assume it's legitimate.
     
  7. mtindor

    mtindor Well-Known Member

    Sounds like it is legit. As long as you are comfortable with the integrity of the author, I imagine the script is fine too. It's likely encoded to prevent its use/abuse by those people who don't pay for it.

    If you don't like the rootkit scan barking about that oddball port, there is probably some way to exempt that port from the rootkit test. The rootkit tester probably only sees it as a rootkit because of the port it is on, not because of what the actual app is doing.

    Mike
     