Just installed chkrootkit on our (relatively) new Debian Squeeze server and ran it. Wasn't expecting anything since rkhunter reported everything was fine. But it did indeed report something:
# chkrootkit
...
Checking `bindshell'... INFECTED (PORTS: 465)
...
So checking what's running on port 465:
# netstat -pan | grep ":465 "
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 8325/master
tcp6 0 0 :::465 :::* LISTEN 8325/master
Since I wasn't too sure what this master was:
# ps -F -p 8325
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 8325 1 0 9292 2404 6 Apr14 ? 00:00:17 /usr/lib/postfix/master
There it is, it's nothing to worry about, just postfix...
So if a mail server is running SMTPS (SMTP over TLS) on port 465, chkrootkit's bindshell test, which flags any listener on a fixed list of ports associated with known backdoors, wrongly reports it as INFECTED.
If you stop postfix and rerun chkrootkit, nothing is reported:
# service postfix stop
Stopping Postfix Mail Transport Agent: postfix.
# chkrootkit | grep INFECTED
# service postfix start
Starting Postfix Mail Transport Agent: postfix.
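The same triage done by hand above (netstat to find the PID on the port, ps to see which binary it is, then decide whether that binary belongs there) can be scripted so a bindshell finding is checked against an allowlist of expected daemons. The script below is an added example, not part of the original post; it parses constructed netstat and ps samples modelled on the output above rather than querying a live system, and the allowlist of permitted listeners is an assumption of the example.

```sh
#!/bin/sh
# Added example (not from the original post): triage a chkrootkit
# "bindshell" finding by checking which program owns the listening port.
# All input below is constructed sample text, not live system output.

# Constructed sample of `netstat -pan` output, modelled on the post.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 8325/master
tcp6 0 0 :::465 :::* LISTEN 8325/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd'

# Constructed sample mapping PID -> command path (what `ps -o pid=,cmd= -p PID`
# would show), again modelled on the post.
SAMPLE_PS='8325 /usr/lib/postfix/master
1234 /usr/sbin/sshd'

# Assumed allowlist: the only program we expect to hold port 465 (SMTPS)
# on this host is the Postfix master daemon.
ALLOWED_465='/usr/lib/postfix/master'

# listener_pid PORT NETSTAT_TEXT -> prints the PID of the LISTEN socket on PORT
listener_pid() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $6 == "LISTEN" && $4 ~ (":" port "$") { split($7, a, "/"); print a[1]; exit }'
}

# pid_command PID PS_TEXT -> prints the command path recorded for PID
pid_command() {
    printf '%s\n' "$2" | awk -v pid="$1" '$1 == pid { print $2; exit }'
}

# triage_port PORT NETSTAT_TEXT PS_TEXT ALLOWED -> prints a verdict;
# returns 0 when the listener is expected (or gone), 1 when it needs a look.
triage_port() {
    port=$1; ns=$2; ps_text=$3; allowed=$4
    pid=$(listener_pid "$port" "$ns")
    if [ -z "$pid" ]; then
        echo "nothing listening on $port: chkrootkit finding is stale"
        return 0
    fi
    cmd=$(pid_command "$pid" "$ps_text")
    for a in $allowed; do
        if [ "$cmd" = "$a" ]; then
            echo "port $port owned by pid $pid ($cmd): expected daemon, false positive"
            return 0
        fi
    done
    echo "port $port owned by pid $pid (${cmd:-unknown}): NOT in allowlist, investigate"
    return 1
}

# Reproduce the post's case: port 465 is held by Postfix, so it is a false positive.
triage_port 465 "$SAMPLE_NETSTAT" "$SAMPLE_PS" "$ALLOWED_465"
```

On a real host, replace the two sample strings with `$(netstat -pan)` (or `ss -plnt`) and `$(ps -o pid=,cmd= -p "$pid")`; the point of keeping an explicit allowlist is that the same port owned by anything other than the expected daemon still comes back as "investigate" rather than being waved through because the port number is familiar.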