[CentOS] Security advice, please
John Doe
jdmls at yahoo.com
Fri Dec 18 13:54:43 UTC 2009
From: Anne Wilson <cannewilson at googlemail.com>
> I run chkrootkit daily. For the first time I've got reports of a problem -
>
> Checking `bindshell'... INFECTED (PORTS: 1008)
>
> The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected-ports-1008/
> suggests that this might be a false positive, so I ran 'netstat -tanup'
> but unlike the report, it wasn't famd on the port. It was
>
> tcp 0 0 0.0.0.0:1008 0.0.0.0:* LISTEN 3797/rpc.mountd
>
> It looks as though certain services are marked as suspicious when they grab
> port 1008. I tried to find how to restart the service, but without success,
> but a reboot put rpc.mountd onto another port, and chkrootkit no longer
> reports a problem. (I had rebooted last evening after an update including a
> kernel version.)
>
> I think that it really was a false alarm, but I would really like to know how
> I could restart that service without rebooting. system-config-services didn't
> do the trick, and I simply didn't know what else to try. In case I meet this
> again, can you please advise me?
# grep -l "rpc.mountd" /etc/init.d/*
/etc/init.d/nfs
# man rpc.mountd | grep -C 1 bind
-p or --port num
Force rpc.mountd to bind to the specified port num, instead of
using the random port number assigned by the portmapper.
random port... 1008 seems to be associated with a trojan (lion)...
JD
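
An added example, not part of either message above: a shell triage for a chkrootkit bindshell hit that pairs the listener shown by `netstat -tanup` with the `rpcinfo -p` table, to confirm that the flagged port was handed out by the portmapper. The function names and the sample output are constructed for illustration; only the port 1008 line is taken from the quoted message.

```shell
#!/bin/sh
# Triage a chkrootkit "bindshell ... INFECTED (PORTS: n)" hit: who owns the
# listener, and did the portmapper register an RPC service on that port?

# Constructed sample of `netstat -tanup` output (the 1008 line is from the post).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2950/portmap
tcp 0 0 0.0.0.0:1008 0.0.0.0:* LISTEN 3797/rpc.mountd
tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 4102/exampled
udp 0 0 0.0.0.0:1005 0.0.0.0:* 3797/rpc.mountd'

# Constructed sample of `rpcinfo -p` output.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100005    1   udp   1005  mountd
    100005    1   tcp   1008  mountd'

# listener_on PORT NETSTAT_TEXT -> "pid/program" of the TCP listener, or empty
listener_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # port is the last piece, also for tcp6
            if (a[n] == p) { print $7; exit }
        }'
}

# rpc_service_on PORT RPCINFO_TEXT -> RPC service registered on tcp/PORT, or empty
rpc_service_on() {
    printf '%s\n' "$2" | awk -v p="$1" '$3 == "tcp" && $4 == p { print $5; exit }'
}

# triage PORT NETSTAT_TEXT RPCINFO_TEXT -> one-line verdict
triage() {
    owner=$(listener_on "$1" "$2")
    svc=$(rpc_service_on "$1" "$3")
    if [ -z "$owner" ]; then
        echo "port $1: no TCP listener"
    elif [ -n "$svc" ]; then
        echo "port $1: $owner, registered with portmapper as $svc"
    else
        echo "port $1: $owner, not in portmapper, verify the binary"
    fi
}

# Live use (as root, so netstat can show PIDs):
#   triage 1008 "$(netstat -tanup)" "$(rpcinfo -p)"
triage 1008 "$SAMPLE_NETSTAT" "$SAMPLE_RPCINFO"
```

When the verdict is a portmapper-registered mountd, restarting through the /etc/init.d/nfs script found by the grep above gets the daemon a new port without a reboot, and the -p option from the man page excerpt pins it to a fixed one.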