[CentOS] Security advice, please

Fri Dec 18 13:03:28 UTC 2009
Rob Kampen <rkampen at kampensonline.com>

Anne Wilson wrote:
> I run chkrootkit daily.  For the first time I've got reports of a problem -
>
> Checking `bindshell'... INFECTED (PORTS:  1008)
>
> The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected-ports-1008/
> suggests that this might be a false positive, so I ran 'netstat -tanup' but
> unlike the report, it wasn't famd on the port.  It was
>
> tcp        0      0 0.0.0.0:1008                0.0.0.0:*                   LISTEN      3797/rpc.mountd
>
> It looks as though certain services are marked as suspicious when they grab 
> port 1008.  I tried to find how to restart the service, but without success, 
> but a reboot put rpc.mountd onto another port, and chkrootkit no longer 
> reports a problem.  (I had rebooted last evening after an update including a 
> kernel version.)
>
> I think that it really was a false alarm, but I would really like to know how 
> I could restart that service without rebooting.  system-config-services didn't 
> do the trick, and I simply didn't know what else to try.  In case I meet this 
> again, can you please advise me?
>
> Anne
Anne, I believe an nfs restart should do it - you may consider setting 
rpc to a specific port in /etc/sysconfig/nfs - plenty of comments in the 
file to help - this is also useful if you firewall and need to use nfs.
HTH
Rob
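
Added example, not part of the original thread: a small triage helper that takes the port from a chkrootkit bindshell line and finds the owning process in `netstat -tanup` output, so a hit like the one above can be checked without a reboot. The sample lines are constructed from the ones quoted in the thread, and the `RPC_DAEMONS` allow-list and function names are assumptions.

```bash
#!/bin/sh
# Added example: triage a chkrootkit "bindshell" hit against netstat output.
# Sample inputs are constructed, modelled on the lines quoted in the thread.
CHK_LINE="Checking \`bindshell'... INFECTED (PORTS:  1008)"
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:1008      0.0.0.0:*      LISTEN      3797/rpc.mountd
tcp        0      0 0.0.0.0:22        0.0.0.0:*      LISTEN      2101/sshd
udp        0      0 0.0.0.0:1005      0.0.0.0:*                  3797/rpc.mountd'

# Daemons that take dynamically assigned ports (assumed allow-list; adjust per host).
RPC_DAEMONS="rpc.mountd rpc.statd rpc.rquotad famd"

# flagged_ports "<chkrootkit line>" -> one flagged port per line
flagged_ports() {
    printf '%s\n' "$1" |
        sed -n 's/.*INFECTED (PORTS:\(.*\)).*/\1/p' |
        tr -s ' ' '\n' | grep -E '^[0-9]+$'
}

# port_owner <port> -> "pid/program" of the socket bound to that port.
# Reads `netstat -tanup` text on stdin; TCP sockets must be in LISTEN state.
port_owner() {
    awk -v p="$1" '
        { n = split($4, a, ":"); if (a[n] != p) next }   # local address ends in :port
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }
        { print $NF; exit }'
}

# classify <port> -> "rpc-daemon NAME", "unknown NAME" or "no-listener"
classify() {
    owner=$(port_owner "$1")
    if [ -z "$owner" ]; then echo "no-listener"; return 0; fi
    prog=${owner#*/}                                     # strip the "pid/" prefix
    case " $RPC_DAEMONS " in
        *" $prog "*) echo "rpc-daemon $prog" ;;
        *)           echo "unknown $prog" ;;
    esac
}

# On a live host, pipe `netstat -tanup` (run as root) into classify instead.
for port in $(flagged_ports "$CHK_LINE"); do
    echo "port $port: $(printf '%s\n' "$NETSTAT_SAMPLE" | classify "$port")"
done
```

A matching process name is a hint, not proof: compare the port with what `rpcinfo -p` reports for that service, and treat "unknown" or "no-listener" results as needing a closer look.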