chkrootkit gives out false positives all the time. It's not always
accurate, but it's a good tool to keep in the toolbox nonetheless. Have
you tried rkhunter (http://www.rkhunter.org)? Perhaps installing
tripwire, AIDE or samhain (http://la-samhna.de/samhain/index.html)
may even be in order?
--
Beau Henderson
http://www.iminteractive.net
On Tue, 11 Jan 2005 11:00:31 +0000, WipeOut
<wipe_out@users.sourceforge.net> wrote:
> Ralph Angenendt wrote:
>
> >WipeOut wrote:
> >
> >
> >>I have just run chkrootkit on my server and have the following two
> >>suspicious entries..
> >>
> >>Searching for suspicious files and dirs, it may take a while...
> >>/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
> >>
> >>
> >
> >There should be only a list of perl packages in that file. You can check
> >it very easily.
> >
> >
> >
> >>and further down..
> >>
> >>Checking `bindshell'... INFECTED (PORTS: 465)
> >>
> >>Anyone have any advice for getting rid of it??
> >>
> >>
> >
> >Find out which program listens on that port - and if you need it. 465
> >is smtps (SMTP over SSL).
> >
> >You can do so with netstat, lsof or fuser.
> >
> >chkrootkit can only give you hints - you have to look for yourself, if
> >it is assuming correctly or fooling you.
> >
> >Ralph
> >
> >
> Thanks Ralph..
>
> I am looking into it now..
>
>
>
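
The check Ralph describes (find out which program listens on the flagged port, then decide whether you need it), as an added example that is not part of the original thread. The sample `netstat -tlnp` output is constructed, and the expected program names passed to `triage` (`master`, `sendmail`) are assumptions about which MTA might legitimately hold port 465.

```shell
#!/bin/sh
# Added example: triage a chkrootkit "bindshell" port hit.
# SAMPLE is constructed `netstat -tlnp` output, not data from the thread.
SAMPLE='Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0  0  0.0.0.0:22     0.0.0.0:*  LISTEN  987/sshd
tcp   0  0  0.0.0.0:465    0.0.0.0:*  LISTEN  1423/master
tcp   0  0  :::465         :::*       LISTEN  1423/master
tcp   0  0  0.0.0.0:31337  0.0.0.0:*  LISTEN  -'

# listener_for PORT: read netstat -tlnp lines on stdin and print
# "PID PROGRAM" once per distinct listener on that port.
# A "-" in the last column means netstat was not run as root.
listener_for() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")          # port is the last colon field
            if (a[n] != port || seen[$7]++) next
            if ($7 == "-") { print "-", "unknown"; next }
            split($7, p, "/"); print p[1], p[2]
        }'
}

# triage PORT EXPECTED_PROGRAM...: report each listener on PORT and
# return 1 if any of them is not in the expected list.
triage() {
    port=$1; shift
    hits=$(listener_for "$port")
    if [ -z "$hits" ]; then echo "port $port: no listener"; return 0; fi
    rc=0
    while read -r pid prog; do
        verdict=INVESTIGATE
        for ok in "$@"; do
            if [ "$prog" = "$ok" ]; then verdict=expected; fi
        done
        [ "$verdict" = expected ] || rc=1
        echo "port $port: pid $pid $prog ($verdict)"
    done <<EOF
$hits
EOF
    return $rc
}

# On a live host, as root: netstat -tlnp | triage 465 master sendmail
printf '%s\n' "$SAMPLE" | triage 465 master sendmail || true
```

A listener reported as `INVESTIGATE` is only a prompt to look at that PID (for example with `lsof -p`), in the same way chkrootkit's own output is a hint rather than a verdict.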