I have just run chkrootkit on my server and have the following two suspicious entries..
Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
and further down..
Checking `bindshell'... INFECTED (PORTS: 465)
Anyone have any advice for getting rid of it??
Later..
WipeOut wrote:
> I have just run chkrootkit on my server and have the following two suspicious entries..
> Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
There should be only a list of perl packages in that file. You can check it very easily.
> and further down..
> Checking `bindshell'... INFECTED (PORTS: 465)
> Anyone have any advice for getting rid of it??
Find out which program listens on that port - and if you need it. 465 is smtps (SMTP over SSL).
You can do so with netstat, lsof or fuser.
chkrootkit can only give you hints - you have to look for yourself whether it is assuming correctly or fooling you.
Ralph
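Ralph's two checks, what actually owns the socket on the flagged port and what the .packlist contains, written out as a small script. This is an added example, not code from anyone in the thread; it assumes a Linux host with netstat (net-tools) and an RPM-based system such as CentOS, and the netstat lines in it are constructed for demonstration.

```shell
# Added example, not from the thread: turn Ralph's advice into a repeatable check.
# Assumes a Linux host with netstat (net-tools) and an RPM-based system such as CentOS;
# the netstat text further down is constructed for demonstration.

# Parse `netstat -tlnp`-style output from stdin and print the "PID/Program name" field
# of whatever listens on TCP port $1 (or "none"). Kept separate so it can be tested.
listener_for_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # local address is addr:port; IPv6 has extra colons
            if (a[n] == p) { print $NF; found = 1 }
        }
        END { if (!found) print "none" }'
}

# A .packlist should hold only installed-file paths, one per line (Ralph's other point).
# Print how many stdin lines are not absolute paths; anything above 0 deserves a look:
#   packlist_odd_lines < /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
packlist_odd_lines() {
    awk '$0 !~ /^\// { n++ } END { print n + 0 }'
}

# Live check for the port chkrootkit flagged: who owns the socket, which executable that
# is, and whether it belongs to an installed package that still verifies cleanly.
# Needs root for netstat to show the PID; an unexpected program name is the real signal.
check_port() {
    owner=$(netstat -tlnp 2>/dev/null | listener_for_port "$1")
    echo "port $1 listener: $owner"
    case "$owner" in
        none|-) echo "no owner visible (nothing listening, or not root)"; return 1 ;;
    esac
    pid=${owner%%/*}
    exe=$(readlink "/proc/$pid/exe") || { echo "cannot read /proc/$pid/exe"; return 1; }
    echo "executable: $exe"
    pkg=$(rpm -qf "$exe") || { echo "$exe is not owned by any package"; return 1; }
    echo "package: $pkg"
    rpm -V "$pkg"                          # silent when every file still matches the RPM db
}

# Constructed sample of `netstat -tlnp` output: here 465 belongs to sendmail, the
# expected smtps daemon, so the chkrootkit hit would be a false positive.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1234/sendmail
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      987/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/sendmail'

echo "$SAMPLE_NETSTAT" | listener_for_port 465        # 1234/sendmail
```

Run `check_port 465` as root on the real box; the interesting outcome is a listener whose executable is not owned by any package or fails `rpm -V`.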
Ralph Angenendt wrote:
> WipeOut wrote:
> > I have just run chkrootkit on my server and have the following two suspicious entries..
> > Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
> There should be only a list of perl packages in that file. You can check it very easily.
> > and further down..
> > Checking `bindshell'... INFECTED (PORTS: 465)
> > Anyone have any advice for getting rid of it??
> Find out which program listens on that port - and if you need it. 465 is smtps (SMTP over SSL).
> You can do so with netstat, lsof or fuser.
> chkrootkit can only give you hints - you have to look for yourself whether it is assuming correctly or fooling you.
> Ralph
Thanks Ralph..
I am looking into it now..
chkrootkit gives out false positives all the time. It's not always accurate but a good tool to keep in the tool box none the less. Have you tried rkhunter? (http://www.rkhunter.org). Perhaps even installing tripwire or AIDE or samhain (http://la-samhna.de/samhain/index.html) may be in order?
Beau Henderson wrote:
> chkrootkit gives out false positives all the time. It's not always accurate but a good tool to keep in the tool box none the less. Have you tried rkhunter? (http://www.rkhunter.org). Perhaps even installing tripwire or AIDE or samhain (http://la-samhna.de/samhain/index.html) may be in order?
Will check those out..
Thanks..
Are you running PortSentry? If you are, that may give you a false positive on Port 465.
-----Original Message-----
From: centos-bounces@caosity.org [mailto:centos-bounces@caosity.org] On Behalf Of WipeOut
Sent: 11 January 2005 18:19
To: CentOS discussion and information list
Subject: [Centos] Think someone has got into my server...
I have just run chkrootkit on my server and have the following two suspicious entries..
Searching for suspicious files and dirs, it may take a while... /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
and further down..
Checking `bindshell'... INFECTED (PORTS: 465)
Anyone have any advice for getting rid of it??
Later..
_______________________________________________ CentOS mailing list CentOS@caosity.org http://lists.caosity.org/mailman/listinfo/centos