[Centos] Think someone has got into my server...

Tue Jan 11 11:00:31 UTC 2005
WipeOut <wipe_out at users.sourceforge.net>

Ralph Angenendt wrote:

>WipeOut wrote:
>
>>I have just run chkrootkit on my server and have the following two 
>>suspicious entries..
>>
>>Searching for suspicious files and dirs, it may take a while...
>>/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
>
>There should be only a list of perl packages in that file. You can check
>it very easily.
>
>
>>and further down..
>>
>>Checking `bindshell'... INFECTED (PORTS:  465)
>>
>>Anyone have any advice for getting rid of it??
>
>Find out which program listens on that port - and if you need it. 465
>is smtps (SMTP over SSL).
>
>You can do so with netstat, lsof or fuser.
>
>chkrootkit can only give you hints - you have to look for yourself, if
>it is assuming correctly or fooling you.
>
>Ralph
Thanks Ralph..

I am looking into it now..
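
Added example, not part of the original thread: one way to answer "which program listens on that port" by reading the kernel's socket table in /proc directly, as a cross-check on what netstat, lsof or fuser report. It assumes a Linux /proc filesystem; the function names are hypothetical and the sample table is constructed for illustration.

```sh
#!/bin/sh
# Added example: map a listening TCP port to the process that owns it via /proc.

# Print the socket inode of every LISTEN socket on TCP port $1.
# $2 is the table to read: /proc/net/tcp by default (check /proc/net/tcp6 too), "-" for stdin.
listening_inodes() {
    port_hex=$(printf '%04X' "$1")          # 465 -> 01D1, as the kernel prints it
    awk -v p="$port_hex" '
        NR > 1 && $4 == "0A" {              # skip the header; state 0A is LISTEN
            n = split($2, a, ":")           # local_address is HEXADDR:HEXPORT
            if (toupper(a[n]) == p) print $10   # field 10 is the socket inode
        }' "${2:-/proc/net/tcp}"
}

# Print "PID EXE" for each process holding socket inode $1 (run as root to see every process).
socket_owners() {
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            pid=${fd#/proc/}; pid=${pid%%/*}
            echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null)"
        fi
    done
    return 0
}

# Constructed sample in /proc/net/tcp layout: listeners on 465 and 25, one established session on 465.
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001
   2: 0A00000A:01D1 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 13000
EOF
}

# When called with a port number (e.g. 465), list the owning processes on this host.
if [ -n "${1:-}" ]; then
    for inode in $(listening_inodes "$1"); do socket_owners "$inode"; done
fi
```

On an RPM-based system such as CentOS, `rpm -qf` on the reported executable path names the package that owns it, and `rpm -V` on that package shows whether the installed files still match the package database.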