[Centos] Think someone has got into my server...

Tue Jan 11 10:58:11 UTC 2005
Ralph Angenendt <ra+centos at br-online.de>

WipeOut wrote:
> I have just run chkrootkit on my server and have the following two 
> suspicious entries..
> 
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

There should be only a list of perl packages in that file. You can check
it very easily.

> and further down..
> 
> Checking `bindshell'... INFECTED (PORTS:  465)
> 
> Anyone have any advice for getting rid of it??

Find out which program listens on that port - and if you need it. 465
is smtps (SMTP over SSL).

You can do so with netstat, lsof or fuser.

chkrootkit can only give you hints - you have to look for yourself whether
it is assuming correctly or fooling you.

Ralph
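
The check suggested above (which program listens on port 465), as an added example that is not part of the original post: it reads the kernel's socket table in /proc/net/tcp, which is where net-tools netstat gets its data, and maps each listening socket's inode to a PID and executable. The function names are hypothetical, and it needs root to see other users' processes.

```shell
#!/bin/sh
# Added example (not from the original post). Command-line equivalents:
#   netstat -tlnp | grep ':465 '
#   lsof -i :465
#   fuser -n tcp 465
#
# Constructed sample row of /proc/net/tcp (port 0x01D1 = 465, state 0A = LISTEN):
#    0: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 12345 ...

# listening_inodes PORT [TABLE]
# Print the socket inode of every LISTEN entry on PORT in TABLE.
listening_inodes() {
    port_hex=$(printf '%04X' "$1")
    awk -v want="$port_hex" '
        NR > 1 {
            n = split($2, addr, ":")      # local_address is HEXIP:HEXPORT
            if (toupper(addr[n]) == want && $4 == "0A")
                print $10                 # 10th field is the socket inode
        }' "${2:-/proc/net/tcp}"
}

# owners_of_inode INODE [PROCROOT]
# Print "PID EXE" for each process holding a descriptor on that socket.
owners_of_inode() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(readlink "$root/$pid/exe" 2>/dev/null)"
    done
}

# who_listens PORT: check both the IPv4 and IPv6 tables.
who_listens() {
    for table in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$table" ] || continue
        for inode in $(listening_inodes "$1" "$table"); do
            owners_of_inode "$inode"
        done
    done
}

# Usage: sh who_listens.sh 465
if [ $# -gt 0 ]; then
    who_listens "$1"
fi
```

If the executable printed for port 465 is the mail server you installed and you use smtps, the chkrootkit line is a false positive. An unknown or deleted executable is what warrants a closer look.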