[CentOS] Security advice, please

Fri Dec 18 13:54:43 UTC 2009
John Doe <jdmls at yahoo.com>

From: Anne Wilson <cannewilson at googlemail.com>
> I run chkrootkit daily.  For the first time I've got reports of a problem -
> 
> Checking `bindshell'... INFECTED (PORTS:  1008)
> 
> The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected-ports-1008/
> suggests that this might be a false positive, so I ran 'netstat -tanup' but
> unlike the report, it wasn't famd on the port.  It was
> 
> tcp        0      0 0.0.0.0:1008                0.0.0.0:*                   LISTEN      3797/rpc.mountd
> 
> It looks as though certain services are marked as suspicious when they grab 
> port 1008.  I tried to find how to restart the service, but without success, 
> but a reboot put rpc.mountd onto another port, and chkrootkit no longer 
> reports a problem.  (I had rebooted last evening after an update including a 
> kernel version.)
> 
> I think that it really was a false alarm, but I would really like to know how 
> I could restart that service without rebooting.  system-config-services didn't 
> do the trick, and I simply didn't know what else to try.  In case I meet this 
> again, can you please advise me?

# grep -l "rpc.mountd" /etc/init.d/*
/etc/init.d/nfs

# man rpc.mountd | grep -C 1 bind
       -p  or  --port num
              Force rpc.mountd to bind to the specified port num,  instead  of
              using the random port number assigned by the portmapper.

random port... 1008 seems to be associated with a trojan (lion)...

JD
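The triage JD's reply walks through (which process owns the flagged port, which init script restarts it, and how rpc.mountd can be pinned to a fixed port so it stops landing on one chkrootkit watches) as an added example, not code from the thread. The netstat output and the init.d directory are constructed stand-ins so the script runs offline; on a live CentOS box you would call port_owner with no second argument and init_script_for with no second argument. The MOUNTD_PORT setting in /etc/sysconfig/nfs is assumed from the RHEL/CentOS 5 nfs init script; check your own init script before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post. Triage a chkrootkit
# "bindshell ... INFECTED (PORTS: N)" report without rebooting:
#   1. find the process bound to the port (netstat -tanup style output)
#   2. find the init script that manages that daemon
#   3. pin rpc.mountd to a fixed port so it never grabs a watched one again

# Constructed sample of `netstat -tanup` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      2710/portmap
tcp        0      0 0.0.0.0:1008                0.0.0.0:*                   LISTEN      3797/rpc.mountd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      2856/sshd
udp        0      0 0.0.0.0:1008                0.0.0.0:*                               3797/rpc.mountd'

# port_owner PORT [NETSTAT_OUTPUT]
# Prints "PID/program" of the TCP listener on PORT, or nothing if none.
# Without a second argument it runs netstat itself (needs root for PIDs).
port_owner() {
    port=$1
    out=${2:-$(netstat -tanup 2>/dev/null)}
    printf '%s\n' "$out" | awk -v p="$port" '
        $1 == "tcp" && $6 == "LISTEN" {
            # local address is "addr:port"; take the last colon field so
            # IPv6 forms like ":::1008" work too
            n = split($4, a, ":")
            if (a[n] == p) { print $7; exit }
        }'
}

# program_name PID/PROGRAM -> PROGRAM  (e.g. 3797/rpc.mountd -> rpc.mountd)
program_name() {
    printf '%s\n' "$1" | sed 's#^[0-9]*/##'
}

# init_script_for PROGRAM [INITDIR]
# Lists init scripts under INITDIR (default /etc/init.d) that mention
# PROGRAM; that script is what you restart instead of rebooting.
init_script_for() {
    prog=$1
    dir=${2:-/etc/init.d}
    grep -lF -- "$prog" "$dir"/* 2>/dev/null
}

# pin_mountd_port PORT
# Prints the sysconfig line and restart command that fix rpc.mountd to
# PORT. Assumption: the CentOS 5 nfs init script reads MOUNTD_PORT from
# /etc/sysconfig/nfs and passes it as "rpc.mountd -p PORT".
pin_mountd_port() {
    printf 'echo "MOUNTD_PORT=%s" >> /etc/sysconfig/nfs && service nfs restart\n' "$1"
}

# Constructed stand-in for /etc/init.d so the demo runs offline.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
printf '#!/bin/sh\n# constructed nfs init script\ndaemon rpc.mountd $RPCMOUNTDOPTS\n' > "$DEMO_DIR/nfs"
printf '#!/bin/sh\n# constructed sshd init script\ndaemon /usr/sbin/sshd\n' > "$DEMO_DIR/sshd"

# Walk through the 1008 case from the thread.
owner=$(port_owner 1008 "$SAMPLE_NETSTAT")
echo "port 1008 is owned by: ${owner:-nothing}"
if [ -n "$owner" ]; then
    prog=$(program_name "$owner")
    echo "init script(s) mentioning $prog: $(init_script_for "$prog" "$DEMO_DIR")"
    echo "to pin it away from chkrootkit's watched ports, e.g.:"
    pin_mountd_port 2050
fi
```

If port_owner prints nothing for the flagged port, the listener is gone (rpc.mountd was restarted, or the port was transient) and chkrootkit should be re-run; if it prints a PID/program you do not recognise, compare the binary against the rpm database (`rpm -Vf /path/to/binary`) before assuming a false positive.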