Re: [cobalt-security] bindshell'... INFECTED (PORTS: 1524 31337)
- Subject: Re: [cobalt-security] bindshell'... INFECTED (PORTS: 1524 31337)
- From: Brian Rahill <cobalt@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 10 Dec 2001 22:02:19 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
At 11:01 PM 12/10/01 +0100, you wrote:
Hi Brian,
> Port 31337 is likely just a false positive from Portsentry
I'm not so sure. When Chkrootkit says "bindshell", then this info is pretty accurate. Chkrootkit never complains about Portsentry.
This is from the chkrootkit website:
___________________
"I'm running PortSentry/klaxon. What's wrong with the bindshell test?

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp)."
__________________
Of course the only way to know for sure is to shut off PortSentry and then rerun chkrootkit. Simple enough process. I would think this would be a good first test before going hacker hunting.
Good luck. I hope for your sake it turns out to be only Portsentry.
BTW, Michael, thanks for your informative post on LSOF and other hacker
detection techniques. I printed that one out, highlighted it and
put it in my Server Admin binder. Thanks!
Brian
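A quick check to run before stopping PortSentry, as an added example that is not part of this thread: it maps each listener on one of chkrootkit's bindshell-test ports (the list quoted from the FAQ above) to the process that owns the socket, using lsof-style LISTEN output, so a PortSentry decoy can be told apart from a listener nobody can explain. The sample lsof output, the column layout it assumes, and the "portsentry" command name are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Reads `lsof -nP -iTCP -sTCP:LISTEN`
# style lines and flags listeners on chkrootkit's bindshell-test ports.

# Port list copied from the chkrootkit FAQ quoted in the thread.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed sample in lsof's LISTEN format (assumed column layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
portsentry  412 root    3u  IPv4   9001      0t0  TCP *:1524 (LISTEN)
portsentry  412 root    4u  IPv4   9002      0t0  TCP *:31337 (LISTEN)
sshd        201 root    3u  IPv4   5001      0t0  TCP *:22 (LISTEN)
sh         7731 root    5u  IPv4   9100      0t0  TCP *:12321 (LISTEN)'

# classify_listeners: lsof-style lines on stdin; prints one line per listener
# on a bindshell-test port as "<port> <command> <pid> <verdict>".
classify_listeners() {
    awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $NF == "(LISTEN)" {
            n = split($(NF-1), addr, ":")      # "*:1524" or "[::]:1524" -> port
            port = addr[n]
            if (!(port in watch)) next
            # Assumption: PortSentry shows up as command name "portsentry".
            verdict = ($1 == "portsentry") ? "portsentry-decoy" : "UNEXPLAINED"
            print port, $1, $2, verdict
        }'
}

# classify_sample: run the check over the constructed sample above.
classify_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | classify_listeners
}

# count_unexplained: listeners on bindshell ports that PortSentry does not own.
count_unexplained() {
    classify_sample | awk '$4 == "UNEXPLAINED" { c++ } END { print c + 0 }'
}

classify_sample
echo "unexplained listeners: $(count_unexplained)"
```

On a live host, feed `lsof -nP -iTCP -sTCP:LISTEN | classify_listeners` instead of the sample; any UNEXPLAINED line is the one to investigate after PortSentry is stopped and chkrootkit rerun.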