Re: [cobalt-security] bindshell'... INFECTED (PORTS: 1524 31337)
- Subject: Re: [cobalt-security] bindshell'... INFECTED (PORTS: 1524 31337)
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 11 Dec 2001 21:57:31 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Brian,
> This is from the chkrootkit website:
> [snip]
> Of course the only way to know for sure is to shut off PortSentry and then
> rerun chkrootkit. Simple enough process.
Yepp. I think you are right, IF Portsentry is running in standard mode and
not "advanced TCP" and/or "advanced UDP" mode. That is what I usually use and
with that I never had problems in conjunction with Chkrootkit.
In "advanced" mode Portsentry usually only binds to unused ports below 1023.
In "standard" mode it uses a list defined in the configuration file to bind
to a whole bunch of ports, many of them above 1023. This sure can cause false
alarms with many tools.
> Michael, thanks for your informative post on LSOF and other hacker
> detection techniques.
Hey, no problem. I'm always glad to be of help and am returning just the same
favours that others gave me when I was the newcomer to Linux.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
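
Added example, not part of the original message: a triage sketch for the false alarm discussed above, checking whether each port from the chkrootkit alert is in PortSentry's standard-mode TCP_PORTS list and which process holds the listener. It assumes the portsentry.conf `TCP_PORTS="..."` syntax and `lsof -i -P -n` output; the function names and sample data are constructed for illustration.

```python
import re

FLAGGED_PORTS = {1524, 31337}  # ports named in this thread's chkrootkit alert

# Constructed sample inputs (not taken from the thread).
SAMPLE_CONF = '''#TCP_PORTS="1,7,9,15,79"
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,12345,31337"
'''
SAMPLE_LSOF = '''COMMAND   PID USER FD TYPE DEVICE SIZE NODE NAME
portsentr 612 root 3u IPv4 1021      TCP *:1524 (LISTEN)
sh       4021 root 3u IPv4 9934      TCP *:31337 (LISTEN)
sshd      900 root 4u IPv4 2000      TCP 10.0.0.5:22->10.0.0.9:31337 (ESTABLISHED)
'''

def portsentry_tcp_ports(conf_text):
    """Ports on the active (uncommented) TCP_PORTS line of portsentry.conf."""
    ports = set()
    for line in conf_text.splitlines():
        m = re.match(r'\s*TCP_PORTS\s*=\s*"([^"]*)"', line)
        if m:
            ports = {int(p) for p in m.group(1).split(",") if p.strip().isdigit()}
    return ports

def tcp_listeners(lsof_text):
    """Map listening TCP port -> {(command, pid)}; ignores non-LISTEN sockets."""
    owners = {}
    for line in lsof_text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s.*\bTCP\s+\S*:(\d+)\s+\(LISTEN\)", line)
        if m:
            owners.setdefault(int(m.group(3)), set()).add((m.group(1), int(m.group(2))))
    return owners

def triage(conf_text, lsof_text, flagged=FLAGGED_PORTS):
    """Classify each flagged port by configured decoy list and socket owner."""
    configured = portsentry_tcp_ports(conf_text)
    owners = tcp_listeners(lsof_text)
    result = {}
    for port in sorted(flagged):
        names = {cmd for cmd, _ in owners.get(port, set())}
        if not names:
            result[port] = "not listening"
        # lsof may truncate the command column, hence the prefix match
        elif port in configured and all(n.startswith("portsentr") for n in names):
            result[port] = "portsentry decoy"
        else:
            result[port] = "investigate"
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_CONF, SAMPLE_LSOF))
```

A matching command name is only a hint, since process names can be forged and tools on a compromised host may be altered; stopping PortSentry and rerunning chkrootkit, as suggested in the thread, remains the confirmation.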