
Re: [cobalt-security] bindshell'... INFECTED (PORTS: 1524 31337)



Hi Brian,

> This is from the chkrootkit website:
> [snip]
> Of course the only way to know for sure it to shut off PortSentry and then
> rerun chkrootkit.  Simple enough process.

Yep. I think you are right, IF Portsentry is running in standard mode and 
not "advanced TCP" and/or "advanced UDP" mode. That is what I usually use, and 
with that I never had problems in conjunction with Chkrootkit.

In "advanced" mode Portsentry usually only binds to unused ports below 1023. 
In "standard" mode it uses a list defined in the configuration file to bind 
to a whole bunch of ports, many of them above 1023. This sure can cause false 
alarms with many tools.

> Michael, thanks for your informative post on LSOF and other hacker 
> detection techniques.

Hey, no problem. I'm always glad to be of help and am returning just the same 
favours that others gave me when I was the newcomer to Linux.

-- 

With best regards,

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
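Putting the lsof-based check discussed in this thread into a script, as an added example that is not part of the original post: it reads `lsof -nP -i` style output (the sample below is constructed) and reports which process owns the two ports chkrootkit's bindshell test flags, so a PortSentry binding can be told apart from an unknown listener. The lsof column layout and the process name `portsentry` are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post).
# Constructed sample of "lsof -nP -i -sTCP:LISTEN" output; on a real host
# replace SAMPLE_LSOF with the live command.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
portsentry  812 root    4u  IPv4  12345      0t0  TCP *:1524 (LISTEN)
portsentry  812 root    5u  IPv4  12346      0t0  TCP *:31337 (LISTEN)
sshd        455 root    3u  IPv4  10001      0t0  TCP *:22 (LISTEN)'

# Ports that chkrootkit's bindshell test reports as INFECTED.
BINDSHELL_PORTS="1524 31337"

# classify_listeners: read lsof-style lines on stdin and print
# "port command pid verdict" for each flagged port. Verdict is
# "portsentry" when PortSentry owns the socket (expected false alarm),
# "unknown" for anything else, which deserves a closer look.
classify_listeners() {
    while read -r cmd pid user fd type dev size node name rest; do
        case "$name" in
            *:*) ;;          # address:port entry, keep it
            *) continue ;;   # header line, skip it
        esac
        port=${name##*:}     # strip everything up to the last colon
        for p in $BINDSHELL_PORTS; do
            if [ "$port" = "$p" ]; then
                if [ "$cmd" = "portsentry" ]; then
                    echo "$port $cmd $pid portsentry"
                else
                    echo "$port $cmd $pid unknown"
                fi
            fi
        done
    done
}

# Usage: run the classifier over the constructed sample.
printf '%s\n' "$SAMPLE_LSOF" | classify_listeners
```

If every flagged port comes back as `portsentry`, the chkrootkit hit is the PortSentry false alarm Brian described; any `unknown` line is what the chkrootkit test was written to catch.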