
Re: [cobalt-security] Possible scalper Worm



Hi Alain,

> <-- snip -->
> Chkrootkit detected the following changes on your server:
>
> --------------------------------------------------------------------
>
> +Checking `scalper'... Warning: Possible Scalper Worm installed
>
> --------------------------------------------------------------------
> <-- snip -->
>
> As far as I know, scalper worm only infects FreeBSD based systems anyway?
> Is there a need to pay particular attention to this warning?

No, Scalper could also infect the RaQs, but there have been patches a long 
time ago which fixed the vulnerability.

However, the way chkrootkit runs the Scalper tests can lead to false 
positives.

These are the tests that Chkrootkit runs to detect Scalper:

ls -la /tmp/.uua
ls -la /tmp/.a
netstat -an|egrep 0.0:2001

So the test will say "Warning: Possible Scalper Worm installed" if either one 
of the two files shown above exists in /tmp/, or it will report Scalper being 
present if something has bound to port 2001 on localhost.

The most likely cause for a false positive report is that NAMED has bound to 
port 2001/UDP. BIND binds itself to port 53, but also uses a fairly random 
extra port for UDP, which can sometimes happen to be port 2001.

Please do the following:

Check if the files /tmp/.uua or /tmp/.a are present.

Then check what has bound to port 2001:

	netstat -tupan|egrep 0.0:2001

If that query reports ....

udp        0      0 0.0.0.0:2001            0.0.0.0:*                           24191/named

.... then you know where the false positive comes from. 

To fix the issue in that case just restart named and then run chkrootkit 
again.

If netstat reports any other process bound to 2001 than "named" in the case 
above, then you should be careful and investigate further.

-- 

With best regards,

Michael Stauber
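As an added example (not part of the original message or of chkrootkit), a POSIX shell helper that reproduces the three checks described above and separates the BIND false positive from a port-2001 binding that needs a closer look. The netstat lines embedded in it are constructed samples, and the function names `classify_port_2001` and `scalper_files_present` are my own.

```shell
#!/bin/sh
# Triage helper for the chkrootkit "Possible Scalper Worm" warning.
# The sample netstat output below is constructed, not captured from a host.

# Classify "netstat -tupan" output. Prints one of:
#   clean      - nothing is bound to port 2001
#   named      - only named (BIND) holds port 2001: likely false positive
#   suspicious - some other process holds port 2001: investigate further
classify_port_2001() {
    # $1 = full text of netstat -tupan
    matches=$(printf '%s\n' "$1" | grep -E ':2001[[:space:]]' || true)
    if [ -z "$matches" ]; then
        echo clean
        return 0
    fi
    # Drop the entries owned by named; anything left is not explained by BIND.
    others=$(printf '%s\n' "$matches" | grep -Ev '[0-9]+/named([[:space:]]|$)' || true)
    if [ -z "$others" ]; then
        echo named
    else
        echo suspicious
    fi
}

# Return 0 if either marker file chkrootkit looks for exists in the directory.
scalper_files_present() {
    # $1 = directory to inspect (defaults to /tmp)
    dir=${1:-/tmp}
    for f in "$dir/.uua" "$dir/.a"; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Constructed sample: BIND's extra UDP socket landed on port 2001.
SAMPLE_NAMED='udp        0      0 0.0.0.0:2001            0.0.0.0:*                           24191/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           24191/named'

# Constructed sample: an unrelated process listening on port 2001.
SAMPLE_OTHER='tcp        0      0 0.0.0.0:2001            0.0.0.0:*               LISTEN      4242/unknown'

# Constructed sample: only BIND's normal port 53 is in use.
SAMPLE_CLEAN='udp        0      0 0.0.0.0:53              0.0.0.0:*                           24191/named'

echo "named sample: $(classify_port_2001 "$SAMPLE_NAMED")"    # named
echo "other sample: $(classify_port_2001 "$SAMPLE_OTHER")"    # suspicious
echo "clean sample: $(classify_port_2001 "$SAMPLE_CLEAN")"    # clean
# On a live host:  classify_port_2001 "$(netstat -tupan 2>/dev/null)"; scalper_files_present /tmp
```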