
Date:  Wed, 04 Jun 2008 13:59:08 +0100
From:  Dogsbody <dan (at mark) dogsbody.org>
Subject:  [coba-e:13154] Re: SMTPS triggering chkrootkit infected port
To:  coba-e (at mark) bluequartz.org
Message-Id:  <4846919C.5090508 (at mark) dogsbody.org>
In-Reply-To:  <DB3B5127-01B5-4DE6-B4D4-37551DE9ED66 (at mark) rainstormconsulting.com>
References:  <DB3B5127-01B5-4DE6-B4D4-37551DE9ED66 (at mark) rainstormconsulting.com>
X-Mail-Count: 13154


> I've searched around the net a bit on this matter without much help.
> Anybody know why BQ's secure SMTP triggers chkrootkit's "INFECTED
> (PORTS:  465)" when obviously it's a legit SMTPS service.  Is there a
> way to not have this happen and continue using SMTPS?  Thanks!

I fix this by running the following script to call chkrootkit each day....


#!/bin/sh
# Run chkrootkit once a day and mail root only when its output differs
# from a saved known-good run (good.output). The expected bindshell hit on
# the SMTPS port 465 is part of good.output, so it no longer raises an alert.
SERVER=$(hostname)
cd /usr/local/chkrootkit-0.47 || exit 1
rm -f current.output
./chkrootkit -q > current.output 2>&1
# good.output is created once, by hand, from a run whose output was verified.
DIFF=$(/usr/bin/diff current.output good.output)
ERRO=$(/bin/cat current.output)
if [ -n "$DIFF" ]
then
/usr/lib/sendmail -t << EOF
To: root
Subject: ${SERVER}: Chkrootkit Output

====> A diff between current and good output is:

$DIFF

====> The current output is:

$ERRO

EOF
fi
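As an added example (not part of the post above and not chkrootkit's own code), the same baseline-diff idea in Python, extended with an explicit allow-list: a known-legitimate listener such as SMTPS on 465 is dropped from the bindshell finding, while any other port in that line, and any other line not in the known-good baseline, is still reported. The chkrootkit output lines below are constructed samples.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample of chkrootkit output: the SMTPS listener on 465 trips
# the bindshell check exactly as described in the thread.
SAMPLE_OUTPUT = """\
Checking `bindshell'... INFECTED (PORTS:  465)
Checking `lkm'... chkproc: nothing detected
"""

# Matches the bindshell finding; group 1 holds the space-separated port list.
PORTS_RE = re.compile(r"INFECTED \(PORTS:\s*([\d\s]+)\)")


def filter_allowed_ports(line: str, allowed: Iterable[int]) -> Optional[str]:
    """Drop allow-listed ports from a bindshell finding.

    Returns the line unchanged if it is not a PORTS finding, None if every
    listed port is allow-listed, otherwise the line rebuilt with only the
    ports that still need a human to look at them.
    """
    m = PORTS_RE.search(line)
    if not m:
        return line
    allowed = set(allowed)
    remaining = [p for p in m.group(1).split() if int(p) not in allowed]
    if not remaining:
        return None
    rebuilt = "INFECTED (PORTS:  " + " ".join(remaining) + ")"
    return line[:m.start()] + rebuilt + line[m.end():]


def unexpected_findings(current: str, baseline: str,
                        allowed_ports: Iterable[int]) -> List[str]:
    """Lines of the current run that are neither in the known-good baseline
    nor fully explained by an allow-listed port. Empty list means 'all quiet'."""
    known = set(baseline.splitlines())
    findings = []
    for line in current.splitlines():
        if line in known:
            continue
        kept = filter_allowed_ports(line, allowed_ports)
        if kept is not None:
            findings.append(kept)
    return findings


if __name__ == "__main__":
    # With 465 allow-listed, only the line missing from the (empty) baseline remains.
    for f in unexpected_findings(SAMPLE_OUTPUT, "", [465]):
        print(f)
```

In practice, feed it the current.output and good.output files from the script above and exit non-zero when the list is non-empty, so cron or the mailer only fires on a real change.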