I still have this infected port report from chkrootkit every day.
"Checking `bindshell'... INFECTED (PORTS: 600)"
netstat -naptu | grep 600 shows:
udp 0 0 0.0.0.0:600 0.0.0.0:* 1696/rpc.statd
I have no idea how to tell if this is a problem or bogus or what.
Any help would be appreciated.
- Bill
At 09:19 PM 16/12/2005, you wrote:
>I like to use:
>
>netstat -naptu
>
>This will point to the application using that port.
>
>Brian
>----- Original Message -----
>From: <mailto:billy (at mark) pdcweb.net>William J.A. Brillinger
>To: <mailto:coba-e (at mark) bluequartz.org>coba-e (at mark) bluequartz.org
>Sent: Friday, December 16, 2005 7:37 PM
>Subject: [coba-e:03685] ChkRootkit INFECTED (PORTS: 600)
>
>Hi All,
>
>I have gotten this from Chkrootkit several times today on my centos4+bq box.
>
>Checking `bindshell'... INFECTED (PORTS: 600)
>
>What do I need to look for to confirm if I am infected?
>
>This looks right:
>
>lsof -i:600
>COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>rpc.statd 1696 rpcuser 5u IPv4 4442 UDP *:600
>
>netstat -an | grep :6
>tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
>udp 0 0 0.0.0.0:600 0.0.0.0:*
>udp 0 0 0.0.0.0:631 0.0.0.0:*
>
>
>- Bill
>
>
>---------------------------------
>William J.A. Brillinger
>Precision Design Co.
>
>E-Mail: mailto:billy (at mark) pdcweb.net
>Web site: http://www.pdcweb.net
---------------------------------
William J.A. Brillinger
Precision Design Co.
E-Mail: mailto:billy (at mark) pdcweb.net
Web site: http://www.pdcweb.net
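As an added example that is not part of the thread, here is a small POSIX shell script that does what Brian's netstat tip does by hand: it pulls the port numbers out of chkrootkit's bindshell line, looks up the owning process in `netstat -naptu` output, and flags any port whose owner is not on an allowlist of daemons known to land on those ports. The chkrootkit and netstat text is constructed sample output (the cupsd PID and the allowlist are assumptions); on a live box replace the two variables with `chkrootkit -q` and `netstat -naptu`.

```shell
#!/bin/sh
# Cross-check chkrootkit "bindshell" hits against the process bound to each port.

# Constructed sample: the chkrootkit line quoted in the thread.
CHKROOTKIT_OUT="Checking \`bindshell'... INFECTED (PORTS: 600)"

# Constructed sample of netstat -naptu output (rpc.statd line from the thread,
# cupsd PID made up for the example).
NETSTAT_OUT="Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1234/cupsd
udp 0 0 0.0.0.0:600 0.0.0.0:* 1696/rpc.statd"

# Assumed allowlist: portmapper-assigned daemons that legitimately pick a port
# chkrootkit also lists as a known bindshell port.
KNOWN_OK="rpc.statd rpc.mountd"

# extract_ports: print each port after "INFECTED (PORTS:" on its own line.
extract_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/.*INFECTED (PORTS: *\([0-9, ]*\)).*/\1/p' \
        | tr ', ' '\n\n' | grep -v '^$'
}

# owner_of_port PORT NETSTAT_TEXT: print "PID/Program" bound to the local port,
# or UNKNOWN when nothing visible is bound (worth a closer look: a rootkit
# may hide its socket from netstat).
owner_of_port() {
    owner=$(printf '%s\n' "$2" | awk -v p=":$1" '$4 ~ p "$" { print $NF; exit }')
    [ -n "$owner" ] && printf '%s\n' "$owner" || echo UNKNOWN
}

# classify_port PORT NETSTAT_TEXT: OK if the owning program is allowlisted,
# SUSPECT otherwise (including UNKNOWN owners).
classify_port() {
    prog=$(owner_of_port "$1" "$2"); prog=${prog#*/}
    for ok in $KNOWN_OK; do
        [ "$prog" = "$ok" ] && { echo OK; return 0; }
    done
    echo SUSPECT
}

# report: one line per flagged port with owner and verdict.
report() {
    for p in $(extract_ports "$CHKROOTKIT_OUT"); do
        printf 'port %s owner=%s verdict=%s\n' "$p" \
            "$(owner_of_port "$p" "$NETSTAT_OUT")" "$(classify_port "$p" "$NETSTAT_OUT")"
    done
}

report
```

chkrootkit's bindshell test only matches listening ports against a hard-coded list of numbers, so a hit is a false positive once the owner is confirmed to be an expected daemon, and a real concern when the owner is unexpected or nothing is visibly bound.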