chkrootkit has some false positives with centos4 (rhel4). I suggest you
install and use rkhunter from www.rootkit.nl and check if that
problem is true or not.
regards
epe
William J.A. Brillinger wrote:
> I still have this infected port report from chkrootkit every day.
>
> "Checking `bindshell'... INFECTED (PORTS: 600)"
>
> netstat -naptu | grep 600 shows:
> udp 0 0 0.0.0.0:600 0.0.0.0:* 1696/rpc.statd
>
> I have no idea how to tell if this is a problem or bogus or what.
> Any help would be appreciated.
>
> - Bill
>
>
> At 09:19 PM 16/12/2005, you wrote:
>
>> I like to use:
>>
>> netstat -naptu
>>
>> This will point to the application using that port.
>>
>> Brian
>> ----- Original Message -----
>> From: <mailto:billy (at mark) pdcweb.net>William J.A. Brillinger
>> To: <mailto:coba-e (at mark) bluequartz.org>coba-e (at mark) bluequartz.org
>> Sent: Friday, December 16, 2005 7:37 PM
>> Subject: [coba-e:03685] ChkRootkit INFECTED (PORTS: 600)
>>
>> Hi All,
>>
>> I have gotten this from Chkrootkit several times today on my
>> centos4+bq box.
>>
>> Checking `bindshell'... INFECTED (PORTS: 600)
>>
>> What do I need to look for to confirm if I am infected?
>>
>> This looks right:
>>
>> lsof -i:600
>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>> rpc.statd 1696 rpcuser 5u IPv4 4442 UDP *:600
>>
>> netstat -an | grep :6
>> tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN
>> udp 0 0 0.0.0.0:600 0.0.0.0:*
>> udp 0 0 0.0.0.0:631 0.0.0.0:*
>>
>>
>> - Bill
>>
>>
>> ---------------------------------
>> William J.A. Brillinger
>> Precision Design Co.
>>
>> E-Mail: mailto:billy (at mark) pdcweb.net
>> Web site: http://www.pdcweb.net
>
>
>
> ---------------------------------
> William J.A. Brillinger
> Precision Design Co.
>
> E-Mail: mailto:billy (at mark) pdcweb.net
> Web site: http://www.pdcweb.net
>
--
Ing. Ernesto Pérez Estévez
http://www.ecualinux.com
USA: + 1 404 795 0321
Ecuador: (02)3412402 - (09) 9246504
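
The check this thread revolves around (which process actually holds the port that chkrootkit flagged), as an added example that is not part of the original messages. The `ALLOWED` list and the `cupsd` sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: map each port in a chkrootkit bindshell alert to its owner.

# Constructed sample input. The alert and the udp line are the ones quoted in
# this thread; the tcp line's PID/program is made up for contrast.
SAMPLE_ALERT="Checking \`bindshell'... INFECTED (PORTS: 600)"
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 2001/cupsd
udp 0 0 0.0.0.0:600 0.0.0.0:* 1696/rpc.statd'

# Assumption: programs you expect on dynamically assigned ports on this host.
ALLOWED="rpc.statd"

# Print the port numbers listed in an "INFECTED (PORTS: ...)" line.
alert_ports() {
  printf '%s\n' "$1" | sed -n 's/.*INFECTED (PORTS:\([0-9 ]*\)).*/\1/p'
}

# Print "proto pid program" for every socket bound to port $1 in netstat text $2.
# The port is compared exactly, so 600 does not match 6000 or 1600.
port_owners() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 ~ /^(tcp|udp)/ {
      n = split($4, addr, ":")
      if (addr[n] != port) next
      split($NF, own, "/")          # last column is PID/Program, or "-" without root
      print $1, own[1], (own[2] == "" ? "unknown" : own[2])
    }'
}

# One verdict line per flagged port and owner.
triage() {
  for port in $(alert_ports "$1"); do
    owners=$(port_owners "$port" "$2")
    if [ -z "$owners" ]; then
      echo "$port - - no-listener"   # nothing bound now: re-check, compare with lsof
      continue
    fi
    printf '%s\n' "$owners" | while read -r proto pid prog; do
      case " $ALLOWED " in
        *" $prog "*) echo "$port $proto $pid/$prog expected" ;;
        *)           echo "$port $proto $pid/$prog investigate" ;;
      esac
    done
  done
}

triage "$SAMPLE_ALERT" "$SAMPLE_NETSTAT"
```

On a live host, pass the real `netstat -naptu` output collected as root so the PID/Program column is populated.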