I had rebuilt the sendmail.cf file adding the greet_pause suggestions that I
found in reading the old mailing list stuff...
I diffed the .cf files this AM and found that the new one had these lines
that were commented out in the old version:
O DaemonPortOptions=Port=submission, Name=MSA, M=Ea
O DaemonPortOptions=Port=smtps, Name=TLSMTA, M=s
I commented them back out and no more bindshell INFECTED warnings.
I didn't consider the changes to the .cf file prior to seeing the chkroot
results.
Thanks everyone for all your advice. New box and a new learning curve. :-)
--Will
> -----Original Message-----
> From: Arthur Sherman [mailto:arturs (at mark) netvision.net.il]
> Sent: Saturday, December 30, 2006 11:36 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08425] Re: System hacked?!?!?
>
> > I've considered doing that... BUT... the current netstat indicates the
> > ports are in use by sendmail & PortSentry. When I shut down portsentry &
> > sendmail and then run chkrootkit again (have now upgraded to V0.47) it
> > shows no bindshell issues.
> >
> > I also installed rkhunter-1.2.8 yesterday and, while it doesn't recognize
> > my OS (and didn't run MD5 checks)... it finds no evidence of any rootkits.
> >
> > --Will
>
>
> Seems to be an FP from an older version of chkrootkit.
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> CPTeam
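The check that resolved the thread above (which process owns the ports chkrootkit flags, and whether an active DaemonPortOptions line in sendmail.cf explains them) can be scripted so it is done before anyone declares a box infected. The script below is an added example, not code from the list or from chkrootkit; it parses constructed samples of chkrootkit output, `ss -ltnp` output and a sendmail.cf fragment (all made up for this example, with the standard port numbers for smtp, submission and smtps assumed), and classifies each flagged port as explained by configuration, owned by a known daemon, or unexplained.

```python
"""Triage chkrootkit 'bindshell' warnings against the real listeners.

Added example, not part of the original thread. It cross-checks the ports
chkrootkit's bindshell test reports with `ss -ltnp` output and with the
uncommented DaemonPortOptions lines in sendmail.cf, so a port bound by an
intentionally configured daemon is separated from one nobody can explain.
Every input below is a constructed sample.
"""
import re

# Standard IANA service names -> TCP ports (assumed; only those used here).
SERVICE_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}

# Daemons the admin expects to own listening sockets on this box.
KNOWN_DAEMONS = {"sendmail", "portsentry"}

# Constructed chkrootkit output in the tool's usual line style.
CHKROOTKIT_OUTPUT = """\
Checking `basename'... not infected
Checking `bindshell'... INFECTED (PORTS:  465 587 31337)
Checking `lkm'... not tested
"""

# Constructed `ss -ltnp` output: sendmail on 25/465/587, one unexplained listener.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      10     0.0.0.0:25         0.0.0.0:*         users:(("sendmail",pid=1201,fd=4))
LISTEN 0      10     0.0.0.0:587        0.0.0.0:*         users:(("sendmail",pid=1201,fd=5))
LISTEN 0      10     0.0.0.0:465        0.0.0.0:*         users:(("sendmail",pid=1201,fd=6))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("sh",pid=2345,fd=3))
"""

# Constructed sendmail.cf fragment: submission commented out, smtp and smtps active.
SENDMAIL_CF = """\
O DaemonPortOptions=Port=smtp, Name=MTA
#O DaemonPortOptions=Port=submission, Name=MSA, M=Ea
O DaemonPortOptions=Port=smtps, Name=TLSMTA, M=s
"""


def flagged_ports(chkrootkit_text):
    """Return the set of ports chkrootkit's bindshell test reported."""
    m = re.search(r"bindshell'\.\.\. INFECTED \(PORTS:\s*([\d\s]+)\)", chkrootkit_text)
    return {int(p) for p in m.group(1).split()} if m else set()


def listeners(ss_text):
    """Map listening TCP port -> owning process name from `ss -ltnp` output."""
    result = {}
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue
        port = int(line.split()[3].rsplit(":", 1)[1])  # works for v4 and [::] forms
        proc = re.search(r'users:\(\("([^"]+)"', line)
        result[port] = proc.group(1) if proc else "?"
    return result


def configured_sendmail_ports(cf_text):
    """Ports sendmail is told to bind by *uncommented* DaemonPortOptions lines."""
    ports = set()
    for line in cf_text.splitlines():
        if not line.startswith("O DaemonPortOptions="):
            continue  # a leading '#' makes the line a comment, as in the thread
        m = re.search(r"Port=([^,\s]+)", line)
        if not m:
            continue
        name = m.group(1)
        port = int(name) if name.isdigit() else SERVICE_PORTS.get(name)
        if port is not None:
            ports.add(port)
    return ports


def triage(flagged, listening, sendmail_ports):
    """Classify each flagged port; only the last class deserves an incident."""
    verdicts = {}
    for port in sorted(flagged):
        proc = listening.get(port)
        if proc is None:
            verdicts[port] = "no listener now: re-run chkrootkit to confirm"
        elif proc == "sendmail" and port in sendmail_ports:
            verdicts[port] = "sendmail, enabled by DaemonPortOptions in sendmail.cf"
        elif proc == "sendmail":
            verdicts[port] = "sendmail, but no active DaemonPortOptions line: stale process, restart and re-check"
        elif proc in KNOWN_DAEMONS:
            verdicts[port] = f"{proc} (known daemon)"
        else:
            verdicts[port] = f"UNEXPLAINED listener '{proc}' (pid in ss output): investigate"
    return verdicts


if __name__ == "__main__":
    report = triage(flagged_ports(CHKROOTKIT_OUTPUT), listeners(SS_OUTPUT),
                    configured_sendmail_ports(SENDMAIL_CF))
    for port, verdict in report.items():
        print(f"{port:>6}  {verdict}")
```

On a live box the three constants would be replaced by the real command output and the real /etc/mail/sendmail.cf; the point of the "stale process" branch is exactly the thread's situation, where the .cf was edited but the verdict only changes once sendmail is restarted and the listener is gone.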