On Sun, 7 Jul 2024 at 00:21, Vincent Lefevre <vinc...@vinc17.net> wrote:
>
> On 2024-07-07 00:50:05 +0200, Vincent Lefevre wrote:
> > I got the following warning:
> >
> > -Checking `bindshell'... not found
> > +Checking `bindshell'... WARNING
> > +
> > +WARNING: Potential bindshell installed: infected ports: 60001
> > +
> >
> > According to lsof, this is actually mosh-server (from the mosh Debian
> > package).
>
> chkrootkit does:
>
>     bindshell () {
>        PORT="114 145 465 511 600 1008 1524 1999 1978 2881 3049 3133 3879 4000 4369
>     5190 5665 6667 10008 12321 23132 27374 29364 30999 31336 31337 37998 45454
>     47017 47889 60001 7222"
>        OPT="-an"
>        [...]
>        for P in $PORT; do
>           if ${netstat} "${OPT}" | ${egrep} -q "^(tcp.*LIST|udp).*[.:]${P}[^0-9.:]" >/dev/null 2>&1
>           then
>              PI="${PI} ${P}"
>           fi
>        done
>        [...]
>
> I suggest also using the --program option for netstat,
Despite the name, it prefers to use ss(1), not netstat(1), and I don't think ss has such an option? However:

- Maybe we could call lsof on the results to at least say what is listening (what command did you use?)
- we could make PORTS configurable
- does mosh always use 6001 or is it more random?
- we could document this in README.FALSE-POSITIVES (although it already says something about this, but we can mention mosh as an example)