On Tuesday 24 February 2004 07:53, Greg wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)

Try an nmap port scan from the outside to your IP address. If those ports are 
open but netstat doesn't show them as LISTENING, chances are your netstat is 
modified to hide the connections.
You may also want to run chkrootkit when booted from single user mode.

Regards,

Ricardo.
>
> I am not sure how to interpret this.  I have checked logs, as well as
> binary checks, and everything "seems" fine.  Can someone help me interpret
> the logs?  I will attach them at the tail of the email in case they may be
> helpful.
>
>
> I don't know what my next step would be.  If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.
>
> Thanks in advance.
>
> Greg MEATPLOW
>
> #################
>  #chkrootkit
>
> alpha:~# chkrootkit
> ROOTDIR is `/'
> Checking `amd'... not found
> Checking `basename'... not infected
> Checking `biff'... not found
> Checking `chfn'... not infected
> Checking `chsh'... not infected
> Checking `cron'... not infected
> Checking `date'... not infected
> Checking `du'... not infected
> Checking `dirname'... not infected
> Checking `echo'... not infected
> Checking `egrep'... not infected
> Checking `env'... not infected
> Checking `find'... not infected
> Checking `fingerd'... not found
> Checking `gpm'... not found
> Checking `grep'... not infected
> Checking `hdparm'... not found
> Checking `su'... not infected
> Checking `ifconfig'... not infected
> Checking `inetd'... not infected
> Checking `inetdconf'... not infected
> Checking `identd'... not found
> Checking `killall'... not found
> Checking `ldsopreload'... not infected
> Checking `login'... not infected
> Checking `ls'... not infected
> Checking `lsof'... not found
> Checking `mail'... not infected
> Checking `mingetty'... not found
> Checking `netstat'... not infected
> Checking `named'... not infected
> Checking `passwd'... not infected
> Checking `pidof'... not infected
> Checking `pop2'... not found
> Checking `pop3'... not found
> Checking `ps'... not infected
> Checking `pstree'... not found
> Checking `rpcinfo'... not infected
> Checking `rlogind'... not found
> Checking `rshd'... not found
> Checking `slogin'... not infected
> Checking `sendmail'... not infected
> Checking `sshd'... not infected
> Checking `syslogd'... not infected
> Checking `tar'... not infected
> Checking `tcpd'... not infected
> Checking `top'... not infected
> Checking `telnetd'... not found
> Checking `timed'... not found
> Checking `traceroute'... not infected
> Checking `write'... not infected
> Checking `aliens'...
> /dev/st- /dev/sto
> Searching for sniffer's logs, it may take a while... nothing found
> Searching for HiDrootkit's default dir... nothing found
> Searching for t0rn's default files and dirs... nothing found
> Searching for t0rn's v8 defaults... nothing found
> Searching for Lion Worm default files and dirs... nothing found
> Searching for RSHA's default files and dir... nothing found
> Searching for RH-Sharpe's default files... nothing found
> Searching for Ambient's rootkit (ark) default files and dirs... nothing found
> Searching for suspicious files and dirs, it may take a while... nothing found
> Searching for LPD Worm files and dirs... nothing found
> Searching for Ramen Worm files and dirs... nothing found
> Searching for Maniac files and dirs... nothing found
> Searching for RK17 files and dirs... nothing found
> Searching for Ducoci rootkit... nothing found
> Searching for Adore Worm... nothing found
> Searching for ShitC Worm... nothing found
> Searching for Omega Worm... nothing found
> Searching for Sadmind/IIS Worm... nothing found
> Searching for MonKit... nothing found
> Searching for anomalies in shell history files... nothing found
> Checking `asp'... not infected
> Checking `bindshell'... INFECTED (PORTS:  1524 31337)
> Checking `lkm'... nothing detected
> Checking `rexedcs'... not found
> Checking `sniffer'...   eth0 is not promisc
> Checking `wted'... nothing deleted
> Checking `z2'...
> nothing deleted

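The cross-check Ricardo describes, written out as an added example (this is not code from either message above, nor part of chkrootkit). chkrootkit's `bindshell' test only matches port numbers in the netstat table against a list of ports that known bindshells use, so the hit by itself says little; what matters is whether the host's own tools agree with an outside view. The script below compares three port lists: what `nmap -sT -p- -oG -' saw from outside, what `netstat -tln' reports on the host, and what /proc/net/tcp says when read directly, which bypasses the netstat binary (but not a modified kernel, which is why a boot from known-clean media is still the last word). All inputs are saved captures so it runs offline; the sample captures are constructed for illustration, with 192.0.2.10 as a placeholder address and only the 1524/31337 ports taken from the chkrootkit line in the thread.

```shell
#!/bin/sh
# Added example: compare ports seen open from outside (nmap -oG capture)
# with what the suspect host itself reports (netstat -tln and /proc/net/tcp).
# Ports in the outside view that are missing locally are the ones to explain.
# Sample data below is constructed; 192.0.2.10 is a placeholder address.

# Open TCP ports from nmap grepable (-oG) output, one per line, sorted for comm(1).
nmap_open_ports() {
    grep '^Host:' "$1" \
      | sed -n 's/.*Ports: //p' \
      | tr ',' '\n' \
      | sed -n 's#^[[:space:]]*\([0-9][0-9]*\)/open/tcp/.*#\1#p' \
      | sort -u
}

# LISTEN ports from a saved `netstat -tln` listing (tcp and tcp6 rows).
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" \
      | sort -u
}

# LISTEN ports straight from a copy of /proc/net/tcp: column 4 is the socket
# state (0A = LISTEN), column 2 is local "addr:port" with the port in hex.
proc_listen_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" \
      | while read -r hex; do printf '%d\n' "0x$hex"; done \
      | sort -u
}

# Ports nmap saw open that the chosen local listing does not contain.
# $1 = nmap -oG capture, $2 = "netstat" or "proc", $3 = the matching capture.
hidden_ports() {
    _tmp=$(mktemp -d) || return 1
    nmap_open_ports "$1" > "$_tmp/remote"
    case "$2" in
        netstat) netstat_listen_ports "$3" > "$_tmp/local" ;;
        proc)    proc_listen_ports "$3"    > "$_tmp/local" ;;
        *) echo "unknown local source: $2" >&2; rm -rf "$_tmp"; return 2 ;;
    esac
    comm -23 "$_tmp/remote" "$_tmp/local"
    rm -rf "$_tmp"
}

# Constructed captures: outside scan sees 22, 25, 1524, 31337; netstat on the
# host shows only 22 and 25; /proc/net/tcp additionally shows 1524 (0x05F4)
# in LISTEN, plus one ESTABLISHED row (state 01) that must be ignored.
make_samples() {
    cat > "$1/nmap.gnmap" <<'EOF'
# Nmap 3.50 scan initiated as: nmap -sT -p- -oG - 192.0.2.10
Host: 192.0.2.10 ()   Status: Up
Host: 192.0.2.10 ()   Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 1524/open/tcp//ingreslock///, 31337/open/tcp//Elite///   Ignored State: closed (65531)
# Nmap done: 1 IP address (1 host up)
EOF
    cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
    cat > "$1/proc_net_tcp.txt" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1300 1
   3: 0100007F:0016 0100007F:8F2A 01 00000000:00000000 00:00000000 00000000     0        0 1301 1
EOF
}

main() {
    d=$(mktemp -d) || exit 1
    make_samples "$d"
    echo "open outside, not in netstat:      $(hidden_ports "$d/nmap.gnmap" netstat "$d/netstat.txt" | tr '\n' ' ')"
    echo "open outside, not in /proc/net/tcp: $(hidden_ports "$d/nmap.gnmap" proc "$d/proc_net_tcp.txt" | tr '\n' ' ')"
    rm -rf "$d"
}

main "$@"
```

With the constructed captures, 1524 shows up as hidden by the netstat listing but present in /proc/net/tcp, which points at a replaced netstat binary rather than the kernel, while 31337 is absent from both local views, which is the pattern a kernel-level hide (or a listener that is only up intermittently) would produce. On a real host, run the nmap side from another machine, and on Linux use `netstat -tlnp` as root so the owning PID and program name are shown for whatever is bound to those ports.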