thveillon.debian on 04/08/08 13:48, wrote:
Adam Hardy on 03/08/08 14:13, wrote:
[...snip]
I talked to the support at the hosting company and they looked at the
system and said they couldn't see anything wrong with it - but they
can re-image it for me which normally costs a fee.
Is it worth re-imaging my system and re-installing everything?
I still have no idea what chkrootkit means when it says a port is
infected.
Adam
Hi,
Chkrootkit is known to fall for quite a few false positive, for example
if you run Portsentry or such anti-portscan demon, it also can detect
legitimate services like dhcpd or such as sniffers, which isn't really
incorrect but not a problem. I never heard of 2881 as being one of
those, but maybe getting in touch with the dev team could give you an
easy answer.
http://www.chkrootkit.org/
Maybe the only way to know for sure would be scanning all traffic from
another system regarding this port to see if anything suspicious can be
spotted, and maybe running an integrity check with debsum or such on
conf files, comparing the result with a backup from an earlier state or
a known sane system.
What would really be interesting is to spot the precise day when the
warning first occurred from your system logs, and see if you can spot
any change in configuration that could have triggered it (update ?).
That is, if your system really is infected you cannot trust anything and
especially not the logs...
I got that message in the email from early Saturday morning's cronjob.
I have been following instructions on
http://www.cert.org/tech_tips/intruder_detection_checklist.html
and I found that step 2 (look for setuid and setgid files) produces a file list:
[EMAIL PROTECTED]:~# find / -xdev -user root -perm -4000 -print
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/sbin/unix_chkpwd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/X
/usr/bin/sudo
/usr/bin/gpg
/usr/bin/sudoedit
/usr/bin/netselect
/usr/bin/traceroute.lbl
/usr/lib/pt_chown
/usr/lib/openssh/ssh-keysign
/usr/lib/apache/suexec.disabled
/usr/lib/libfakeroot-tcp.so
/usr/lib/libfakeroot-sysv.so
Again, I'm stumbling in the dark here. cert.org doesn't explain what this list
of files signifies, it just implies that I shouldn't see it.
Also, I still have no idea what chkrootkit detected which made it decide to send
an INFECTED alert on that port.
Regards
Adam
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]