The only way these could be false positives is if those three ports are not actually in use. The warnings all say "Possible" and your testing confirms that they are in use, so why would you think they are FPs?
Since you seem to have confirmed that PortSentry does use these ports, you should either ignore the warnings or whitelist those ports. The latter will then partially disable checks for those three actual rootkits. I don't know anything about PortSentry, but hopefully that would provide adequate protection against those rootkits.

-Al-

On Fri, Apr 15, 2016 at 02:09 PM, Sid Yy wrote:
> When portsentry is running, it seems to cause false positives for rkhunter.
>
> When portsentry is running, the rkhunter log displays:
>
> [14:49:53] Checking for TCP port 1524 [ Found ]
> [14:49:53] Warning: Network TCP port 1524 is being used. Possible rootkit:
> Possible FreeBSD (FBRK) Rootkit backdoor
> [14:49:54] Checking for TCP port 6667 [ Found ]
> [14:49:54] Warning: Network TCP port 6667 is being used. Possible rootkit:
> Possible rogue IRC bot
> [14:49:54] Checking for TCP port 31337 [ Found ]
> [14:49:54] Warning: Network TCP port 31337 is being used. Possible rootkit:
> Historical backdoor port
> Use the 'lsof -i' or 'netstat -an' command to check this.
> [xx:xx:xx] Possible rootkits: 3
>
> When I run netstat -an and grep for each setting it shows:
>
> tcp4 0 0 *.1524 *.* LISTEN
> tcp4 0 0 *.6667 *.* LISTEN
> tcp4 0 0 *.31337 *.* LISTEN
>
> sockstat -46 only shows portsentry under each of these TCP ports.
>
> I think it's a false positive; when TCP ports are added and removed from
> /usr/local/etc/portsentry.conf, rkhunter finds different possible rootkits.
> I'm not completely sure, but I want to bring the rkhunter and portsentry
> interaction to attention. Informed opinions appreciated. If it matters, this
> is on FreeBSD 10.3. Thank you.

-Al-
--
Al Varnell
Mountain View, CA
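The reply above recommends confirming which process owns each flagged port before whitelisting it, and notes that a plain port whitelist switches the check off for that port entirely. The script below is an added example (not from the thread, rkhunter or PortSentry) that turns that advice into a repeatable check: it reads sockstat-style output, resolves the owning process for each port rkhunter flagged, and only emits a whitelist entry when the owner is the daemon you expect. It assumes the rkhunter.conf option PORT_PATH_WHITELIST with the pathname:protocol:port syntax that recent rkhunter releases document (verify against your own installed rkhunter.conf), an installed path of /usr/local/bin/portsentry, and a constructed sample of `sockstat -46` output rather than a capture from a real host. Whitelisting by path instead of by bare port keeps rkhunter's warning alive for the case where some other binary binds one of these ports later.

```shell
#!/bin/sh
# Added example: resolve the listener on each rkhunter-flagged port and build
# rkhunter PORT_PATH_WHITELIST lines only for the daemon we expect to see.

# Constructed sample of FreeBSD `sockstat -46` output (not captured from a real host).
# On a live system replace this with:  SAMPLE_SOCKSTAT=$(sockstat -46l)
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     portsentry 812   5  tcp4   *:1524                *:*
root     portsentry 812   6  tcp4   *:6667                *:*
root     portsentry 812   7  tcp4   *:31337               *:*
root     sshd       611   4  tcp4   *:22                  *:*'

# The three TCP ports rkhunter warned about in the quoted log.
FLAGGED_PORTS="1524 6667 31337"

# port_owner PORT
#   Print "COMMAND PID" of the TCP listener on PORT, or nothing if none.
#   Field layout: USER COMMAND PID FD PROTO LOCAL FOREIGN; the port is the
#   last colon-separated element of LOCAL, so 127.0.0.1:22 and *:22 both work.
port_owner() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | awk -v port="$1" '
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")
            if (a[n] == port) { print $2, $3; exit }
        }'
}

# whitelist_lines EXPECTED_COMMAND EXPECTED_PATH
#   For each flagged port, emit a PORT_PATH_WHITELIST entry (assumed rkhunter.conf
#   syntax: pathname:protocol:port) when the listener is EXPECTED_COMMAND; any other
#   owner, or no owner at all, is reported as a comment and deliberately NOT whitelisted.
whitelist_lines() {
    expected_cmd="$1"; expected_path="$2"
    for p in $FLAGGED_PORTS; do
        owner=$(port_owner "$p")
        cmd=${owner%% *}
        if [ "$cmd" = "$expected_cmd" ]; then
            printf 'PORT_PATH_WHITELIST=%s:TCP:%s\n' "$expected_path" "$p"
        else
            printf '# NOT whitelisted: tcp/%s is owned by "%s"\n' "$p" "${owner:-nothing}"
        fi
    done
}

# Usage: print the lines to append to rkhunter.conf (assumed portsentry path).
whitelist_lines portsentry /usr/local/bin/portsentry
```

Run it as shown and append only the PORT_PATH_WHITELIST lines it prints to rkhunter.conf; any port that comes back as "NOT whitelisted" deserves a look with `lsof -i` or `sockstat -46l` before you touch the config. If your rkhunter version only supports PORT_WHITELIST, substitute that name and accept that the check for those three ports is then disabled outright, as the reply above warns.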
_______________________________________________ Rkhunter-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/rkhunter-users
