INFECTED (PORTS: 600)
Hey guys,

Just new to this mailing list, hope you guys can help me out. I was testing out the chkrootkit package on one of my Debian boxes. After running 'chkrootkit -q' I received the following output:

    INFECTED (PORTS: 600)

I looked further into it and narrowed it down to this. 'netstat -naptu | grep 600' gave me the following output:

    udp 0 0 0.0.0.0:600 0.0.0.0:* 2120/rpc.statd

I have searched around on other mailing lists and forums, but could never really get a definitive answer. Is this a common message for chkrootkit, should I be worried? Any help would be great, thanks in advance.

~Morgan

Morgan Walker
Systems Administrator/Engineer
M•CAM, Inc.
Omni Business Center
210 Ridge-McIntire Rd., Suite 300
Charlottesville, VA 22903
434.979.7240 x311
http://www.m-cam.com
Re: INFECTED (PORTS: 600)
On Thursday 18 May 2006 14:17, Morgan Walker wrote:
> running 'chkrootkit -q' I received the following output:
> INFECTED (PORTS: 600)
> udp 0 0 0.0.0.0:600 0.0.0.0:* 2120/rpc.statd
> never really get a definitive answer. Is this a common message for
> chkrootkit, should I be worried? Any help would be great, thanks in advance.

I got that message (with a different port) just because I was running imaps rather than normal imap. chkrootkit seems to employ a bit of poetic license with its definition of infected ;)

--
Lee Braiden
http://DigitalUnleashed.com

What's so civil about war anyway? -- Guns N' Roses
password minimum days problem
Here's the issue. If PASS_MIN_DAYS is set to some value in /etc/login.defs, this defines the minimum number of days a user must keep the same password. This is intended to prevent password cycling. Password cycling is when a password history is used and the new password is required to be different than the N previous ones. If there's no PASS_MIN_DAYS set then the user can immediately cycle through N passwords to get their old one back.

But the problem I'm having is this: when I set PASS_MIN_DAYS to some value, it seems that the user account must be deleted and recreated for the new setting to take effect. This is all good and fine, but when I initially create the new user, I give them some default password that they should have to change right away. However, PASS_MIN_DAYS is preventing this from happening.

So how to have PASS_MIN_DAYS set but to allow/require the new user to change his password on the first login?
Re: password minimum days problem
On Thu, May 18, 2006 at 02:39:25PM -0700, [EMAIL PROTECTED] wrote:
> So how to have PASS_MIN_DAYS set but to allow/require the new user to
> change his password on the first login?

Use passwd -e to force the user to change his password.

Mike Stone
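How the minimum age and the forced change interact, as an added example that is not part of the original thread: `passwd -e` sets the last-change field in /etc/shadow to 0, which demands a new password at the next login and is not held back by the minimum age. The shadow entries, the day numbers, the user name and the function name are constructed for illustration.

```sh
#!/bin/sh
# Added example: how the aging fields in /etc/shadow interact with PASS_MIN_DAYS.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire (days since 1970-01-01).

# Constructed entries, not from a real host; "today" is day 13286 (2006-05-18).
SAMPLE_SHADOW='fresh:$1$constructed$hash:13286:7:90:7:::
expired:$1$constructed$hash:0:7:90:7:::
settled:$1$constructed$hash:13200:7:90:7:::'

# change_status USER TODAY: read shadow lines on stdin and print one of
#   must-change  lastchg is 0, the state "passwd -e" (or "chage -d 0") leaves
#   blocked      fewer than <min> days have passed since the last change
#   allowed      the user may change the password now
change_status() {
    awk -F: -v user="$1" -v today="$2" '
        $1 != user      { next }
        $3 == 0         { print "must-change"; exit }
        today < $3 + $4 { print "blocked"; exit }
                        { print "allowed"; exit }'
}

# On a live system ("alice" is a hypothetical account name):
#   passwd -e alice     # set lastchg to 0: change required at next login
#   chage -m 7 alice    # set the minimum age on an account that already exists
#   chage -l alice      # show the resulting aging settings

# Stand-alone run: a password set today with min=7 cannot be changed yet.
printf '%s\n' "$SAMPLE_SHADOW" | change_status fresh 13286
```

PASS_MIN_DAYS in /etc/login.defs is only copied into the shadow entry when an account is created, which is why `chage -m` is shown for accounts that already exist.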
Re: INFECTED (PORTS: 600)
--On May 18, 2006 9:17:09 AM -0400 Morgan Walker [EMAIL PROTECTED] wrote:

> Hey guys,
>
> Just new to this mailing list, hope you guys can help me out. I was
> testing out the chkrootkit package on one of my debian boxes. After
> running 'chkrootkit -q' I received the following output:

Use lsof and ps to find out who's running that proc and where from. If root isn't running it then someone has a hacked binary that's trying to hide; if root is, and lsof indicates it's not /sbin/rpc.statd, then you're owned. It's kind of unusual for statd to show up on such a low port but not totally unheard of.

> INFECTED (PORTS: 600)
>
> I looked further into and narrowed down to this. 'netstat -naptu | grep
> 600' gave me the following ouput:
>
> udp 0 0 0.0.0.0:600 0.0.0.0:* 2120/rpc.statd
>
> I have searched around on other mailing lists and forums, but could never
> really get a definitive answer. Is this a common message for chkrootkit,
> should I be worried? Any help would be great, thanks in advance.
>
> ~Morgan

--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting
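The owner-and-binary check described in the reply above, as an added example that is not part of the original thread. The netstat lines are a constructed sample, the function names are illustrative, and `first_resvport` encodes an assumption about the glibc of that period: its bindresvport() began searching at 600 + (pid % 424), which for PID 2120 is exactly port 600.

```sh
#!/bin/sh
# Added example: triage of a chkrootkit "INFECTED (PORTS: 600)" report.

# Constructed sample of `netstat -naptu` output (not captured from a real host).
SAMPLE_NETSTAT='tcp   0  0 0.0.0.0:6000   0.0.0.0:*  LISTEN  1893/Xorg
udp   0  0 0.0.0.0:600    0.0.0.0:*          2120/rpc.statd
udp   0  0 0.0.0.0:32768  0.0.0.0:*          2120/rpc.statd'

# port_owner PORT: read netstat output on stdin and print "PID PROGRAM" for
# sockets whose local port is exactly PORT ("grep 600" also matches 6000).
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, addr, ":")      # local address; port is the last part
            if (addr[n] != port) next
            split($NF, owner, "/")        # last column is PID/Program name
            print owner[1], owner[2]
        }'
}

# verdict UID EXE EXPECTED: the rule as stated in the reply above. The process
# should run as root and its executable should be the expected statd binary.
verdict() {
    if [ "$1" = "0" ] && [ "$2" = "$3" ]; then
        echo "ok"
    else
        echo "suspect"
    fi
}

# inspect_pid PID [EXPECTED]: live check on Linux; run as root so /proc is readable.
inspect_pid() {
    exe=$(readlink "/proc/$1/exe") || return 1
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$1/status")
    echo "pid=$1 uid=$uid exe=$exe -> $(verdict "$uid" "$exe" "${2:-/sbin/rpc.statd}")"
}

# first_resvport PID: assumption (see lead-in): where an old glibc
# bindresvport() started its search within the 600-1023 range.
first_resvport() {
    echo $(( $1 % 424 + 600 ))
}

# Stand-alone run on the constructed sample: prints "2120 rpc.statd".
printf '%s\n' "$SAMPLE_NETSTAT" | port_owner 600
```

On a Debian host, `dpkg -S /sbin/rpc.statd` then shows which package ships the binary that `inspect_pid` reports.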
Re: INFECTED (PORTS: 600)
Do you get any unusual report with rkhunter? chkrootkit has given me many false positives... I can remember false +'s when portsentry or tiger were running.

On Thu, May 18, 2006 6:17 am, Morgan Walker said:
> Hey guys,
>
> Just new to this mailing list, hope you guys can help me out. I was
> testing out the chkrootkit package on one of my debian boxes. After
> running 'chkrootkit -q' I received the following output:
>
> INFECTED (PORTS: 600)
>
> I looked further into and narrowed down to this. 'netstat -naptu | grep
> 600' gave me the following ouput:
>
> udp 0 0 0.0.0.0:600 0.0.0.0:* 2120/rpc.statd
>
> I have searched around on other mailing lists and forums, but could never
> really get a definitive answer. Is this a common message for chkrootkit,
> should I be worried? Any help would be great, thanks in advance.
>
> ~Morgan

--
-JM.
These blue days and this sun of childhood (Antonio Machado, 1939)