Re: [ubuntu-in] chkrootkit - Checking `bindshell'.. INFECTED (PORTS: 4000)

2011-03-05 Thread Ramnarayan.K
On Fri, Mar 4, 2011 at 1:28 PM, Mehul Ved mehul.n@gmail.com wrote:
 On Fri, Mar 4, 2011 at 1:23 PM, Mehul Ved mehul.n@gmail.com wrote:
 so it seems either beagled is doing something nasty or i got a false 
 positive

 It seems like a known upstream issue and not a bug
 http://www.chkrootkit.org/faq/#7

thanks

ram

-- 
ubuntu-in mailing list
ubuntu-in@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-in


Re: [ubuntu-in] chkrootkit - Checking `bindshell'.. INFECTED (PORTS: 4000)

2011-03-03 Thread Ramnarayan.K
Some time back i had posted the not so nice results of chkrootkit

and found this suspicious programme listening in on port 4000 it was
called beagled and i thought it was some sarcastic malware type having
fun like saying you screxxd or you're beagled

so i found no solution to it and used to kill the beagled sessions every day

today i just ran man beagled and this is what i found

NAME
   beagled - the Beagle desktop search daemon

so it seems either beagled is doing something nasty or i got a false positive

**
top posting in case people are interested, my original mail is below

regards
ram



On Sat, Jan 22, 2011 at 9:09 AM, Ramnarayan.K ramnaraya...@gmail.com wrote:
 Hi

 Following an article of chkrootkit i tried it and found some disturbing 
 results

 The original article is here
 http://www.linuxjournal.com/content/hacking-old-school

 Quote
 With the standard install on my Ubuntu box, chkrootkit has 69
 available tests.
 endquote

 After this i tried chkrootkit and found


 Searching for anomalies in shell history files...           Warning: `//home/ram/.kino-history' is linked to another file

 Checking `bindshell'...                                     INFECTED (PORTS:  4000)


 what does this INFECTED mean ?? and what would linked to another file
 imply (am assuming the kino  anomaly is less important)

 after searching and asking a friend for some help i tried to


 m-laptop:~$ sudo netstat -pant|grep 4000
 [sudo] password for ram:
 tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      2485/beagled

 so is beagle the file tracker doing all this or is beagled a linux
 adjective here

 **
 I uninstalled beagle but still get the same message

 **
 then searching the web, the only similar page i came across was
 http://ubuntuforums.org/showthread.php?t=746700
 and following that tried various commands to see what is wrong, if at all

 m-laptop:~$ nmap -P0 localhost

 Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-22 08:48 IST
 Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
 Interesting ports on localhost (127.0.0.1):
 Not shown: 994 closed ports
 PORT      STATE SERVICE
 631/tcp   open  ipp
 4000/tcp  open  remoteanything
 5800/tcp  open  vnc-http
 5900/tcp  open  vnc
 9050/tcp  open  tor-socks
 50001/tcp open  unknown

 where again Port 4000/tcp says remoteanything ???

 *
 then ran other tests as below

 m-laptop:~$ sudo netstat -an | grep 4000
 tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN

 *
 m-laptop:~$ sudo lsof | grep 4000
 lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/ram/.gvfs
      Output information may be incomplete.
 beagled    2485        ram   16u     IPv4      12298       0t0  TCP *:4000 (LISTEN)

 which yet again shows the same thing

 Last in the article below there is a mention of port 4000 in the
 context of beagle, though am not sure if this is relevant much
 http://blog.rogersoles.com/2010/07/06/technology/ubuntu-desktop-search/

 ***
 would appreciate figuring out what is wrong and why this port 4000
 INFECTED thingy is happening
 ram




Re: [ubuntu-in] chkrootkit - Checking `bindshell'.. INFECTED (PORTS: 4000)

2011-03-03 Thread Mehul Ved
 so it seems either beagled is doing something nasty or i got a false positive

I believe it's a false positive. You might want to open a bug here
https://bugs.launchpad.net/ubuntu/+source/chkrootkit

-- 
With Regards,
Mehul Ved



Re: [ubuntu-in] chkrootkit - Checking `bindshell'.. INFECTED (PORTS: 4000)

2011-03-03 Thread Mehul Ved
On Fri, Mar 4, 2011 at 1:23 PM, Mehul Ved mehul.n@gmail.com wrote:
 so it seems either beagled is doing something nasty or i got a false positive

 I believe it's a false positive. You might want to open a bug here
 https://bugs.launchpad.net/ubuntu/+source/chkrootkit

It seems like a known upstream issue and not a bug
http://www.chkrootkit.org/faq/#7
 --
 With Regards,
 Mehul Ved




-- 
With Regards,
Mehul Ved
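
An added example, not part of any post in this thread: the port-to-process check done by hand above, as POSIX shell functions that match the flagged port exactly, where a plain `grep 4000` would also match port 40001 or PID 4000. The sample input is the thread's own output with wrapped lines re-joined, plus one constructed decoy line; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: output quoted in the thread (re-joined), plus a decoy
# listener on port 40001 with PID 4000 that `grep 4000` would also match.
CHKROOTKIT_OUT="Checking \`bindshell'...                                     INFECTED (PORTS:  4000)"
NETSTAT_OUT='tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      2485/beagled
tcp        0      0 127.0.0.1:40001         0.0.0.0:*               LISTEN      4000/decoyd'

# Print each port named on chkrootkit's bindshell INFECTED line, one per line.
flagged_ports() {
  printf '%s\n' "$1" | sed -n 's/.*INFECTED (PORTS:\([0-9 ]*\)).*/\1/p' |
    tr -s ' ' '\n' | sed '/^$/d'
}

# From `netstat -pant` text ($1), print "local_addr pid program" for each
# socket in LISTEN state whose local port is exactly $2.
listener_for_port() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $6 == "LISTEN" {
      n = split($4, a, ":")      # port is the last ":"-separated piece (IPv6 too)
      if (a[n] != port) next
      split($7, p, "/")          # "PID/Program name" column
      print $4, p[1], p[2]
    }'
}

# One line per flagged port: which process owns it and how widely it is bound.
triage() {
  for port in $(flagged_ports "$1"); do
    hit=$(listener_for_port "$2" "$port")
    if [ -z "$hit" ]; then
      echo "port=$port owner=none (nothing listening now)"
      continue
    fi
    printf '%s\n' "$hit" | while read -r addr pid prog; do
      case "$addr" in
        127.*|::1:*)    scope=loopback ;;
        0.0.0.0:*|:::*) scope=all-interfaces ;;
        *)              scope=single-address ;;
      esac
      echo "port=$port owner=$prog pid=$pid bind=$addr scope=$scope"
    done
  done
}

triage "$CHKROOTKIT_OUT" "$NETSTAT_OUT"
```

On a live host, pass `"$(sudo chkrootkit)"` and `"$(sudo netstat -pant)"` as the two arguments. For the reported owner, `readlink /proc/<pid>/exe` followed by `dpkg -S` on that path shows whether the binary comes from an installed package.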
