Hi

Following an article on chkrootkit, I tried it and found some disturbing results.

The original article is here: http://www.linuxjournal.com/content/hacking-old-school

Quote: "With the standard install on my Ubuntu box, chkrootkit has 69 available tests." End quote.

After this I tried chkrootkit and found:

    Searching for anomalies in shell history files... Warning: `//home/ram/.kino-history' is linked to another file
    Checking `bindshell'... INFECTED (PORTS: 4000)

What does this INFECTED mean? And what would "linked to another file" imply? (I am assuming the kino anomaly is less important.)

After searching and asking a friend for some help, I tried:

    m-laptop:~$ sudo netstat -pant|grep 4000
    [sudo] password for ram:
    tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 2485/beagled

So is beagle the file tracker doing all this, or is beagled a Linux adjective here?

** I uninstalled beagle but still get the same message **

Then, searching the web, the only similar page I came across was http://ubuntuforums.org/showthread.php?t=746700 and following that I tried various commands to see what is wrong, if at all:

    m-laptop:~$ nmap -P0 localhost
    Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-22 08:48 IST
    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 994 closed ports
    PORT      STATE SERVICE
    631/tcp   open  ipp
    4000/tcp  open  remoteanything
    5800/tcp  open  vnc-http
    5900/tcp  open  vnc
    9050/tcp  open  tor-socks
    50001/tcp open  unknown

where again port 4000/tcp says remoteanything???

* Then I ran other tests as below:

    m-laptop:~$ sudo netstat -an | grep 4000
    tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN

*

    m-laptop:~$ sudo lsof | grep 4000
    lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/ram/.gvfs
          Output information may be incomplete.
    beagled 2485 ram 16u IPv4 12298 0t0 TCP *:4000 (LISTEN)

which yet again shows the same thing.

Last, in the article below there is a mention of port 4000 in the context of beagle, though I am not sure if this is relevant much:
http://blog.rogersoles.com/2010/07/06/technology/ubuntu-desktop-search/

*** Would appreciate figuring out what is wrong and why this port 4000 INFECTED thingy is happening.

ram

--
ubuntu-in mailing list
ubuntu-in@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-in
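
The check walked through in the message above (take the ports chkrootkit reports, then find which process owns each listening socket), as an added example that is not part of the original post. The sample text reuses the output quoted there; the cupsd line, its PID and all function names are constructed for illustration.

```python
import re

# Sample text reusing the output quoted in the post; the cupsd line (PID 1021)
# is constructed here to show a listener that chkrootkit did not flag.
CHKROOTKIT_OUT = """\
Checking `bindshell'... INFECTED (PORTS:  4000)
"""
NETSTAT_OUT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:4000    0.0.0.0:*        LISTEN  2485/beagled
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  1021/cupsd
"""

def flagged_ports(chkrootkit_text):
    """Return the ports listed on chkrootkit's bindshell INFECTED line."""
    m = re.search(r"bindshell'?\.\.\.\s*INFECTED\s*\(PORTS:\s*([\d\s]+)\)",
                  chkrootkit_text)
    return [int(p) for p in m.group(1).split()] if m else []

def listeners(netstat_text):
    """Parse `netstat -pant` text into {port: [(address, pid, program)]}."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")   # also handles ":::4000"
        # Without root, netstat prints "-" instead of PID/program.
        pid, _, prog = (f[6] if len(f) > 6 else "-").partition("/")
        found.setdefault(int(port), []).append((addr, pid, prog or "?"))
    return found

def triage(chkrootkit_text, netstat_text):
    """Pair every flagged port with the process holding its listening socket."""
    socks = listeners(netstat_text)
    report = []
    for port in flagged_ports(chkrootkit_text):
        owners = socks.get(port, [])
        if not owners:
            report.append((port, None, None, "no listener found"))
        for addr, pid, prog in owners:
            wildcard = addr in ("0.0.0.0", "::")
            scope = "all interfaces" if wildcard else "specific address"
            report.append((port, pid, prog, scope))
    return report

if __name__ == "__main__":
    for row in triage(CHKROOTKIT_OUT, NETSTAT_OUT):
        print(row)
```

On a live system, pass in the captured text of `sudo chkrootkit` and `sudo netstat -pant`; the named program still has to be verified (package ownership, binary path) before the result is trusted.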