Some time back I had posted the not so nice results of chkrootkit and found this suspicious programme listening in on port 4000. It was called beagled, and I thought it was some sarcastic malware type having fun, like saying "you're screxxd" or "you're beagled".

So I found no solution to it and used to kill the beagled sessions every day. Today I just ran man beagled and this is what I found:

"NAME beagled - the Beagle desktop search daemon"

So it seems either beagled is doing something nasty or I got a false positive.

** top posting in case people are interested, my original mail is below

regards
ram

On Sat, Jan 22, 2011 at 9:09 AM, Ramnarayan.K <ramnaraya...@gmail.com> wrote:
> Hi
>
> Following an article on chkrootkit I tried it and found some disturbing
> results.
>
> The original article is here
> http://www.linuxjournal.com/content/hacking-old-school
>
> Quote
> "With the standard install on my Ubuntu box, chkrootkit has 69
> available tests."
> endquote
>
> After this I tried chkrootkit and found
>
> Searching for anomalies in shell history files... Warning:
> `//home/ram/.kino-history' is linked to another file
>
> Checking `bindshell'... INFECTED
> (PORTS: 4000)
>
> What does this INFECTED mean?? And what would "linked to another file"
> imply? (Am assuming the kino anomaly is less important.)
>
> After searching and asking a friend for some help I tried
>
> m-laptop:~$ sudo netstat -pant|grep 4000
> [sudo] password for ram:
> tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 2485/beagled
>
> So is beagle the file tracker doing all this, or is beagled a Linux
> adjective here?
>
> **
> I uninstalled beagle but still get the same message.
>
> **
> Then searching the web, the only similar page I came across was
> http://ubuntuforums.org/showthread.php?t=746700
> and following that tried various commands to see what is wrong, if at all
>
> m-laptop:~$ nmap -P0 localhost
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-22 08:48 IST
> Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
> Interesting ports on localhost (127.0.0.1):
> Not shown: 994 closed ports
> PORT STATE SERVICE
> 631/tcp open ipp
> 4000/tcp open remoteanything
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> 9050/tcp open tor-socks
> 50001/tcp open unknown
>
> where again port 4000/tcp says remoteanything ???
>
> *
> Then ran other tests as below
>
> m-laptop:~$ sudo netstat -an | grep 4000
> tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN
>
> *
> m-laptop:~$ sudo lsof | grep 4000
> lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/ram/.gvfs
> Output information may be incomplete.
> beagled 2485 ram 16u IPv4 12298 0t0 TCP *:4000 (LISTEN)
>
> which yet again shows the same thing.
>
> Last, in the article below there is a mention of port 4000 in the
> context of beagle, though am not sure if this is relevant much
> http://blog.rogersoles.com/2010/07/06/technology/ubuntu-desktop-search/
>
> ***
> Would appreciate figuring out what is wrong and why this port 4000
> INFECTED thingy is happening.
> ram
>

--
ubuntu-in mailing list
ubuntu-in@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-in
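
Added example, not part of the original message: the chkrootkit report quoted above names only a port, so this sketch pairs each flagged port with the process that `netstat -pant` shows listening on it, and notes whether the socket is bound to all interfaces. The sample text is constructed from the output in the message; the cupsd and tor lines, their PIDs, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample input, modelled on the output quoted in the message above.
# The cupsd and tor lines (and their PIDs) are invented for illustration.
CHKROOTKIT_OUTPUT = "Checking `bindshell'... INFECTED\n(PORTS:  4000)\n"
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp   0      0      0.0.0.0:4000    0.0.0.0:*       LISTEN  2485/beagled
tcp   0      0      127.0.0.1:631   0.0.0.0:*       LISTEN  1022/cupsd
tcp   0      0      127.0.0.1:9050  0.0.0.0:*       LISTEN  1417/tor
"""

def flagged_ports(chkrootkit_text):
    """Return the ports listed after a bindshell INFECTED result."""
    m = re.search(r"bindshell'\.\.\.\s*INFECTED\s*\(PORTS:\s*([\d\s]+)\)",
                  chkrootkit_text)
    return [int(p) for p in m.group(1).split()] if m else []

def listeners(netstat_text):
    """Map port -> [(bind address, pid, program)] for TCP sockets in LISTEN."""
    table = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # header, UDP, or a socket that is not listening
        addr, _, port = f[3].rpartition(":")
        # Without root, netstat prints "-" instead of PID/Program name.
        pid, _, prog = " ".join(f[6:]).partition("/")
        owner = (addr, None, None) if pid == "-" else (addr, int(pid), prog)
        table.setdefault(int(port), []).append(owner)
    return table

def triage(chkrootkit_text, netstat_text):
    """For each flagged port, report who is listening and how widely."""
    table = listeners(netstat_text)
    report = []
    for port in flagged_ports(chkrootkit_text):
        owners = table.get(port, [])
        report.append({
            "port": port,
            "owners": owners,
            # 0.0.0.0 / :: means every interface, not just localhost
            "all_interfaces": any(a in ("0.0.0.0", "::") for a, _, _ in owners),
        })
    return report

if __name__ == "__main__":
    for entry in triage(CHKROOTKIT_OUTPUT, NETSTAT_OUTPUT):
        print(entry)
```

A flagged port with an empty `owners` list means nothing was listening when netstat ran, or netstat was run without root and could not show the owner.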