01-08-2009, 01:24 PM   #2
adminphuong
Administrator
 
Chkrootkit error
Chkrootkit : bindshell'... INFECTED (PORTS: 465)
Zones:
Linux, SendMail Email Server, Linux Network Security
Hi yah
I have installed Chkrootkit, and when I am trying to scan the server it's saying:

bindshell'... INFECTED (PORTS: 465)

My examination: 1) SMTP is listening on port 465,
2) If I stop SMTP, Chkrootkit will say: bindshell'. Not Infected

lsof result

sudo /usr/sbin/lsof -P -n -i | grep 465
sendmail 21631 root 1u IPv4 44507 TCP 78.xxx.xx.xxx:465->xx.xx.25.xxx:62189 (ESTABLISHED) -> I know this IP
sendmail 21631 root 4u IPv4 44507 TCP 78.xxx.xxx.xxx:465->xx.xx.25.xxx:62189 (ESTABLISHED) -> i know this IP
sendmail 21631 root 7u IPv4 44507 TCP 78.xx.xx.xxxx:465->xx.xx.25.xx:62189 (ESTABLISHED) -> i know this
sendmail 25822 root 4u IPv4 45586 TCP *:465 (LISTEN) ->>>>>>> what does this mean ??

Is there anything to worry about??
----- Added 01-08-2009 at 01:24 PM -----
Yah, I believed so


From this site : http://www.chkrootkit.org/faq/#7
I'm running PortSentry/klaxon. What's wrong with the bindshell test?

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

And from this site: http://forum.qmailrocks.org/showthread.php?t=6817
this comment:

Just as an FYI, if you are using an SSL SMTP service on port 465 like some of us are, it most likely will result in the following false positive if you run chkrootkit:

Checking `bindshell'... INFECTED (PORTS: 465)

Last edited by adminphuong; 01-08-2009 at 01:24 PM. Reason: The system automatically merged your two consecutive posts!
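Added example, not part of the original post and not chkrootkit's own code: a small triage helper that does the check the post does by hand, mapping each LISTEN socket on a chkrootkit bindshell port to the process that owns it. The function names, the EXPECTED allowlist and the sample lsof lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Ports are the ones listed in
# the chkrootkit FAQ entry quoted above.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Assumption: port:command pairs that are legitimate on this host.
EXPECTED="465:sendmail"

# Reads `lsof -P -n -i` output on stdin and prints "port command pid verdict"
# for every LISTEN socket whose port is on the bindshell list.
triage_bindshell() {
    awk -v ports="$BINDSHELL_PORTS" -v expected="$EXPECTED" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) flagged[p[i]] = 1
            m = split(expected, e, " ")
            for (i = 1; i <= m; i++) ok[e[i]] = 1
        }
        $NF == "(LISTEN)" {
            port = $(NF - 1)          # NAME column, e.g. *:465 or [::]:465
            sub(/^.*:/, "", port)     # keep what follows the last colon
            if (!(port in flagged)) next
            key = port ":" $1         # $1 = COMMAND, $2 = PID
            if (seen[key "/" $2]++) next
            print port, $1, $2, ((key in ok) ? "expected-service" : "investigate")
        }'
}

# Constructed sample input (documentation addresses, invented PIDs except the
# LISTEN line, which mirrors the one in the post).
sample_lsof() {
    cat <<'EOF'
sendmail 21631 root 1u IPv4 44507 TCP 192.0.2.10:465->198.51.100.7:62189 (ESTABLISHED)
sendmail 25822 root 4u IPv4 45586 TCP *:465 (LISTEN)
sshd 1201 root 3u IPv4 11822 0t0 TCP *:22 (LISTEN)
unknownd 4242 root 3u IPv4 51234 0t0 TCP *:1524 (LISTEN)
EOF
}

# Demo on the sample; on a real host: sudo lsof -P -n -i | triage_bindshell
sample_lsof | triage_bindshell
```

A matching command name is only a triage hint, since a process can be named anything; confirm the binary behind the PID (for example with `ls -l /proc/25822/exe`) before treating the chkrootkit line as a false positive.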