From: Peter Pentchev (roam ringlet.net)
Date: Wed Nov 21 2007 - 04:44:21 CST
On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running FreeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
[snip]
> > Checking `bindshell'... INFECTED (PORTS: 6667)
[snip]
> >
> > I do run an IRCd...
>
> Such tools are known to trigger false positives sometimes. I'd recommend
> playing with some additional utilities like lsof. In case of bindshell try to
> find processes that were executed from world-writable directories such
> as /tmp. Try to shut down httpd and other daemons and see if any of them
> are still running.
The bindshell is most probably a false positive - chkrootkit just
checks if anything is listening on "unusual" ports. Since 6667 is
one of the most often used well-known ports for IRC communication,
this is most probably a false positive.
G'luck,
Peter
--
Peter Pentchev roam ringlet.net roam cnsys.bg roam FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
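
Since the bindshell test only reports that something is listening on a flagged port, the useful follow-up is to see which process owns that port. The script below is an added example, not part of the original message or of chkrootkit; it assumes the column layout of FreeBSD's `sockstat -4 -6 -l`, and the sample listings and the function name `classify_listener` are constructed for illustration.

```shell
#!/bin/sh
# Triage a chkrootkit "bindshell" hit: who owns the flagged port?
# Assumed input: FreeBSD `sockstat -4 -6 -l` output with the columns
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Constructed sample: the IRC daemon the admin knowingly runs on 6667.
SAMPLE_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       431   3  tcp4   *:22                  *:*
ircd     ircd       612   7  tcp4   *:6667                *:*
www      httpd      702   16 tcp4   *:80                  *:*'

# Constructed sample: same port, but held by a process that is not the IRCd.
SAMPLE_ODD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       431   3  tcp4   *:22                  *:*
www      sh         977   3  tcp4   *:6667                *:*'

# classify_listener PORT EXPECTED_COMMAND   (sockstat output on stdin)
# Prints one line per TCP listener on PORT:
#   EXPECTED user command pid   the daemon you expect on that port
#   UNKNOWN  user command pid   something else is bound there: investigate
# Prints NONE when nothing listens on PORT.
classify_listener() {
    awk -v port="$1" -v want="$2" '
        $5 !~ /^tcp/ { next }              # skips the header and non-TCP rows
        {
            n = split($6, a, ":")          # port follows the last ":" (IPv6-safe)
            if (a[n] != port) next
            found = 1
            verdict = ($2 == want) ? "EXPECTED" : "UNKNOWN"
            print verdict, $1, $2, $3
        }
        END { if (!found) print "NONE" }
    '
}

# On a live host: sockstat -4 -6 -l | classify_listener 6667 ircd
printf '%s\n' "$SAMPLE_OK"  | classify_listener 6667 ircd
printf '%s\n' "$SAMPLE_ODD" | classify_listener 6667 ircd
```

A matching command name is not proof on its own; as the quoted reply suggests, use lsof on the reported PID to confirm the process was not started from a world-writable directory such as /tmp.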