
chkrootkit shows bindshell infected only with portsentry


Anthony Campbell
Oct 10, 2005, 4:01:54 AM
I just installed the latest version of chkrootkit (0.45).
This showed that bindshell is infected.

Checking `bindshell'... INFECTED (PORTS: 1524 31337)

However, if I stop portsentry the infection report disappears. Does this
mean it is a false positive?

I don't want to reinstall the system if I don't have to!

Anthony
--
Anthony Campbell - a...@acampbell.org.uk
Microsoft-free zone - Using Linux Gnu-Debian
http://www.acampbell.org.uk (blog, book reviews,
on-line books and sceptical articles)

Rick Moen
Oct 10, 2005, 5:09:04 AM
Anthony Campbell <a...@acampbell.org.uk> wrote:
> I just installed the latest version of chkrootkit (0.45).
> This showed that bindshell is infected.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> However, if I stop portsentry the infection report disappears. Does this
> mean it is a false positive?

Yes, that's chkrootkit misinterpreting portsentry's activities.

> I don't want to reinstall the system if I don't have to!

Anthony, the good news is that nothing in the above suggests you need to
reinstall. The bad news is that if you really had no clue whether your
system was compromised and were tempted to simply take chkrootkit's word
on that question, then you have a more-fundamental problem, i.e., an
urgent need to understand and control your system better.

--
Cheers,                 Chip Salzenberg: "Usenet is not a right."
Rick Moen               Edward Vielmetti: "Usenet is a right, a left, a jab,
ri...@linuxmafia.com    and a sharp uppercut to the jaw.
                        The postman hits! You have new mail."

Florian Ernst
Oct 10, 2005, 6:33:49 AM
Hello *,

On 10 Oct 2005 08:01:54 GMT, Anthony Campbell wrote:
> I just installed the latest version of chkrootkit (0.45).
> This showed that bindshell is infected.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> However, if I stop portsentry the infection report disappears. Does this
> mean it is a false positive?

Yes, and since you are running Debian you could have seen this in
</usr/share/doc/chkrootkit/README.FALSE-POSITIVES>.

HTH,
Flo

Anthony Campbell
Oct 10, 2005, 7:20:16 AM

Rick, I wasn't seriously considering reinstalling just on the basis of
one report from chkrootkit; just being paranoid!

Good point about Debian. The reason I hadn't checked the Debian docs was
that I'd just installed a fresh version of chkrootkit in /usr/local to
be sure that it was not itself compromised and I forgot that Debian also
installs it as a package.

Rick Moen
Oct 10, 2005, 9:37:10 AM
Anthony Campbell <a...@acampbell.org.uk> wrote:

> Rick, I wasn't seriously considering reinstalling just on the basis of
> one report from chkrootkit; just being paranoid!

OK, and, by the way, I recommend you consider the merits of this article:
"Portsentry Considered Harmful" on http://linuxmafia.com/kb/Security

> Good point about Debian. The reason I hadn't checked the Debian docs was
> that I'd just installed a fresh version of chkrootkit in /usr/local to
> be sure that it was not itself compromised,...

Although this seems like a good idea, at first glance, don't forget that
you're assuming all of the responsibilities of a distro package maintainer
-- and, in particular, that of verifying that the package you downloaded
was really from the legitimate author and wasn't a fake swapped in by
someone who root-compromised an ftp site. Packages that have been
trojaned that way include TCP Wrappers, util-linux, sendmail, and
OpenSSH. Alert downloaders were not fooled by those trojans (and raised
the alarm) because they bothered to _check PGP signatures_ (or be
suspicious of the odd lack of them) -- but, in each case, not until many
dozens of less-careful people were fooled. Details here:
http://linuxmafia.com/~rick/faq/index.php?page=virus

The point is that, if instead of pulling down the upstream tarball, you
reinstalled the (e.g.) Debian package, that checking gets performed on
your behalf by the package maintainer, and you don't have to.

At one point, hosted tarballs of the Linux kernel source tree were
likewise compromised, but only on the CVS gateway, and that was detected
cryptographically in short order.

Cameron L. Spitzer
Oct 10, 2005, 5:50:23 PM
In article <slrndkk7...@arcadia.acampbell.org.uk>, Anthony Campbell wrote:
> I just installed the latest version of chkrootkit (0.45).
> This showed that bindshell is infected.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)

I think you're misinterpreting chkrootkit's announcement.
It's not looking for damage *to* bindshell, it's
looking for hints that there might *be* a bindshell running.
(Has bindshell got any legitimate uses, or does it only
appear on compromised machines?)
The hint it looks for is something listening on one or
more ports popular with people who use it.
Something is listening to those ports. Chkrootkit
is just *guessing* that it might be bindshell.
> However, if I stop portsentry the infection report disappears. Does this
> mean it is a false positive?
>
> I don't want to reinstall the system if I don't have to!

If you don't know *what* is listening to those two ports,
you have a problem.
Cameron

Felix Tilley
Oct 11, 2005, 12:13:23 AM
On Mon, 10 Oct 2005 08:01:54 +0000, Anthony Campbell
<a...@acampbell.org.uk> wrote:

> I just installed the latest version of chkrootkit (0.45). This showed that
> bindshell is infected.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> However, if I stop portsentry the infection report disappears. Does this
> mean it is a false positive?
>
> I don't want to reinstall the system if I don't have to!
>
> Anthony

What does netstat -an show? Are you listening on those ports?

--
Felix Tilley
MAJ, LARTvocate
Fanatic Legions
1-800-555-LART

Anthony Campbell
Oct 11, 2005, 5:58:36 AM

Yes, it shows I am listening on those.
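Cameron's point (chkrootkit's bindshell test only notices that *something* listens on certain ports) and Felix's netstat question together describe the triage step that actually settles the question: attribute each flagged port to the process that owns the socket. The script below is an added example written for this thread; it is not code from chkrootkit, portsentry or any poster. It parses the text of `ss -ltnp` or `netstat -tlnp` (the `-p` column is what `netstat -an` alone does not give you), and reports, for each port, whether it is closed, owned by a visible process, or listening with an owner the tool could not see. The port tuple holds only the two ports from Anthony's report (chkrootkit's own script tests a longer list), the sample outputs are constructed, and the function names `parse_listeners`, `classify` and `live_report` are my own.

```python
"""Triage helper for chkrootkit's `bindshell' warning (added example, not
chkrootkit's or portsentry's own code).

chkrootkit's bindshell test does not inspect any binary: it reports
INFECTED when something is listening on ports that bindshell backdoors
have historically used.  A legitimate daemon bound to one of those ports
(portsentry deliberately binds several) produces the very same line, so
the follow-up question is always "which process owns that socket?".
"""
import re
import shutil
import subprocess

# The two ports reported in the thread.  chkrootkit's own script carries a
# longer list; extend this tuple from there for full coverage.
BINDSHELL_PORTS = (1524, 31337)

# Local-address column, e.g. 0.0.0.0:1524, [::]:31337 or :::31337
LOCAL_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")
# Owner as printed by `ss -ltnp`: users:(("portsentry",pid=1433,fd=6))
SS_PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')
# Owner as printed by `netstat -tlnp`: 1433/portsentry
NETSTAT_PROC_RE = re.compile(r"\b(?P<pid>\d+)/(?P<name>\S+)")


def parse_listeners(output):
    """Map each listening TCP port to a list of (process_name, pid) owners.

    Accepts the text of `ss -ltnp` or `netstat -tlnp`.  An owner is
    (None, None) when the tool could not see it (typically: not run as root).
    """
    listeners = {}
    for line in output.splitlines():
        if "LISTEN" not in line:  # skips headers and non-listening sockets
            continue
        port = None
        for token in line.split():
            m = LOCAL_RE.match(token)  # first addr:port token is the local end
            if m:
                port = int(m.group("port"))
                break
        if port is None:
            continue
        m = SS_PROC_RE.search(line) or NETSTAT_PROC_RE.search(line)
        owner = (m.group("name"), int(m.group("pid"))) if m else (None, None)
        listeners.setdefault(port, []).append(owner)
    return listeners


def classify(listeners, ports=BINDSHELL_PORTS):
    """Return {port: (status, name, pid)} for every port chkrootkit would test.

    status is 'closed' (nothing bound, chkrootkit stays quiet), 'owned'
    (bound, and the owning process is visible) or 'unknown-owner' (bound,
    owner not visible).  Whether an 'owned' port is acceptable is a judgment
    for the administrator: portsentry on 1524 explains the warning, an
    unfamiliar binary does not.
    """
    report = {}
    for port in ports:
        owners = listeners.get(port, [])
        if not owners:
            report[port] = ("closed", None, None)
            continue
        name, pid = owners[0]
        report[port] = ("owned", name, pid) if name else ("unknown-owner", None, None)
    return report


# Constructed sample of `ss -ltnp` output on a host running portsentry.
SAMPLE_SS = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*      users:(("sshd",pid=812,fd=3))
LISTEN  0       5              0.0.0.0:1524        0.0.0.0:*      users:(("portsentry",pid=1433,fd=6))
LISTEN  0       5              0.0.0.0:31337       0.0.0.0:*      users:(("portsentry",pid=1433,fd=7))
LISTEN  0       128               [::]:80             [::]:*      users:(("nginx",pid=901,fd=5))
"""

# Constructed sample of `netstat -tlnp` run without root: owner column is '-'.
SAMPLE_NETSTAT_NOROOT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      -
"""


def live_report():
    """Run `ss -ltnp` (or `netstat -tlnp`) on this host and classify it."""
    if shutil.which("ss"):
        cmd = ["ss", "-ltnp"]
    elif shutil.which("netstat"):
        cmd = ["netstat", "-tlnp"]
    else:
        raise RuntimeError("neither ss nor netstat found")
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return classify(parse_listeners(out))


if __name__ == "__main__":
    for port, (status, name, pid) in classify(parse_listeners(SAMPLE_SS)).items():
        print(f"port {port}: {status}" + (f" by {name} (pid {pid})" if name else ""))
```

Run it as root (`live_report()`), or the owner column stays empty and every bound port comes back as `unknown-owner`, which is exactly the state Cameron warns about: a listener you cannot name. If the owner is portsentry, the chkrootkit line is explained; if it is a process you do not recognise, the warning deserves the investigation chkrootkit itself cannot do.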
