I have just run chkrootkit on my server and have the following two suspicious entries..

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

and further down..

Checking `bindshell'... INFECTED (PORTS: 465)

Anyone have any advice for getting rid of it??

Later..

WipeOut wrote:
> I have just run chkrootkit on my server and have the following two
> suspicious entries..
>
> Searching for suspicious files and dirs, it may take a while...
> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

There should be only a list of perl packages in that file. You can check it very easily.

> and further down..
>
> Checking `bindshell'... INFECTED (PORTS: 465)
>
> Anyone have any advice for getting rid of it??

Find out which program listens on that port - and if you need it. 465 is smtps (SMTP over SSL).

You can do so with netstat, lsof or fuser.

chkrootkit can only give you hints - you have to look for yourself, if it is assuming correctly or fooling you.

Ralph

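Ralph's advice to find out which program listens on port 465, as an added example that is not part of the original thread: it reads the kernel's socket table under /proc directly instead of going through netstat, lsof or fuser. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp layout: a listener on 465 (hex 01D1),
# a listener on 22 (hex 0016) and one established connection on port 465.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:01D1 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 34567 1 0000000000000000 20 4 30 10 -1
EOF
}

# listening_inodes PORT [TABLE...]: print the socket inode of every entry in
# state 0A (LISTEN) whose local port is PORT. Reads stdin if no table is given.
listening_inodes() {
    port_hex=$(printf '%04X' "$1")
    shift
    awk -v p="$port_hex" '
        $4 == "0A" { n = split($2, a, ":"); if (toupper(a[n]) == p) print $10 }
    ' "$@"
}

# owners_of_inode INODE: print "PID EXECUTABLE" for each process holding the
# socket. Other users' descriptors are only visible to root.
owners_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null)"
    done | sort -u
}

# report_port PORT: list every listener on PORT with its owning process.
report_port() {
    for inode in $(listening_inodes "$1" /proc/net/tcp /proc/net/tcp6 2>/dev/null); do
        echo "port $1 is in LISTEN state, socket inode $inode, held by:"
        owners_of_inode "$inode"
    done
}

# Only act when a port number is given on the command line.
if [ $# -gt 0 ]; then report_port "$1"; fi
```

Run it as root with the port number as its only argument. The executable printed for port 465 should be the mail server you expect to be providing smtps; an inode with no owning process listed, or an unfamiliar binary, is what needs a closer look.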
Ralph Angenendt wrote:
> WipeOut wrote:
>> I have just run chkrootkit on my server and have the following two
>> suspicious entries..
>>
>> Searching for suspicious files and dirs, it may take a while...
>> /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
>
> There should be only a list of perl packages in that file. You can check
> it very easily.
>
>> and further down..
>>
>> Checking `bindshell'... INFECTED (PORTS: 465)
>>
>> Anyone have any advice for getting rid of it??
>
> Find out which program listens on that port - and if you need it. 465
> is smtps (SMTP over SSL).
>
> You can do so with netstat, lsof or fuser.
>
> chkrootkit can only give you hints - you have to look for yourself, if
> it is assuming correctly or fooling you.
>
> Ralph

Thanks Ralph.. I am looking into it now..

Are you running PortSentry? If you are, that may give you a false positive on Port 465.

-----Original Message-----
From: centos-bounces at caosity.org [mailto:centos-bounces at caosity.org] On Behalf Of WipeOut
Sent: 11 January 2005 18:19
To: CentOS discussion and information list
Subject: [Centos] Think someone has got into my server...

I have just run chkrootkit on my server and have the following two suspicious entries..

Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist

and further down..

Checking `bindshell'... INFECTED (PORTS: 465)

Anyone have any advice for getting rid of it??

Later..