Ok...did some checking. I forgot to mention that I killed dead syslogd. Not just a -HUP but an actual kill and restarted. I did this several times. I was trying to get something else to work.

Anyway, I killed it again this morning and restarted. The infect message went away immediately.

Could this have been the problem?

------------------------------
Mike Loiterman
grantADLER Medical Corporation
Ph: 630-302-4944
Fax: 773-868-0071
PGP Key 0xD1B9D18E

I was just running chkrootkit on my system and it is reporting bindshell as infected on port 114. Other than that message, my system is clean. Tripwire doesn't detect any changes and nothing else (daily run or security report) gave any unusual errors.

The chkrootkit README says that running PORTSENTRY or klaxon will give a false positive, but I'm running neither. I suspect something (legitimate) else is running. How can I determine for sure? Is my system really compromised?

------------------------------
Mike Loiterman
grantADLER Medical Corporation
Ph: 630-302-4944
Fax: 773-868-0071
PGP Key 0xD1B9D18E

:: Anyway, I killed it again this morning and restarted. The infect
:: message went away immediately.
::
:: Could this have been the problem?

Could have been, but there's no way to be sure now. When you had the chance, 'lsof -i tcp:114' would have told you what process was bound to TCP/114.

Cheers

- Erick
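
The lsof check suggested above, scripted so the socket owner is recorded before any daemon is restarted. This is an added example, not part of the thread: the function names, process names, PIDs and addresses are constructed, and the parser reads lsof's `-F` field output.

```shell
#!/bin/sh
# Report which process owns a local TCP port, from `lsof -F` field output.
# Live use (as root, before restarting anything):
#   lsof -nP -i tcp:114 -F pcLnT | owners_of_port 114
# -n/-P keep addresses and ports numeric so the port can be compared.

owners_of_port() {
    awk -v port="$1" '
        # Print the pending socket if its LOCAL port matches.
        # `lsof -i tcp:N` also returns sockets whose REMOTE port is N,
        # so the part after "->" is dropped before comparing.
        function emit() {
            if (name != "") {
                local_ep = name
                sub(/->.*/, "", local_ep)
                n = split(local_ep, parts, ":")
                if (parts[n] == port)
                    printf "%s pid=%s user=%s state=%s local=%s\n",
                        cmd, pid, user, (state == "" ? "-" : state), local_ep
            }
            name = ""; state = ""
        }
        /^p/    { emit(); pid = substr($0, 2); cmd = ""; user = ""; next }
        /^c/    { cmd  = substr($0, 2); next }
        /^L/    { user = substr($0, 2); next }
        /^f/    { emit(); next }              # a new file descriptor begins
        /^n/    { name = substr($0, 2); next }
        /^TST=/ { state = substr($0, 5); next }
        END     { emit() }
    '
}

# Constructed sample of `lsof -nP -i tcp:114 -F pcLnT` output:
# one listener on 114 and one client connected to a remote port 114.
sample_lsof_output() {
    cat <<'EOF'
p4242
cexampled
Lroot
f4
n*:114
TST=LISTEN
p5150
cclient
Lalice
f7
n10.0.0.5:51000->10.0.0.9:114
TST=ESTABLISHED
EOF
}
```

Saving this output alongside the chkrootkit report keeps the process name and PID available even after the process is killed or restarted.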