I run chkrootkit daily. For the first time I've got reports of a problem -

Checking `bindshell'... INFECTED (PORTS: 1008)

The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected-ports-1008/ suggests that this might be a false positive, so I ran 'netstat -tanup' but unlike the report, it wasn't famd on the port. It was

tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      3797/rpc.mountd

It looks as though certain services are marked as suspicious when they grab port 1008. I tried to find how to restart the service, but without success, but a reboot put rpc.mountd onto another port, and chkrootkit no longer reports a problem. (I had rebooted last evening after an update including a kernel version.)

I think that it really was a false alarm, but I would really like to know how I could restart that service without rebooting. system-config-services didn't do the trick, and I simply didn't know what else to try. In case I meet this again, can you please advise me?

Anne
--
KDE Community Working Group
New to KDE4? - get help from http://userbase.kde.org
Anne Wilson wrote:
> I run chkrootkit daily. For the first time I've got reports of a problem -
>
> Checking `bindshell'... INFECTED (PORTS: 1008)
>
> The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected-ports-1008/
> suggests that this might be a false positive, so I ran 'netstat -tanup'
> but unlike the report, it wasn't famd on the port. It was
>
> tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      3797/rpc.mountd
>
> It looks as though certain services are marked as suspicious when they grab
> port 1008. I tried to find how to restart the service, but without success,
> but a reboot put rpc.mountd onto another port, and chkrootkit no longer
> reports a problem. (I had rebooted last evening after an update including a
> kernel version.)
>
> I think that it really was a false alarm, but I would really like to know how
> I could restart that service without rebooting. system-config-services didn't
> do the trick, and I simply didn't know what else to try. In case I meet this
> again, can you please advise me?
>
> Anne

Anne, I believe an nfs restart should do it - you may consider setting rpc to a specific port in /etc/sysconfig/nfs - plenty of comments in the file to help - this is also useful if you firewall and need to use nfs.

HTH
Rob
From: Anne Wilson <cannewilson at googlemail.com>
> I run chkrootkit daily. For the first time I've got reports of a problem -
>
> Checking `bindshell'... INFECTED (PORTS: 1008)
>
> The page http://fatpenguinblog.com/scott-rippee/checking-bindshell-infected-ports-1008/
> suggests that this might be a false positive, so I ran 'netstat -tanup'
> but unlike the report, it wasn't famd on the port. It was
>
> tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      3797/rpc.mountd
>
> It looks as though certain services are marked as suspicious when they grab
> port 1008. I tried to find how to restart the service, but without success,
> but a reboot put rpc.mountd onto another port, and chkrootkit no longer
> reports a problem. (I had rebooted last evening after an update including a
> kernel version.)
>
> I think that it really was a false alarm, but I would really like to know how
> I could restart that service without rebooting. system-config-services didn't
> do the trick, and I simply didn't know what else to try. In case I meet this
> again, can you please advise me?

# grep -l "rpc.mountd" /etc/init.d/*
/etc/init.d/nfs

# man rpc.mountd | grep -C 1 bind
       -p  or  --port num
              Force rpc.mountd to bind to the specified port num, instead of
              using the random port number assigned by the portmapper.

random port... 1008 seems to be associated with a trojan (lion)...

JD
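A small triage helper, added here as an example and not code from the thread, from chkrootkit or from CentOS, that does by script what Anne did by hand and what Rob and JD recommend: it reads `netstat -tanup` output, finds the listener on the flagged port, classifies it (an rpc daemon on a portmapper-assigned port versus anything else), and reports whether rpc.mountd has been pinned with MOUNTD_PORT in /etc/sysconfig/nfs. The netstat and sysconfig text below are constructed samples (the rpc.mountd line copies the one Anne posted, the other sockets and PIDs are made up); MOUNTD_PORT and `service nfs restart` are the RHEL/CentOS 5-era variable and command, and the advice strings are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread or from chkrootkit: triage a port that the
# bindshell check flagged by reading `netstat -tanup` output, and check whether
# rpc.mountd has been pinned to a fixed port in /etc/sysconfig/nfs.

# Constructed sample of `netstat -tanup` output. The rpc.mountd line mirrors the
# one posted in the thread; the other sockets and PIDs are made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2890/portmap
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      3797/rpc.mountd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3012/sshd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:1008            0.0.0.0:*                           3797/rpc.mountd'

# Constructed excerpt in the style of /etc/sysconfig/nfs; MOUNTD_PORT is the
# variable that file uses on RHEL/CentOS to force rpc.mountd onto a fixed port.
SAMPLE_SYSCONFIG_NFS='# Port rpc.mountd should listen on.
#MOUNTD_PORT=892
MOUNTD_PORT=892'

# owner_of_port PORT: read netstat -tanup output on stdin and print the
# "PID/Program name" field of the TCP socket listening on PORT (empty if none).
owner_of_port() {
    awk -v port="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, addr, ":")          # last component of Local Address is the port
            if (addr[n] == port) { print $7; exit }
        }'
}

# classify_owner OWNER: say what kind of listener a "PID/Program" field denotes.
classify_owner() {
    case "$1" in
        "")                           echo "nothing-listening" ;;
        -)                            echo "kernel-or-unknown" ;;   # netstat prints - when it cannot map the socket to a PID
        */rpc.*|*/portmap|*/rpcbind)  echo "rpc-service" ;;
        *)                            echo "other-process" ;;
    esac
}

# triage_port PORT NETSTAT_TEXT: print one line "kind owner: what to do next".
triage_port() {
    port=$1
    owner=$(printf '%s\n' "$2" | owner_of_port "$port")
    kind=$(classify_owner "$owner")
    case "$kind" in
        rpc-service)       advice="rpc daemon on a portmapper-assigned port; restart it with 'service nfs restart' or pin MOUNTD_PORT in /etc/sysconfig/nfs" ;;
        other-process)     advice="not an rpc daemon; identify the binary behind the PID before dismissing the report" ;;
        kernel-or-unknown) advice="no owning PID shown; rerun netstat as root (kernel NFS sockets show no PID)" ;;
        nothing-listening) advice="nothing listening now; the process may already have exited or been restarted" ;;
    esac
    printf '%s %s: %s\n' "$kind" "${owner:--}" "$advice"
}

# mountd_pin: read sysconfig text on stdin and print the active MOUNTD_PORT
# value, or "unset" when only the commented default (or nothing) is present.
mountd_pin() {
    awk -F= '
        /^[[:space:]]*MOUNTD_PORT=/ { v = $2; gsub("\"", "", v); gsub(/[[:space:]]/, "", v) }
        END { print (v == "" ? "unset" : v) }'
}

# Stand-alone run over the constructed samples.
triage_port 1008 "$SAMPLE_NETSTAT"
triage_port 22   "$SAMPLE_NETSTAT"
printf 'MOUNTD_PORT: %s\n' "$(printf '%s\n' "$SAMPLE_SYSCONFIG_NFS" | mountd_pin)"
```

On a live box you would feed `netstat -tanup` (run as root, otherwise the PID column is blank) into owner_of_port and /etc/sysconfig/nfs into mountd_pin; a port that is owned by rpc.mountd and a MOUNTD_PORT that is "unset" is exactly the situation in this thread, where a restart moves the daemon to a new random port and only pinning the port makes the check stable.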
Anne Wilson wrote:
> do the trick, and I simply didn't know what else to try. In case I meet
> this again, can you please advise me?

Are you doing anything with NFS? If not then turn off the nfs service, and the rpc services

[root at dc1-rhel5-32build001:~]# chkconfig --list | grep "\(nfs\|rpc\)"
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:off   4:off   5:off   6:off
rpcidmapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off

If you are using NFS, then stop using it before restarting the services.

nate