[Herts] RE: Blade Server (Debian) compromised.
Dominic Hargreaves
dom at earth.li
Thu Jun 23 10:55:25 BST 2005
[reordered replies for sanity]
On Wed, Jun 22, 2005 at 08:33:15PM +0100, Cyberesque wrote:
> nicolas wrote:
> >Checking `bindshell'... INFECTED (PORTS: 3049 31337)
> Can't help much only to say that port 31337 is well known for exploits
> (spells eleet / elite in 'leet' speak). You've probably got some carder
> or kiddie trying to sniff with Back Orifice - it doesn't necessarily
> mean you are compromised, it just means someone is sniffing your
> network, probably a script scanning a range of IP addresses.
No. chkrootkit inspects processes on the local machine; if it suggests
that it is infected it is almost certainly correct. It doesn't do any
tests on port scanning AFAIK, since that's not its purpose...
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
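
Added example, not part of the original post and not chkrootkit's own code: a local check of which sockets are in LISTEN state on the two ports from the quoted chkrootkit line, parsed from text in the Linux `/proc/net/tcp` layout. The sample table is constructed, the function name `listening_on` is hypothetical, and a little-endian host (such as x86) is assumed for address decoding.

```python
import socket

FLAGGED_PORTS = {3049, 31337}  # ports from the chkrootkit line quoted in the thread
TCP_LISTEN = 0x0A              # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not data from the affected server).
# Row 0: sshd-style listener on 22. Row 1: listener on 31337 (0x7A69).
# Row 2: loopback listener on 3049 (0x0BE9).
# Row 3: ESTABLISHED connection whose *remote* port is 31337; not a local listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302 1
   2: 0100007F:0BE9 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1403 1
   3: 0A01A8C0:0016 0501A8C0:7A69 01 00000000:00000000 00:00000000 00000000     0        0 1504 1
"""


def listening_on(proc_net_tcp_text, ports):
    """Return (ip, port, uid, inode) for each local LISTEN socket on one of `ports`."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue  # truncated or malformed row
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # only listeners matter; traffic from remote ports is ignored
        addr_hex, port_hex = fields[1].split(":")
        port = int(port_hex, 16)
        if port in ports:
            # The address is hex in host byte order; reverse it on little-endian hosts.
            ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])
            hits.append((ip, port, int(fields[7]), int(fields[9])))
    return hits


if __name__ == "__main__":
    for ip, port, uid, inode in listening_on(SAMPLE_PROC_NET_TCP, FLAGGED_PORTS):
        print(f"LISTEN {ip}:{port} uid={uid} inode={inode}")
```

The inode in each result can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process.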