[Herts] RE: Blade Server (Debian) compromised.

Dominic Hargreaves dom at earth.li
Thu Jun 23 10:55:25 BST 2005

[reordered replies for sanity]

On Wed, Jun 22, 2005 at 08:33:15PM +0100, Cyberesque wrote:
> nicolas wrote:
> >Checking `bindshell'... INFECTED (PORTS:  3049 31337)

> Can't help much only to say that port 31337 is well known for exploits 
> (spells eleet / elite in 'leet' speak). You've probably got some carder 
> or kiddie trying to sniff with Back Orifice - it doesn't necessarily 
> mean you are compromised, it just means someone is sniffing your 
> network, probably a script scanning a range of IP addresses.

No. chkrootkit inspects processes on the local machine; if it suggests
that it is infected it is almost certainly correct. It doesn't do any
tests on port scanning AFAIK, since that's not its purpose...

Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

More information about the Herts mailing list