[Herts] RE: Blade Server (Debian) compromised.

davidp at preshweb.co.uk davidp at preshweb.co.uk
Thu Jun 23 11:28:15 BST 2005

On Thu, June 23, 2005 10:54 am, Dominic Hargreaves wrote:

> [reordered replies for sanity]
> On Wed, Jun 22, 2005 at 08:33:15PM +0100, Cyberesque wrote:
>> nicolas wrote:
>> >Checking `bindshell'... INFECTED (PORTS:  3049 31337)
>> Can't help much only to say that port 31337 is well known for exploits
>> (spells eleet / elite in 'leet' speak). You've probably got some carder
>> or kiddie trying to sniff with Back Orifice - it doesn't necessarily
>> mean you are compromised, it just means someone is sniffing your
>> network, probably a script scanning a range of IP addresses.
> No. chkrootkit inspects processes on the local machine; if it suggests
> that it is infected it is almost certainly correct. It doesn't do any
> tests on port scanning AFAIK, since that's not its purpose...

chkrootkit often gives false positives on the bindshell test which do not
indicate infection if certain things are listening on those ports,
especially PortSentry et al.

>From http://www.chkrootkit.org/faq/ :
" If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit  will give you a false positive on the
bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp,
27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp,
47889/tcp, 60001/tcp)."

You're right that chkrootkit doesn't do any kind of port scanning, nor
would it detect a portscan in progress.


Dave P

More information about the Herts mailing list