BindShell False Positives FBSD-4.10.p3
david.hutchens at drs-sss.com
Fri Oct 29 06:20:06 PDT 2004
Running Chkrootkit 0.44 - FreeBSD 4.10-p3 Perl-5.8.4
Dual p3-650 512MB ECC RAM
Chkrootkit reporting Bindshell Infection on port 145.
netstat -an indicates no connections using that port but is showing the
value 145 in the Recv-Q
Proto Recv-Q Send-Q Local Address      Foreign Address  (state)
tcp4       0      0 *.10082            *.*              LISTEN
udp4       0      0 127.0.0.1.4611     127.0.0.1.123
udp4     145      0 *.1368             *.*
udp4       0      0 127.0.0.1.53       *.*
I've observed this twice so far for the 145 value. I've also had Bindshell
reports on port 114 and believe those to have been inaccurate
as well (unable to detect any problems with other tools automatically
launched upon the chkrootkit report - rkhunter/lsof and manual/scheduled
scans with Kaspersky & Clam AV).
At the time I was getting reports ref port 114 I had not looked at the
Chkrootkit Code & therefore did not set a trigger to run netstat -an upon a
Chkrootkit alert as I have with port 145.
If there is any other info I can provide please let me know, thanks for your
David Hutchens III
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens at drs-sss.com
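The netstat excerpt above shows why a port-number check that matches the bare number anywhere on a line can misfire: the 145 sits in the Recv-Q column of a UDP socket, not in any local address. The script below is an added example (it is not part of the post and not chkrootkit's own code; how chkrootkit actually matches is an assumption here) that parses FreeBSD netstat -an output by column and reports a port only when it is the local port of a socket, beside a grep-style check for comparison. The sample netstat text is the post's output, reconstructed as a constant.

```python
import re

# Constructed sample: the netstat -an excerpt from the post, with its column header.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address  (state)
tcp4       0      0 *.10082            *.*              LISTEN
udp4       0      0 127.0.0.1.4611     127.0.0.1.123
udp4     145      0 *.1368             *.*
udp4       0      0 127.0.0.1.53       *.*
"""


def split_addr(addr):
    """Split a BSD netstat address such as '*.10082' or '127.0.0.1.53' into
    (host, port). The port is the text after the last dot; '*' means any port."""
    host, sep, port = addr.rpartition(".")
    if not sep:
        return addr, None
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse FreeBSD-style 'netstat -an' output into a list of socket records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # skip the header, blank lines and non-socket lines
        proto, recvq, sendq, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""  # UDP rows carry no state
        lhost, lport = split_addr(local)
        records.append({
            "proto": proto,
            "recv_q": int(recvq),
            "send_q": int(sendq),
            "local_host": lhost,
            "local_port": lport,
            "foreign": foreign,
            "state": state,
        })
    return records


def naive_port_match(text, port):
    """Grep-style check: does the bare number appear anywhere on a socket line?
    Assumed here to model a detector that matches the number without regard to
    column; a Recv-Q value of 145 satisfies it just as a port would."""
    pattern = re.compile(r"\b%d\b" % port)
    return any(pattern.search(line) for line in text.splitlines()
               if line.startswith(("tcp", "udp")))


def sockets_on_port(text, port):
    """Column-aware check: only records whose local port equals `port`."""
    return [r for r in parse_netstat(text) if r["local_port"] == port]


def check_suspect_ports(text, ports):
    """For each suspect port give both verdicts so a false positive is visible:
    a grep-style hit with no socket actually bound to that port."""
    report = {}
    for port in ports:
        bound = [f"{r['proto']} {r['local_host']}.{r['local_port']}"
                 for r in sockets_on_port(text, port)]
        report[port] = {"naive": naive_port_match(text, port), "bound": bound}
    return report


if __name__ == "__main__":
    # 145 and 114 are the ports named in the post; 10082 is the one real listener.
    for port, verdict in check_suspect_ports(SAMPLE_NETSTAT, [145, 114, 10082]).items():
        print(f"port {port}: grep-style hit={verdict['naive']}, "
              f"bound sockets={verdict['bound'] or 'none'}")
```

Run against live output with `netstat -an | python3 this_script.py`-style piping after replacing the constant with `sys.stdin.read()`; the point of the column-aware check is that a verdict of "grep-style hit, no bound socket" is the signature of the false positive the post describes, and a real bind shell would show up in the bound list with its protocol and local address.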