chkrootkit V. 0.47

Peter Pentchev roam at
Wed Nov 21 03:11:05 PST 2007

On Tue, Nov 20, 2007 at 07:01:20PM +0200, Nikolay Pavlov wrote:
> On Tuesday 20 November 2007 16:41:52 JP wrote:
> > Running freeBSD 6.1
> >
> > After changing chkrootkit to the latest version V. 0.47 and compiling it
> > then running it I get the following:
> > Checking `bindshell'... INFECTED (PORTS:  6667)
> >
> > I do run an IRCd...
> Such tools is known to trigger false positives sometimes. I'd recommend to 
> play with some additional utilities like lsof. In case of bindshell try to 
> find processes that was executed from world writable directories such 
> as /tmp. Try to shutdown httpd and other daemons and see if any of them 
> still running. 

The bindshell is most probably a false positive - chkrootkit just
checks if anything is listening on "unusual" ports.  Since 6667 is
one of the most often used well-known ports for IRC communication,
this is most probably a false positive.


Peter Pentchev	roam at    roam at    roam at
PGP key:
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
You have, of course, just begun reading the sentence that you have just finished reading.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url :

More information about the freebsd-security mailing list