Errata: incorrect Perl Version - BindShell False Positives
FBSD-4.10.p3
hutchens
david.hutchens at drs-sss.com
Fri Oct 29 06:24:49 PDT 2004
Many apologies, I reported the wrong Perl version. It should have been v. 5.8.5, not 5.8.4.
>Good Morning;
>Running Chkrootkit 0.44 - FreeBSD 4.10-p3 Perl-5.8.4
>Dual p3-650 512MB ECC RAM
>Chkrootkit reporting Bindshell Infection on port 145.
>netstat -an indicates no connections using that port but is showing the
>value 145 in the Recv-Q
>Proto Recv-Q Send-Q Local Address    Foreign Address  (state)
>tcp4      0      0 *.10082          *.*              LISTEN
>udp4      0      0 127.0.0.1.4611   127.0.0.1.123
>udp4    145      0 *.1368           *.*
>udp4      0      0 127.0.0.1.53     *.*
>I've observed this twice so far for the 145 value. I've also had Bindshell
>reports on port 114 and believe those to have been inaccurate as well
>(unable to detect any problems with other tools automatically launched upon
>the chkrootkit report - rkhunter/lsof and manual/scheduled scans with
>Kaspersky & Clam AV).
>At the time I was getting reports ref port 114 I had not looked at the
>Chkrootkit Code & therefore did not set a trigger to run netstat -an upon a
>Chkrootkit alert as I have with port 145.
>If there is any other info I can provide please let me know, thanks for
>your hard work
Sincerely;
David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens at drs-sss.com
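As an added illustration (not code from the report or from chkrootkit itself), the Python below parses the netstat -an lines quoted above by column and contrasts a number-anywhere match, the assumed reason a Recv-Q value of 145 can trip a bindshell report, with a check that only inspects the Local Address port. The suspect-port set holds only the two ports the message names; chkrootkit's own list is longer.

```python
"""Column-aware check for 'bindshell' listener ports in BSD netstat -an output.

A bare number match anywhere in a netstat line fires on the Recv-Q/Send-Q
columns; parsing the Local Address column avoids that class of false positive.
"""
import re

# Constructed sample: the netstat -an lines quoted in the report above.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.10082 *.* LISTEN
udp4 0 0 127.0.0.1.4611 127.0.0.1.123
udp4 145 0 *.1368 *.*
udp4 0 0 127.0.0.1.53 *.*
"""

# Only the two ports the report names; chkrootkit's real list is longer.
SUSPECT_PORTS = {114, 145}


def local_port(local_addr):
    """Port of a BSD-style 'host.port' address: '*.1368' -> 1368, '*.*' -> None."""
    _host, sep, port = local_addr.rpartition(".")
    return int(port) if sep and port.isdigit() else None


def parse_netstat(text):
    """Yield one dict per socket line; the header and non-socket lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        yield {"proto": f[0], "recvq": int(f[1]), "sendq": int(f[2]),
               "local": f[3], "foreign": f[4], "state": f[5] if len(f) > 5 else ""}


def naive_hits(text, ports=SUSPECT_PORTS):
    """Assumed naive matcher: any number in the line equal to a suspect port fires."""
    hits = set()
    for line in text.splitlines():
        hits |= {int(n) for n in re.findall(r"\d+", line)} & set(ports)
    return hits


def listener_hits(text, ports=SUSPECT_PORTS):
    """Fires only when the socket's own local port is a suspect port."""
    return {local_port(r["local"]) for r in parse_netstat(text)
            if local_port(r["local"]) in ports}
```

On the quoted sample, naive_hits returns {145} (the Recv-Q column) while listener_hits returns an empty set; a line such as `tcp4 0 0 *.145 *.* LISTEN` is flagged by both.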