CHKROOTKIT positive?
Ger Apeldoorn
g.apeldoorn at argoss.nl
Thu Jun 29 14:22:12 CEST 2006
Hi,
Today, after a mysterious server hang yesterday, I ran chkrootkit
(www.chkrootkit.org) on my kolab 2.0.3 server.
Among the output was this:
--------------------%<------------------------
Checking `bindshell'... INFECTED (PORTS: 465)
--------------------%<------------------------
Output from "netstat -lnpe | grep 465"
--------------------%<------------------------
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 0 8404 4661/master
--------------------%<------------------------
Output from "ps ax | grep master"
--------------------%<------------------------
4054 ? Ss 0:00 amavisd (master)
4661 ? Ss 0:06 /kolab/libexec/postfix/master
9773 ? S 0:01 /kolab/bin/cyrmaster
--------------------%<------------------------
As you can see, the open port 465 is owned by /kolab/libexec/postfix/master.
The following questions arise:
1) Is this a false positive?
2) If you run chkrootkit on your Kolab server, do you get the same (false)
positive?
It probably is, just want to be on the safe side.
As always, many thanks in advance,
Ger.
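The triage the post does by hand (chkrootkit's bindshell test only checks whether ports from a fixed built-in list, 465 among them, are listening, so the owning process decides whether a hit matters) can be scripted; the following is an added example, not part of the original post or of chkrootkit. It assumes a hypothetical per-host allowlist of expected port owners and uses constructed sample output shaped like the chkrootkit and `netstat -lnpe` lines above.

```python
import re
from typing import Dict, List

# Constructed sample input, shaped like the output quoted in the post
# (not a live capture).
CHKROOTKIT_OUTPUT = """\
Checking `lkm'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `sniffer'... nothing found
"""
NETSTAT_OUTPUT = """\
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 0 8404 4661/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 0 8390 4661/master
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 0 8201 4054/amavisd
"""

# Hypothetical allowlist: TCP ports this host is expected to serve and the
# program name (as netstat prints it) that should own each of them.
EXPECTED_LISTENERS = {465: {"master"}, 25: {"master"}, 10024: {"amavisd"}}

def bindshell_ports(chkrootkit_out: str) -> List[int]:
    """Return the ports chkrootkit's bindshell test reported as INFECTED."""
    m = re.search(r"`bindshell'\.\.\. INFECTED \(PORTS: ([\d ,]+)\)", chkrootkit_out)
    if not m:
        return []
    return [int(p) for p in re.split(r"[ ,]+", m.group(1).strip()) if p]

def listening_owners(netstat_out: str) -> Dict[int, str]:
    """Map each listening TCP port to its program name from `netstat -lnpe`."""
    owners: Dict[int, str] = {}
    for line in netstat_out.splitlines():
        f = line.split()
        # -lnpe columns: Proto Recv-Q Send-Q Local Foreign State User Inode PID/Program
        if len(f) < 9 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])
        # "4661/master" -> "master"; netstat prints "-" when run without root
        owners[port] = f[8].split("/", 1)[1] if "/" in f[8] else f[8]
    return owners

def triage(chkrootkit_out: str, netstat_out: str) -> Dict[int, str]:
    """Classify each flagged port: expected daemon, unexpected owner, or no listener."""
    owners = listening_owners(netstat_out)
    verdicts: Dict[int, str] = {}
    for port in bindshell_ports(chkrootkit_out):
        owner = owners.get(port)
        if owner is None:
            verdicts[port] = "not listening now (transient or hidden); investigate"
        elif owner in EXPECTED_LISTENERS.get(port, set()):
            verdicts[port] = f"owned by expected daemon '{owner}'; likely false positive"
        else:
            verdicts[port] = f"owned by unexpected program '{owner}'; investigate"
    return verdicts
```

A port that chkrootkit flags but netstat no longer shows deserves a closer look, since a rootkit may hide its own sockets from userland tools.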