CHKROOTKIT positive?
GARETTE Emmanuel
e.garette at atolcd.com
Thu Jun 29 14:36:48 CEST 2006
Ger Apeldoorn wrote:
>Hi,
>
>Today, after a mysterious server hang yesterday, I ran chkrootkit
>(www.chkrootkit.org) on my kolab 2.0.3 server.
>
>Among the output was this:
>
>--------------------%<------------------------
>Checking `bindshell'... INFECTED (PORTS: 465)
>--------------------%<------------------------
>
>Output from "netstat -lnpe | grep 465"
>--------------------%<------------------------
>tcp 0 0 0.0.0.0:465 0.0.0.0:*
>LISTEN 0 8404 4661/master
>--------------------%<------------------------
>
>Output from "ps ax | grep master"
>--------------------%<------------------------
> 4054 ? Ss 0:00 amavisd (master)
> 4661 ? Ss 0:06 /kolab/libexec/postfix/master
> 9773 ? S 0:01 /kolab/bin/cyrmaster
>--------------------%<------------------------
>
>As you can see, the open port 465 is owned by /kolab/libexec/postfix/master.
>
>The following questions arise:
>1) Is this a false positive?
>2) If you run chkrootkit on your Kolab server, do you get the same (false)
>positive?
>
>It probably is, just want to be on the safe side.
>
>As always, many thanks in advance,
>
>Ger.
>
>
http://kolab.org/pipermail/kolab-users/2005-December/004025.html
Regards
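
The triage steps in the quoted message (map the flagged port to a PID, then the PID to a binary) can be scripted as below. This is an added example, not part of the original thread or of chkrootkit; the function names and the second netstat line are constructed for illustration, and the expected path is the one shown in the quoted `ps` output.

```shell
#!/bin/sh
# Constructed sample input, modeled on the netstat/ps output quoted in the thread.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 0 8404 4661/master
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 1001 8120 4054/amavisd'
SAMPLE_PS=' 4054 ? Ss 0:00 amavisd (master)
 4661 ? Ss 0:06 /kolab/libexec/postfix/master
 9773 ? S 0:01 /kolab/bin/cyrmaster'

# listener_pid PORT: reads `netstat -lnpe` text on stdin, prints the PID(s)
# listening on PORT (field 4 = local address, field 9 = PID/program).
listener_pid() {
    awk -v port="$1" '$6 == "LISTEN" {
        n = split($4, a, ":")
        if (a[n] == port) { split($9, p, "/"); print p[1] }
    }' | sort -u
}

# pid_command PID: reads `ps ax` text on stdin, prints that PID's command.
# Matching on the PID column avoids the name collisions that a
# "grep master" produces (amavisd, postfix and cyrmaster all match).
pid_command() {
    awk -v pid="$1" '$1 == pid {
        for (i = 5; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
    }'
}

# triage_port PORT EXPECTED NETSTAT_TEXT PS_TEXT (hypothetical helper):
# prints a verdict; returns 1 if a listener is not the expected binary.
triage_port() {
    port=$1; expected=$2; netstat_out=$3; ps_out=$4
    pids=$(printf '%s\n' "$netstat_out" | listener_pid "$port")
    [ -n "$pids" ] || { echo "no-listener"; return 0; }
    for pid in $pids; do
        cmd=$(printf '%s\n' "$ps_out" | pid_command "$pid")
        case "$cmd" in
            "$expected"|"$expected "*) ;;
            *) echo "unexpected:$pid:$cmd"; return 1 ;;
        esac
    done
    echo "expected:$expected"
}

# On a live host, feed real output instead of the samples, e.g.:
#   triage_port 465 /kolab/libexec/postfix/master "$(netstat -lnpe)" "$(ps ax)"
triage_port 465 /kolab/libexec/postfix/master "$SAMPLE_NETSTAT" "$SAMPLE_PS"
```

The command line shown by `ps` can be set by the process itself, so on a live host `readlink /proc/4661/exe` is the stronger check of which binary holds the socket.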