chkrootkit false positive for bindshell ? - Security


  1. chkrootkit false positive for bindshell ?

    Hello,

    I'm using mandriva 2006.

    Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :

    Checking `bindshell'... INFECTED (PORTS: 1008)

    I don't know how it could be installed except by a program I installed
    yesterday (chkrootkit of the day before yesterday is clean of bindshell
    infection). I update my system every day. I use firestarter, which allows
    sshd for only a specific IP (my brother's). All the other ports are
    dropped.

    This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
    (as yesterday) doesn't tell me anything. I removed and re-installed
    chkrootkit and still no infection.

    Was it a false positive? How to check? Would it be enough to restore
    my 11-day-old partimage ghost (/home is on another partition)?

    Thanks for help.

    Gary

  2. Re: chkrootkit false positive for bindshell ?

    Gary wrote:
    > Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
    >
    > Checking `bindshell'... INFECTED (PORTS: 1008)
    >
    > I don't know how it could be installed except by a program I installed
    > yesterday (chkrootkit of the day before yesterday is clean of bindshell
    > infection). I update my system every day. I use firestarter, which allows
    > sshd for only a specific IP (my brother's). All the other ports are
    > dropped.
    >
    > This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
    > (as yesterday) doesn't tell me anything. I removed and re-installed
    > chkrootkit and still no infection.


    In my opinion you should take the system off the net.

    I do not think chkrootkit will report an incident if there is none.
    Consider that the intruder has done his work perfectly and therefore
    chkrootkit is not reporting anymore.

    If you have another system connected to it, try a portscan `nmap -P0
    -sS` or even better a complete nessus scan and compare the output with
    the one of `netstat -tupan` of the affected one. It will point out open
    ports of the system, in two different views (manipulated by the rootkit
    and open ports seen from outside).

    Maybe the other system has been infected as well, so you will need a
    clean system or a live CD with these tools installed to perform the checks.

    If you cannot find any differences, it is still possible that there's no
    server running but a process which will connect to a specific IP right
    after your external connection is established. There are several ways to
    monitor this traffic, but it will need another system or switch between
    the affected system and the external router/modem.

    > Was it a false positive? How to check? Would it be enough to restore
    > my 11-day-old partimage ghost (/home is on another partition)?


    I am not sure, but assuming the intruder can manipulate everything on
    the system, it probably wouldn't help. However I do not know what a
    ghost image is like.

    greetz,
    Eric


  4. Re: chkrootkit false positive for bindshell ?

    Gary wrote:
    > Hello,
    >
    > I'm using mandriva 2006.
    >
    > Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
    >
    > Checking `bindshell'... INFECTED (PORTS: 1008)
    >
    > I don't know how it could be installed except by a program I installed
    > yesterday (chkrootkit of the day before yesterday is clean of bindshell
    > infection). I update my system every day. I use firestarter, which allows
    > sshd for only a specific IP (my brother's). All the other ports are
    > dropped.
    >
    > This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
    > (as yesterday) doesn't tell me anything. I removed and re-installed
    > chkrootkit and still no infection.
    >
    > Was it a false positive? How to check? Would it be enough to restore
    > my 11-day-old partimage ghost (/home is on another partition)?
    >
    > Thanks for help.
    >
    > Gary


    Check these out first; I found a lot of false alarms:
    http://www.google.com/linux?hl=en&lr...29&btnG=Search

    greetz,
    Eric

  5. Re: chkrootkit false positive for bindshell ?

    EricT wrote:
    > Gary wrote:
    >> Hello,
    >>
    >> I'm using mandriva 2006.
    >>
    >> Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
    >>
    >> Checking `bindshell'... INFECTED (PORTS: 1008)
    >>
    >> This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
    >> (as yesterday) doesn't tell me anything. I removed and re-installed
    >> chkrootkit and still no infection.
    >>
    >> Was it a false positive? How to check? Would it be enough to restore
    >> my 11-day-old partimage ghost (/home is on another partition)?

    >
    > Check these out first; I found a lot of false alarms:
    > http://www.google.com/linux?hl=en&lr...29&btnG=Search


    Thanks.

  6. Re: chkrootkit false positive for bindshell ?

    On Wed, 14 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
    , EricT wrote:

    >Gary wrote:
    >> Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
    >>
    >> Checking `bindshell'... INFECTED (PORTS: 1008)


    >> This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
    >> (as yesterday) doesn't tell me anything. I removed and re-installed
    >> chkrootkit and still no infection.


    >In my opinion you should take the system off the net.


    In my opinion you should lose those windoze wannabe tools.

    >I do not think chkrootkit will report an incident if there is none.


    Point your news reader at 'alt.os.linux.mandrake' (or alt.os.linux.mandriva
    if your news server carries it), for this same thread. The problem was
    chkrootkit making a false assumption as usual - this was a rpc.statd
    running.

    I also responded in that group, and noted that the chkrootkit script is
    doing a netstat -an | egrep "^tcp.*LIST|^udp" | egrep "[.:]1008[^0-9.:]"
    and barfed when it found something listening on port 1008 WITHOUT BOTHERING
    TO INVESTIGATE FURTHER.

    People use these crappy scripts without taking the time to READ what the
    script is looking for. These are just scripts, and are interpretable into
    non-technical language without a lot of effort.

    >Consider that the intruder has done his work perfectly and therefore
    >chkrootkit is not reporting anymore.


    'chkrootkit', and the similar 'rkhunter' look for signs of problems that
    were seen in the past. The check for the '55808.A Worm' looks for files
    named '/tmp/.../a' or '/tmp/.../r'. If the rootkit author has changed the
    filename to '/tmp/.../A' or '/tmp/.../b' for example, the script will not
    detect anything. That is worse than worthless.

    >> Would it be enough to restore my 11-day-old partimage ghost (/home is
    >> on another partition)?

    >
    >I am not sure, but assuming the intruder can manipulate everything on
    >the system, it probably wouldn't help. However I do not know what a
    >ghost image is like.


    Norton "Ghost" is a windoze tool to make an image backup. Think of using
    the 'dd' command to copy a partition to another drive or media.

    Old guy
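    As an added example (not from the thread, and not chkrootkit's own code), the script below reproduces, on constructed `netstat -tupan` and `nmap -P0 -sS` samples, the three checks the replies describe: the port grep chkrootkit runs (Moe Trin's post above), the ownership lookup it skips, and Eric's comparison of the host's own port list with the view from a second machine. All addresses, ports, PIDs and program names in the samples are made up.

    ```shell
    # Constructed sample of `netstat -tupan` on the checked host (not a real capture).
    NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
    tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  812/sshd
    tcp        0      0 0.0.0.0:111      0.0.0.0:*        LISTEN  1200/portmap
    tcp        0      0 0.0.0.0:1008     0.0.0.0:*        LISTEN  1234/rpc.statd
    udp        0      0 0.0.0.0:1005     0.0.0.0:*                1234/rpc.statd
    tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN  900/cupsd'

    # Constructed sample of `nmap -P0 -sS` run against the host from a second machine.
    NMAP_SAMPLE='PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    1008/tcp open  unknown'

    # Step 1: the test chkrootkit applies to one port, as quoted in the thread
    # (egrep "^tcp.*LIST|^udp" | egrep "[.:]PORT[^0-9.:]"). Prints yes/no.
    chkrootkit_bindshell_hit() {
      if printf '%s\n' "$NETSTAT_SAMPLE" | grep -E '^tcp.*LIST|^udp' \
           | grep -qE "[.:]$1[^0-9.:]"; then echo yes; else echo no; fi
    }

    # Step 2: the part chkrootkit skips: which process owns that socket?
    # Column 4 is the local address, the last column is PID/Program name.
    owner_of_port() {
      printf '%s\n' "$NETSTAT_SAMPLE" | awk -v p="$1" \
        '$4 ~ ("[.:]" p "$") { print $NF; found = 1 }
         END { if (!found) print "unknown" }'
    }

    # Step 3: compare the host's own view with the outside view.
    inside_tcp_ports() {   # TCP listeners reported by the host itself
      printf '%s\n' "$NETSTAT_SAMPLE" \
        | awk '$1 == "tcp" && $6 == "LISTEN" { sub(/.*[.:]/, "", $4); print $4 }' \
        | sort -n | uniq
    }
    outside_tcp_ports() {  # TCP ports nmap saw open from the second machine
      printf '%s\n' "$NMAP_SAMPLE" \
        | awk '$2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' | sort -n | uniq
    }
    # Ports open from outside that the host does not admit to: a sign that
    # netstat itself has been tampered with. Empty output means the views agree.
    hidden_ports() {
      inside=$(inside_tcp_ports)
      for p in $(outside_tcp_ports); do
        printf '%s\n' "$inside" | grep -qx "$p" || echo "$p"
      done
    }

    echo "chkrootkit hit on 1008: $(chkrootkit_bindshell_hit 1008), owner: $(owner_of_port 1008)"
    echo "ports visible only from outside: $(hidden_ports | tr '\n' ' ')"
    ```

    On the sample the flagged port resolves to rpc.statd and the two views agree, which is the outcome the thread reports; a non-empty `hidden_ports` result is the case Eric's comparison is meant to catch.
    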

  7. Re: chkrootkit false positive for bindshell ?

    Moe Trin wrote:
    > On Wed, 14 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
    > , EricT wrote:
    >
    >>>Would it be enough to restore my 11-day-old partimage ghost (/home is
    >>>on another partition)?

    >>
    >>I am not sure, but assuming the intruder can manipulate everything on
    >>the system, it probably wouldn't help. However I do not know what a
    >>ghost image is like.

    >
    >
    > Norton "Ghost" is a windoze tool to make an image backup. Think of using
    > the 'dd' command to copy a partition to another drive or media.


    There's also g4l (ghost for linux) and partimage which make ghosts of a
    partition. partimage has the great advantage of not copying empty blocks but
    just the used space, and it is very fast compared to others (4 GB in 5
    minutes). But partimage needs the partition-to-ghost to be unmounted,
    so I make mdv06 ghosts from opensuse and vice-versa.

    Bye
    Gary

  8. Re: chkrootkit false positive for bindshell ?

    If you are running the portsentry daemon, it can generate false
    positives in chkrootkit, since portsentry essentially acts as a
    honeypot, blocking users who attempt to use backdoors to access the
    system. Just reconfigure portsentry so that it doesn't bind to ports
    checked by chkrootkit.

    Jeff


  9. Re: chkrootkit false positive for bindshell ?

    antiright@gmail.com wrote:
    > If you are running the portsentry daemon, it can generate false
    > positives in chkrootkit, since portsentry essentially acts as a
    > honeypot, blocking users who attempt to use backdoors to access the
    > system. Just reconfigure portsentry so that it doesn't bind to ports
    > checked by chkrootkit.


    Thanks. In fact it was rpc.statd which was using port 1008 (a random port)
    and got detected.
    ++
    Gary
