chkrootkit false positive for bindshell ? - Security
-
chkrootkit false positive for bindshell ?
Hello,
I'm using mandriva 2006.
Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
Checking `bindshell'... INFECTED (PORTS: 1008)
I don't know how it could be installed except by a program I installed
yesterday (chkrootkit of the day before yesterday is clean of bindshell
infection). I update my system every day. I use firestarter, which allows
sshd for only a specific IP (my brother's one). All the other ports are
dropped.
This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
(as yesterday) doesn't tell me anything. I removed and re-installed
chkrootkit and still no infection.
Was it a false positive ? How to check ? Would it be enough to restore
my 11-day-old partimage ghost (/home is on another partition) ?
Thanks for help.
Gary
-
Re: chkrootkit false positive for bindshell ?
Gary wrote:
> Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
>
> Checking `bindshell'... INFECTED (PORTS: 1008)
>
> I don't know how it could be installed except by a program I installed
> yesterday (chkrootkit of the day before yesterday is clean of bindshell
> infection). I update my system every day. I use firestarter, which allows
> sshd for only a specific IP (my brother's one). All the other ports are
> dropped.
>
> This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
> (as yesterday) doesn't tell me anything. I removed and re-installed
> chkrootkit and still no infection.
In my opinion you should take the system off the net.
I do not think, chkrootkit will report an incident, if there is none.
Consider that the intruder has done his work perfectly and therefore
chkrootkit is not reporting anymore.
If you have another system connected to it, try a portscan `nmap -P0
-sS` or even better a complete nessus scan and compare the output with
the one of `netstat -tupan` of the affected one. It will point out open
ports of the system, in two different views (manipulated by the rootkit
and open ports seen from outside).
Maybe the other system has been infected as well, so you will need a
clean system or a live CD with these tools installed to perform the checks.
If you cannot find any differences, it's still possible that there's no
server running but a process which will connect to a specific ip right
after your external connection is established. There are several ways to
monitor this traffic, but it will need another system or switch between
the affected system and the external router/modem.
> Was it a false positive ? How to check ? Would it be enough to restore
> my 11-day-old-partimage ghost (/home is on another partition) ?
I am not sure, but assuming the intruder can manipulate everything on
the system, it probably wouldn't help. However I do not know what a
ghost image is like.
greetz,
Eric
-
Re: chkrootkit false positive for bindshell ?
Gary wrote:
> Hello,
>
> I'm using mandriva 2006.
>
> Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
>
> Checking `bindshell'... INFECTED (PORTS: 1008)
>
> I don't know how it could be installed except by a program I installed
> yesterday (chkrootkit of the day before yesterday is clean of bindshell
> infection). I update my system every day. I use firestarter, which allows
> sshd for only a specific IP (my brother's one). All the other ports are
> dropped.
>
> This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
> (as yesterday) doesn't tell me anything. I removed and re-installed
> chkrootkit and still no infection.
>
> Was it a false positive ? How to check ? Would it be enough to restore
> my 11-day-old-partimage ghost (/home is on another partition) ?
>
> Thanks for help.
>
> Gary
check these out first, found a lot of false alarms:
http://www.google.com/linux?hl=en&lr...29&btnG=Search
greetz,
Eric
-
Re: chkrootkit false positive for bindshell ?
EricT wrote:
> Gary wrote:
>> Hello,
>>
>> I'm using mandriva 2006.
>>
>> Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
>>
>> Checking `bindshell'... INFECTED (PORTS: 1008)
>>
>> This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
>> (as yesterday) doesn't tell me anything. I removed and re-installed
>> chkrootkit and still no infection.
>>
>> Was it a false positive ? How to check ? Would it be enough to restore
>> my 11-day-old-partimage ghost (/home is on another partition) ?
>
> check these out first, found a lot of false alarms:
> http://www.google.com/linux?hl=en&lr...29&btnG=Search
Thanks.
-
Re: chkrootkit false positive for bindshell ?
On Wed, 14 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
, EricT wrote:
>Gary wrote:
>> Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :
>>
>> Checking `bindshell'... INFECTED (PORTS: 1008)
>> This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
>> (as yesterday) doesn't tell me anything. I removed and re-installed
>> chkrootkit and still no infection.
>In my opinion you should take the system off the net.
In my opinion you should lose those windoze wannabe tools.
>I do not think, chkrootkit will report an incident, if there is none.
Point your news reader at 'alt.os.linux.mandrake' (or alt.os.linux.mandriva
if your news server carries it), for this same thread. The problem was
chkrootkit making a false assumption as usual - this was a rpc.statd
running.
I also responded in that group, and noted that the chkrootkit script is
doing a netstat -an | egrep "^tcp.*LIST|^udp" | egrep "[.:]1008[^0-9.:]"
and barfed when it found something listening on port 1008 WITHOUT BOTHERING
TO INVESTIGATE FURTHER.
People use these crappy scripts without taking the time to READ what the
script is looking for. These are just scripts, and are interpretable into
non-technical language without a lot of effort.
>Consider that the intruder has done his work perfectly and therefore
>chkrootkit is not reporting anymore.
'chkrootkit', and the similar 'rkhunter' look for signs of problems that
were seen in the past. The check for the '55808.A Worm' looks for files
named '/tmp/.../a' or '/tmp/.../r'. If the rootkit author has changed the
filename to '/tmp/.../A' or '/tmp/.../b' for example, the script will not
detect anything. That is worse than worthless.
>> Would it be enough to restore my 11-day-old partimage ghost (/home is
>> on another partition) ?
>
>I am not sure, but assuming the intruder can manipulate everything on
>the system, it probably wouldn't help. However i do not know what a
>ghost image is like.
Norton "Ghost" is a windoze tool to make an image backup. Think of using
the 'dd' command to copy a partition to another drive or media.
Old guy
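The two practical suggestions in this thread, Eric's "compare what nmap sees from outside with what netstat shows from inside" and Moe Trin's point that chkrootkit's bindshell test stops at the netstat match without asking who owns the port, can both be turned into one small triage script. What follows is an added example written for this page; it is not chkrootkit's code and was not posted in the thread. The `netstat -tupan`, `nmap -P0 -sS` and `rpcinfo -p` outputs embedded in it are constructed samples, and every port in the bindshell list other than 1008 is an assumed illustrative entry, not the exact list chkrootkit 0.45 carries.

```python
"""Added example (not chkrootkit's code): reproduce chkrootkit's bindshell
test, then do the two things it skips: attribute the port to a process and
to the RPC portmapper, and compare the host's view with an external scan.
All sample outputs below are constructed for this example, not captured."""
import re

# Ports matched by the bindshell test. 1008 is the port from the thread; the
# others are assumed illustrative entries, not the exact list in chkrootkit 0.45.
BINDSHELL_PORTS = (114, 145, 465, 1008, 1524, 31337)

# Constructed `netstat -tupan` output (run as root, or the PID/Program column is "-").
NETSTAT_TUPAN = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1090/portmap
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      1121/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1304/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:1006            0.0.0.0:*                           1121/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1090/portmap
"""

# Constructed `nmap -P0 -sS` output taken from a second, clean machine.
# 31337/tcp is open from outside but absent from the netstat above.
NMAP_SS = """\
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
1008/tcp  open  ufsd
1524/tcp  open  ingreslock
31337/tcp open  unknown
"""

# Constructed `rpcinfo -p` output from the same host; program 100024 "status" is rpc.statd.
RPCINFO_P = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1006  status
    100024    1   tcp   1008  status
"""


def local_listeners(netstat_tupan):
    """Map (proto, port) -> 'pid/program' for LISTENing TCP and all UDP sockets."""
    owners = {}
    for line in netstat_tupan.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        proto = f[0].rstrip("6")
        if proto == "tcp" and "LISTEN" not in f:
            continue                      # established/TIME_WAIT: not a listener
        port = int(f[3].rsplit(":", 1)[1])
        owners[(proto, port)] = f[-1]     # "-" when the owning process is not visible
    return owners


def external_open_tcp(nmap_text):
    """TCP ports nmap reports open (lines like '1008/tcp  open  ufsd')."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\s", nmap_text, re.M)}


def hidden_listeners(nmap_text, netstat_tupan):
    """Eric's check: TCP ports open from outside that the host's own netstat does not list."""
    local_tcp = {port for (proto, port) in local_listeners(netstat_tupan) if proto == "tcp"}
    return sorted(external_open_tcp(nmap_text) - local_tcp)


def chkrootkit_bindshell_hits(netstat_text):
    """The test chkrootkit runs, as quoted by Moe Trin:
    netstat -an | egrep "^tcp.*LIST|^udp" | egrep "[.:]PORT[^0-9.:]"
    Any socket on a listed port is 'INFECTED'; nothing further is checked."""
    hits = set()
    for line in netstat_text.splitlines():
        if not re.match(r"^tcp.*LIST|^udp", line):
            continue
        for port in BINDSHELL_PORTS:
            if re.search(rf"[.:]{port}[^0-9.:]", line):
                hits.add(port)
    return sorted(hits)


def rpc_registrations(rpcinfo_p):
    """Map (proto, port) -> RPC service name from `rpcinfo -p`."""
    regs = {}
    for line in rpcinfo_p.splitlines():
        f = line.split()
        if len(f) == 5 and f[0].isdigit():
            regs[(f[2], int(f[3]))] = f[4]
    return regs


def triage_bindshell(netstat_tupan, rpcinfo_p):
    """The step chkrootkit skips: attribute every bindshell-port hit before crying wolf."""
    owners = local_listeners(netstat_tupan)
    regs = rpc_registrations(rpcinfo_p)
    verdicts = {}
    for port in chkrootkit_bindshell_hits(netstat_tupan):
        for proto in ("tcp", "udp"):
            key = (proto, port)
            if key not in owners:
                continue
            owner = owners[key]
            if key in regs:
                verdicts[key] = f"explained: {owner}, registered with portmapper as '{regs[key]}'"
            elif owner == "-":
                verdicts[key] = "suspicious: no visible owning process (rerun as root, then lsof -i)"
            else:
                verdicts[key] = f"unexplained: owned by {owner}, not an RPC service; inspect that binary"
    return verdicts


if __name__ == "__main__":
    print("chkrootkit would flag ports:", chkrootkit_bindshell_hits(NETSTAT_TUPAN))
    for key, verdict in triage_bindshell(NETSTAT_TUPAN, RPCINFO_P).items():
        print(f"  {key[0]}/{key[1]}: {verdict}")
    print("open from outside but hidden locally:", hidden_listeners(NMAP_SS, NETSTAT_TUPAN))
```

On a real host, feed the script the output of the three commands instead of the embedded samples, and run netstat as root or the PID/Program column will read "-" for everything you do not own. The attribution step resolves the case in this thread (rpc.statd binds a port the portmapper hands out, which on that day happened to be 1008) without weakening Eric's warning: a kernel-level rootkit can lie to netstat, rpcinfo and lsof alike, which is why the nmap view has to come from a second, clean machine or a live CD.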
-
Re: chkrootkit false positive for bindshell ?
Moe Trin wrote:
> On Wed, 14 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
> , EricT wrote:
>
>>>Would it be enough to restore my 11-day-old partimage ghost (/home is
>>>on another partition) ?
>>
>>I am not sure, but assuming the intruder can manipulate everything on
>>the system, it probably wouldn't help. However i do not know what a
>>ghost image is like.
>
>
> Norton "Ghost" is a windoze tool to make an image backup. Think of using
> the 'dd' command to copy a partition to another drive or media.
There's also g4l (ghost for linux) and partimage which make ghosts of a
partition. partimage has the great advantage of not copying empty blocks but
just the used space, and it is very fast compared to others (4 GB in 5
minutes). But partimage needs the partition-to-ghost to be unmounted,
so I make mdv06 ghosts from opensuse and vice-versa.
Bye
Gary
-
Re: chkrootkit false positive for bindshell ?
If you are running the portsentry daemon, it can generate false
positives in chkrootkit, since the portsentry essentially acts as a
honeypot, blocking users who attempt to use backdoors to access the
system. Just reconfigure portsentry so that it doesnt bind to ports
checked by chkrootkit.
Jeff
-
Re: chkrootkit false positive for bindshell ?
antiright@gmail.com wrote:
> If you are running the portsentry daemon, it can generate false
> positives in chkrootkit, since the portsentry essentially acts as a
> honeypot, blocking users who attempt to use backdoors to access the
> system. Just reconfigure portsentry so that it doesnt bind to ports
> checked by chkrootkit.
Thanks, in fact it was rpc.statd which was using port 1008 (random port)
and detected.
++
Gary