On Thu, 23 Jul 2015 14:56:00 -0400, William wrote:
Hi all,
While doing my routine patches and scans, "chkrootkit" reported the following:
(*** snip ***)
Checking `asp'... not infected
Checking `bindshell'...
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
warning, got bogus l2cap line.
INFECTED (PORTS: 3133)
Checking `lkm'... chkproc: nothing detected
(*** snip ***)
I ran "rkhunter" immediately after the "chkrootkit" run finished, and it reported no problems. How do I determine if this is a false alarm or a real problem?
By examining the chkrootkit program -- it's a large shell script with a few helper tools -- to understand what it does to perform a check.
At http://bugz.fedoraproject.org/chkrootkit somebody has looked into the l2cap warning before.
If this is a real problem, what should I do about it? Also, as I'm neither a security expert nor a sysadmin, what is port 3133 used for?
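
Added example, not part of the original thread: the "INFECTED (PORTS: 3133)" line names a port, not a program, so a first triage step is to see which process owns that port. The helper below filters `ss -H -ltnup` style output for an exact port match; the function names and the sample lines (including the rpc.statd owner) are constructed for illustration and say nothing about what was listening on William's machine.

```shell
# Constructed sample of `ss -H -ltnup` output (not taken from the thread).
sample_ss_output() {
cat <<'EOF'
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
udp UNCONN 0 0 0.0.0.0:3133 0.0.0.0:* users:(("rpc.statd",pid=640,fd=8))
tcp LISTEN 0 5 127.0.0.1:31337 0.0.0.0:* users:(("devtool",pid=2201,fd=4))
tcp LISTEN 0 128 [::]:3133 [::]:* users:(("rpc.statd",pid=640,fd=9))
EOF
}

# Print "proto local-address owner" for every socket bound to exactly PORT.
# Reads ss-style lines on stdin. ss only fills in the owner column when it
# is run with enough privilege to see the process, hence the fallback text.
listeners_on_port() {
    awk -v port="$1" '
        {
            n = split($5, part, ":")      # port follows the last colon (works for [::]:3133)
            if (part[n] != port) next     # exact match only: 31337 is not 3133
            owner = ($7 == "") ? "(unknown: rerun as root)" : $7
            print $1, $5, owner
        }'
}

# Demo on the constructed sample. On a live system, as root:
#   ss -H -ltnup | listeners_on_port 3133
sample_ss_output | listeners_on_port 3133
```

If the owner is a daemon you recognise and its binary verifies against the package database, the port hit is most likely a false alarm; a socket on that port with no visible owner even as root deserves a closer look.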