Good afternoon,
On 07/23/2015 02:56 PM, William wrote:
Hi all,
While doing my routine patches and scans, "chkrootkit reported the following:
(*** snip ***) Checking `asp'... not infected Checking `bindshell'... warning, got bogus l2cap line. warning, got bogus l2cap line. (*** snip ***) warning, got bogus l2cap line. INFECTED (PORTS: 3133) Checking `lkm'... chkproc: nothing detected (*** snip ***)
I ran "rkhunter" immediately after the "chkrootkit" run finished, and it reported no problems. How do I determine if this is a false alarm or a real problem? If this is a real problem, what should I do about it? Also, as I'm neither a security expert nor a sysadmin, what is port 3133 used for?
thanks, Bill.
I realized a lot later that I also should have mentioned that the "chkrootkit" run was shortly after doing "yum update", "prelink -a", and rebooting. I don't know if that's significant.
By examining the chkrootkit program -- it's a large shell script with a few helper tools -- to understand what it does to perform a check.
??? I looked at that long sh script. It didn't help. I don't see how knowing that chkrootkit uses "netstat" to check a port tells me whether or not I have a real problem. I don't understand what it means that a port is infected. I am a home user stuck doing his own sysadmin and security with no training or experience in these things.
Do I have a security problem? If yes, how do I fix it?
At http://bugz.fedoraproject.org/chkrootkit somebody has looked into the l2cap warning before.
Thank-you.
thanks, Bill.