F12 Rkhunter, Have I a rootkit?

Rick Stevens ricks at nerd.com
Tue Jan 5 22:50:01 UTC 2010


On 01/05/2010 01:19 PM, Bill Davidsen wrote:
> Frank Murphy (Frankly3D) wrote:
>> On 05/01/10 11:06, Andrew Haley wrote:
>>> On 01/05/2010 10:54 AM, Frank Murphy (Frankly3D) wrote:
>>>> ---------------------- Start Rootkit Hunter Scan ----------------------
>>>> Warning: Network TCP port 47107 is being used by
>>>> /usr/lib64/thunderbird-3.0/thunderbird-bin. Possible rootkit: T0rn
>>>> Use the 'lsof -i' or 'netstat -an' command to check this.
>>>>
>>>>
>>>> Results of 'lsof -i' and 'netstat -an'
>>>> http://fpaste.org/xOOO/
>>> Port 47107 isn't being used any more. This was just TCP using a random
>>> unreserved port.
>>>
>>> Andrew.
>>>
>>
>> Basically ignore this in future, with that port?
>>
> Absolutely not! If you ever get it again check it again. Learn how to do
> that, lsof is not rocket science.

"netstat -lpn" will show you which program is listening on which port
(assuming netstat wasn't compromised in a rootkit).

When you install a system, ALWAYS put copies of programs like ps, lsof,
netstat, ls, lsattr, chattr, rkhunter (and any other forensic tools you
can think of) and their required libraries on a thumbdrive or some other
removable media BEFORE you connect the machine to the internet.  You
then have pristine copies of the tools you may need to find a rootkit.

It's saved many an arse in the past.  Believe me.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks at nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- grasshopotomaus: A creature that can leap to tremendous heights... -
-                                                ...once.            -
----------------------------------------------------------------------
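The two pieces of advice in the reply above (find out which program owns a port, and keep pristine copies of the checking tools off-box) as an added shell example. This is not code from the thread or from rkhunter; the `netstat -lpn` output it parses is constructed, the PIDs and program names in it are made up, and the pristine-copy helpers only copy the binaries themselves (the shared libraries the post mentions would still need to be gathered separately, e.g. from `ldd`).

```shell
#!/bin/sh
# Added example: helpers around "which program is on that port?" and
# "check the live tool against a pristine copy".

# Constructed sample of `netstat -lpn` output (not a real capture; the
# PIDs and program names are invented for the example).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      987/cupsd
tcp6       0      0 :::47107                :::*                    LISTEN      2048/thunderbird-bi
udp        0      0 0.0.0.0:68              0.0.0.0:*                           777/dhclient'

# port_owner PORT: read `netstat -lpn` text on stdin and print the
# PID/Program column for every socket bound to PORT. Exit 1 if nothing
# is bound there (the rkhunter warning was about a port that had already
# been released, which is exactly this case).
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")      # port is the last ":"-separated field
            if (a[n] == port) { print $NF; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# file_digest PATH: SHA-256 where available, POSIX cksum (CRC, weaker) as a
# fallback so the example still runs on minimal systems.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        cksum "$1" | awk '{ print $1 }'
    fi
}

# stash_tool INSTALLED_PATH PRISTINE_DIR: copy a tool to the removable-media
# directory and record its digest in a manifest, before the box goes online.
stash_tool() {
    mkdir -p "$2"
    cp -p "$1" "$2/$(basename "$1")"
    printf '%s  %s\n' "$(file_digest "$1")" "$(basename "$1")" >> "$2/MANIFEST"
}

# verify_tool NAME PRISTINE_DIR INSTALLED_PATH: 0 if the installed binary
# matches the pristine copy, 1 if it differs, 2 if no pristine copy exists.
verify_tool() {
    pristine="$2/$1"
    [ -f "$pristine" ] || return 2
    [ "$(file_digest "$pristine")" = "$(file_digest "$3")" ]
}

# Demo on the constructed sample: who had port 47107?
printf '%s\n' "$SAMPLE_NETSTAT" | port_owner 47107
```

Run the pristine checks from the removable media, not from the installed tools: `verify_tool netstat /media/usb/tools /bin/netstat` tells you whether the on-box `netstat` still matches what you stashed at install time, and a mismatch after a legitimate package update is expected (re-stash after updates), while a mismatch with no update is the thing worth investigating.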