F21: infection reported by "chkrootkit".
William
mattison.computer at yahoo.com
Tue Jul 28 17:55:47 UTC 2015
Good afternoon,
On 07/23/2015 02:56 PM, William wrote:
> Hi all,
>
> While doing my routine patches and scans, "chkrootkit reported the
> following:
>
> (*** snip ***)
> Checking `asp'... not infected
> Checking `bindshell'... warning, got bogus l2cap line.
> warning, got bogus l2cap line.
> (*** snip ***)
> warning, got bogus l2cap line.
> INFECTED (PORTS: 3133)
> Checking `lkm'... chkproc: nothing detected
> (*** snip ***)
>
> I ran "rkhunter" immediately after the "chkrootkit" run finished, and
> it reported no problems. How do I determine if this is a false alarm
> or a real problem? If this is a real problem, what should I do about
> it? Also, as I'm neither a security expert nor a sysadmin, what is
> port 3133 used for?
>
> thanks,
> Bill.
I realized a lot later that I also should have mentioned that the
"chkrootkit" run was shortly after doing "yum update", "prelink -a", and
rebooting. I don't know if that's significant.
> By examining the chkrootkit program -- it's a large shell script with
> a few helper tools -- to understand what it does to perform a check.
??? I looked at that long sh script. It didn't help. I don't see how
knowing that chkrootkit uses "netstat" to check a port tells me whether
or not I have a real problem. I don't understand what it means that a
port is infected. I am a home user stuck doing his own sysadmin and
security with no training or experience in these things.
Do I have a security problem? If yes, how do I fix it?
> At http://bugz.fedoraproject.org/chkrootkit somebody has looked into
> the l2cap warning before.
Thank-you.
thanks,
Bill.
More information about the users
mailing list