F21: infection reported by "chkrootkit".
William
mattison.computer at yahoo.com
Tue Jul 28 21:37:21 UTC 2015
On 07/28/2015 01:55 PM, William wrote:
> Good afternoon,
>
> On 07/23/2015 02:56 PM, William wrote:
>> Hi all,
>>
>> While doing my routine patches and scans, "chkrootkit reported the
>> following:
>>
>> (*** snip ***)
>> Checking `asp'... not infected
>> Checking `bindshell'... warning, got bogus l2cap line.
>> warning, got bogus l2cap line.
>> (*** snip ***)
>> warning, got bogus l2cap line.
>> INFECTED (PORTS: 3133)
>> Checking `lkm'... chkproc: nothing detected
>> (*** snip ***)
>>
>> I ran "rkhunter" immediately after the "chkrootkit" run finished, and
>> it reported no problems. How do I determine if this is a false alarm
>> or a real problem? If this is a real problem, what should I do about
>> it? Also, as I'm neither a security expert nor a sysadmin, what is
>> port 3133 used for?
>>
>> thanks,
>> Bill.
>
> I realized a lot later that I also should have mentioned that the
> "chkrootkit" run was shortly after doing "yum update", "prelink -a",
> and rebooting. I don't know if that's significant.
>
> > By examining the chkrootkit program -- it's a large shell script with
> > a few helper tools -- to understand what it does to perform a check.
>
> ??? I looked at that long sh script. It didn't help. I don't see
> how knowing that chkrootkit uses "netstat" to check a port tells me
> whether or not I have a real problem. I don't understand what it
> means that a port is infected. I am a home user stuck doing his own
> sysadmin and security with no training or experience in these things.
>
> Do I have a security problem? If yes, how do I fix it?
>
> > At http://bugz.fedoraproject.org/chkrootkit somebody has looked into
> > the l2cap warning before.
>
> Thank-you.
>
> thanks,
> Bill.
> I'm not sure why you're using prelink, but if you're worried about
> security you might consider adding -r to the command.
Some time ago, I was getting a lot of warnings from "rkhunter". Both
John Horne (of "rkhunter" fame) and the "rkhunter" warnings suggested I
do a "prelink -a" after doing "yum update", but before running
"rkhunter". It worked. So I always run "prelink -a" after doing "yum
update" and before doing "chkrootkit" and "rkhunter".
The "-r" option requires an address. What address should I provide?
Did you mean "-R" or "-r"?
thanks,
Bill.
More information about the users
mailing list