Web Hosting Talk

Question on cpanel and rootkit


fireform90
08-20-2003, 06:40 PM
Hello,

I have recently used rootkit and noticed the following message:


Checking `bindshell'... INFECTED (PORTS: 465)

I don't believe this is normal. Does anyone have any advice on what steps to take? I have checked system logs for discrepancies but do not know what else to do.

I am looking into installing tripwire, but am unsure how well this works with cpanel installed (and as I understand it, tripwire should be installed on a clean system).

Any help would be greatly appreciated.

dan_erat
08-20-2003, 06:53 PM
I hope it was chkrootkit that you installed, and not a rootkit. :)

chkrootkit just checks to see if anything is listening on port 465. In this case, the program that it's seeing is Exim, which is waiting for SMTP-over-SSL connections.

So yes, you should still install tripwire or some similar program, but no, bindshell isn't listening on port 465 on your cPanel server.
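What dan_erat describes can be checked rather than taken on trust. The following added example (not code from the thread, from chkrootkit or from cPanel) reproduces the logic of chkrootkit's `bindshell' test, which only asks whether something is LISTENing on a fixed list of ports, and then does the follow-up a practitioner wants: attribute each hit to the process that owns the socket. It runs against a constructed `netstat -tlnp` sample so it works offline; the port list is assumed to match chkrootkit's, and the allowlist of expected owners (`exim`) is an assumption for an Exim-based cPanel box.

```shell
#!/bin/sh
# Added example: what chkrootkit's `bindshell' test does (look for a LISTEN
# socket on a fixed port list) against a constructed netstat sample, followed
# by attribution of each hit to its owning process.

# Assumed to match chkrootkit's bindshell port list; 465 is on it, which is why
# an MTA's SMTPS listener produces "INFECTED (PORTS: 465)".
BINDSHELL_PORTS="465 511 1008 1524 1999 1978 2881 3049 3133 3879 4369 5190 5665 10008 12321 23132 27374 29364 30999 31336 31337 37998 45454 60001 64123"

# Programs expected to own one of those ports on this host (assumption).
EXPECTED_OWNERS="exim"

# Constructed `netstat -tlnp` output standing in for the live machine.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1523/exim
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      1523/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1601/httpd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2999/sh'

# flagged_ports NETSTAT_TEXT: the ports chkrootkit would report, in listen order
flagged_ports() {
    printf '%s\n' "$1" | awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # strip the address part
            if ((port in want) && !(port in seen)) {
                seen[port] = 1
                out = (out == "") ? port : out " " port
            }
        }
        END { print out }'
}

# owner_of_port PORT NETSTAT_TEXT: "PID/program" of the listener, or "unknown"
owner_of_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $6 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)
            if (p == port) { print $7; found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# verdict PORT NETSTAT_TEXT: "expected:<program>" when the owner is on the
# allowlist, otherwise "investigate:<program>"
verdict() {
    owner=$(owner_of_port "$1" "$2")
    prog=${owner#*/}
    for e in $EXPECTED_OWNERS; do
        [ "$prog" = "$e" ] && { printf 'expected:%s\n' "$prog"; return 0; }
    done
    printf 'investigate:%s\n' "$prog"
}

# Triage every port the bindshell test would flag.
for port in $(flagged_ports "$SAMPLE_NETSTAT"); do
    printf 'port %s listener %s -> %s\n' "$port" \
        "$(owner_of_port "$port" "$SAMPLE_NETSTAT")" \
        "$(verdict "$port" "$SAMPLE_NETSTAT")"
done
```

On the sample, 465 is attributed to exim and 31337 to a bare `sh`, which is the difference between the false positive in this thread and a real bind shell. The program-name check is a triage step only: a planted shell can call itself `exim` too, so confirm the binary behind the PID (for example with `lsof -i :465` and `readlink /proc/PID/exe`) against a file-integrity baseline, and remember that a kernel-level rootkit can hide a listener from netstat entirely.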

fireform90
08-20-2003, 07:46 PM
Actually, someone has been spamming off the machine. They are sending out a very illegal email that tries to get people's credit card information through ebay fraud.

I really want to get this guy nailed; I have a lot of information on him.

mainarea
08-20-2003, 08:07 PM
Their spamming has nothing to do with port 465. How are they spamming, are they using formmail or do they have an account on your server?

- Matt

fireform90
08-20-2003, 08:30 PM
Someone has been placing files in random accounts. Two different accounts have been exploited and have had mail.php scripts placed in them.

They are putting in their own formmail

fireform90
08-20-2003, 08:32 PM
BTW..

The files are placed in by root inside the cgi-bin directory.

rusko
08-20-2003, 09:26 PM
fireform,

if the files are owned by root, your server has been compromised. back up (non-executable) data, request an OS restore, secure the machine and restore backups.

paul

mainarea
08-20-2003, 10:24 PM
Originally posted by rusko
fireform,

if the files are owned by root, your server has been compromised. back up (non-executable) data, request an OS restore, secure the machine and restore backups.

paul
You should also change your root pw ASAP, and after your server is reinstalled, make a really long password with lowercase and uppercase letters, numbers, and possibly symbols such as %,$,#,@,!,&,*,^,(,) and anything else that your keyboard has.

- Matt

trakwebster
08-20-2003, 11:49 PM
Originally posted by fireform90
Someone has been placing files in random accounts. Two different accounts have been exploited and have had mail.php scripts placed in them.

They are putting in their own formmail
I don't know if this would be useful, but I believe there is a program called "Report FormMail" which monitors your server for formmail usage. After you get your server restored, you might want to do a search and install this program as a way to keep track.

However, if your spammer is really installing 'formmail.pl' and not some other name, then tripwire will give you each night an email reporting files which have changed. If you watch that daily report or grep it for 'formmail' that would also monitor on your behalf.
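The nightly report trakwebster describes is a baseline-and-compare check. The following added example (not code from the thread, from tripwire or from "Report FormMail") strips that mechanism down to a hash snapshot of a directory tree, a diff of two snapshots, and a filter for the dropped-mailer names this thread mentions (formmail variants, mail.php in cgi-bin); it also carries the live-system `find` for rusko's point about root-owned files in customer web trees. It runs against a constructed temporary tree so it works offline; the account names, file names and file contents are made up, and `sha256sum` is assumed to be available (GNU coreutils).

```shell
#!/bin/sh
# Added example: hash snapshot, snapshot diff, and name filter, in the spirit of
# a nightly tripwire report. All paths and contents below are constructed.

# snapshot DIR: one "sha256  ./relative/path" line per regular file, sorted by path
snapshot() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2)
}

# compare_snapshots OLD NEW: prints "added|changed|removed PATH" lines, sorted
compare_snapshots() {
    awk 'NR == FNR { old[$2] = $1; next }
         {
             if (!($2 in old))       print "added " $2
             else if (old[$2] != $1) print "changed " $2
             delete old[$2]
         }
         END { for (p in old) print "removed " p }' "$1" "$2" | sort
}

# mailer_hits: keep only diff lines whose path looks like the scripts the
# thread describes (formmail variants, mail.php inside a cgi-bin)
mailer_hits() {
    grep -iE '(formmail|/cgi-bin/mail\.php$)' || true
}

# root_owned_in_homes HOMEROOT: live-system check for rusko's indicator, files
# owned by root inside customers' web trees. Not exercised by the demo below,
# whose files are all owned by the user running it.
root_owned_in_homes() {
    find "$1" -path '*/public_html/*' -type f -user root
}

# demo_run: build a tree, baseline it, simulate the drop described in the
# thread, and print the resulting diff
demo_run() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/site/home/alice/public_html/cgi-bin" \
             "$tmp/site/home/bob/public_html/cgi-bin"
    printf '#!/usr/bin/perl\nprint "hits: 1\\n";\n' \
        > "$tmp/site/home/alice/public_html/cgi-bin/counter.pl"
    printf '<html>bob</html>\n' > "$tmp/site/home/bob/public_html/index.html"
    snapshot "$tmp/site" > "$tmp/baseline.txt"

    # Simulated intrusion: a new mailer appears in one account's cgi-bin and an
    # existing script is altered in another (contents are placeholders).
    printf '<?php /* placeholder for a dropped mailer */ ?>\n' \
        > "$tmp/site/home/bob/public_html/cgi-bin/mail.php"
    printf '#!/usr/bin/perl\nprint "hits: 2\\n";\n' \
        > "$tmp/site/home/alice/public_html/cgi-bin/counter.pl"
    snapshot "$tmp/site" > "$tmp/today.txt"

    compare_snapshots "$tmp/baseline.txt" "$tmp/today.txt"
    rm -rf "$tmp"
}

diff_out=$(demo_run)
printf 'full report:\n%s\n' "$diff_out"
printf 'mailer hits:\n%s\n' "$(printf '%s\n' "$diff_out" | mailer_hits)"
```

The diff reports both the new `mail.php` and the altered `counter.pl`, and the name filter narrows that to the mailer; in practice the baseline has to be taken on a known-clean system and stored where the intruder cannot rewrite it, otherwise the comparison proves nothing.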

sprintserve
08-20-2003, 11:57 PM
It's a known issue if you are running Portsentry. Are you? If you are running cpanel, you are running Portsentry.

dan_erat
08-21-2003, 02:14 AM
sprintserve, what's a known issue? The copy of portsentry that cPanel installed here is only listening on TCP ports 1 and 111.

fireform90
08-21-2003, 04:37 AM
Originally posted by dan_erat
sprintserve, what's a known issue? The copy of portsentry that cPanel installed here is only listening on TCP ports 1 and 111.

What build?

net-trend
08-21-2003, 05:45 AM
Originally posted by sprintserve
It's a known issue if you are running Portsentry. Are you? If you are running cpanel, you are running Portsentry.

That is correct.

dan_erat
08-21-2003, 09:45 AM
fireform90, the latest stable version (7.4.2-STABLE_82).