neonlexx
08-03-2002, 01:12 AM
Checking `bindshell'... INFECTED (PORTS: 465)
Did a chkrootkit on a new server that I have and got that.
Is 465 used by cpanel at all?
I noticed no rogue accounts in /etc/passwd
Acroplex
08-03-2002, 02:46 AM
So much for linux being virus free...
davidb
08-03-2002, 03:04 AM
Sorry I can't give you a direct answer, but right now, assuming the server is in use, I would A. close services and see if it goes away. B. search Google for possible common programs that use the port, or if it's only used by a virus. That's the best advice I can give you. And if you want a secure box, use FreeBSD :)
neonlexx
08-03-2002, 05:05 AM
Well, I've read that portsentry can be the cause, which I have on my system but I don't see running via top, as I haven't really configured it yet.
I connected to the port and don't see anything; anyone know if Cpanel uses this for something?
I don't see anyone connecting to the port, haven't seen that for the past 2 days or so.
Lagniappe-labgeek
08-03-2002, 10:20 AM
If it's running on 465 that's a low port - under 1024 - which are restricted to root. I'd say the system is "owned" - yank it and rebuild.
http://www.iss.net/security_center/static/5179.php
backdoor-uucico-bindshell (5179) High Risk
Bind shell backdoor listens on TCP 33270
Description:
A backdoor program that is associated with the Trinity distributed denial of service (DDoS) tool listens on TCP port 33270 (by default), awaiting an attacker's connection. Once connected, the attacker can issue a preconfigured password to open a shell running with root uid privileges. This backdoor has been observed running on many hosts infected with the Trinity DDoS agent.
Platforms Affected:
Linux: All Versions
Remedy:
If this backdoor is found on a system, the computer should be considered completely compromised, and it should be removed from any network or Internet connectivity. The compromised computer may be needed for forensics purposes.
Because the computer may also be infected with the Trinity DDoS agent, it is necessary to completely re-install the operating system.
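A defender-side triage step for the two questions this thread raises (which program actually owns the port chkrootkit flagged, and whether it is a privileged port that only root could have bound), written here as an added example and not code from any poster: it parses `ss -ltnp` output using a constructed sample, and the `ss` and `/proc` helpers assume a modern Linux host.

```shell
#!/bin/sh
# Constructed sample of `ss -ltnp` output (not from the poster's server); the
# 33270 entry mirrors the uucico bindshell port named in the quoted ISS note.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0      20     0.0.0.0:465         0.0.0.0:*  users:(("exim",pid=1204,fd=5))
LISTEN 0      5      0.0.0.0:33270       0.0.0.0:*  users:(("uucico",pid=9911,fd=0))'

# Read `ss -ltnp` output on stdin; print "PID NAME" for the process bound to
# TCP port $1, or nothing if no LISTEN socket on that port is present.
listener_for_port() {
    awk -v p=":$1" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            if (match($0, /pid=[0-9]+/)) {
                split($0, q, "\"")   # process name sits between the first pair of quotes
                print substr($0, RSTART + 4, RLENGTH - 4), q[2]
            } else {
                print "unknown -"    # no -p detail: ss must run as root to show it
            }
        }'
}

# Ports below 1024 can only be bound by root (or CAP_NET_BIND_SERVICE), so a
# stranger listening there was running with root privilege at bind time.
port_is_privileged() { [ "$1" -lt 1024 ]; }

# On the live host: resolve the owning executable. A path ending in " (deleted)"
# means the binary was removed from disk after start, which a packaged daemon
# does not do; compare the path against the package database next.
exe_of_pid() { readlink "/proc/$1/exe"; }

# One human-readable triage line for port $1, reading ss output from stdin.
triage_port() {
    hit=$(listener_for_port "$1")
    if [ -z "$hit" ]; then
        echo "port $1: no LISTEN socket right now (recheck later; a bindshell need not be up continuously)"
        return
    fi
    set -- "$1" $hit
    if port_is_privileged "$1"; then priv="privileged"; else priv="unprivileged"; fi
    echo "port $1: pid $2 ($3) on a $priv port; check: readlink /proc/$2/exe"
}

printf '%s\n' "$SAMPLE_SS" | triage_port 465
printf '%s\n' "$SAMPLE_SS" | triage_port 33270
```

On the real server replace the sample with `ss -ltnp | triage_port 465`; a name like exim or a cPanel-packaged mailer whose `/proc/PID/exe` belongs to an installed package points to a legitimate service, while an unpackaged or deleted binary supports the rebuild advice above.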