  1. #1
    Join Date
    Mar 2002
    Posts
    782

    weird security check output

    Checking `bindshell'... INFECTED (PORTS: 465)

    Did a chkrootkit on a new server that I have and got that.

    Is 465 used by cPanel at all?

    I noticed no rogue accounts in /etc/passwd

  2. #2
    Join Date
    Mar 2002
    Location
    Orlando, FL
    Posts
    12,200
    So much for linux being virus free...

  3. #3
    Join Date
    Jun 2001
    Location
    Chicago, IL
    Posts
    1,953
    Sorry I can't give you a direct answer, but right now, assuming the server is in use, I would: A. close services and see if it goes away; B. search Google for common programs that use the port, or whether it's only used by viruses. That's the best advice I can give you. And if you want a secure box, use FreeBSD.

  4. #4
    Join Date
    Mar 2002
    Posts
    782
    Well, I've read that portsentry can be the cause, which I have on my system, but I don't see it running via top, as I haven't really configured it yet.

    I connected to the port and don't see anything. Anyone know if cPanel uses this for something?

    I don't see anyone connecting to the port; haven't seen that for the past 2 days or so.
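    Connecting to the port and seeing a silent socket does not settle it either way (a bindshell often waits for a password before sending anything). What does settle it is finding the process that owns the listener and checking whether that binary is the one the packaging system installed. The script below is an added example written for this thread; it is not chkrootkit's own code and not part of any post. It parses constructed `ss -ltnp` / `netstat -lntp` output, keeps only listeners on a bindshell-style port list, and reports whether the owning process is one that is expected on that port. The port list and the expected-owner table are assumptions for illustration (465 is SMTPS, which a cPanel box serves from exim; 33270 is the Trinity uucico backdoor port quoted later in the thread), not the tool's actual list.

```python
"""Triage a chkrootkit-style 'bindshell' hit by pairing each flagged
listener with the process that owns it (added example, not from the thread)."""
import re

# Assumed, representative subset of ports a bindshell test matches on.
BINDSHELL_PORTS = {465, 1524, 31337, 33270}

# Assumed mapping of flagged ports to process names that legitimately
# listen there. 465 is SMTPS (exim on cPanel, smtpd/master on postfix).
EXPECTED_OWNERS = {
    465: {"exim", "sendmail", "smtpd", "master"},
}

# `ss -ltnp`:      LISTEN 0 20 0.0.0.0:465 0.0.0.0:* users:(("exim",pid=1234,fd=5))
SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)
# `netstat -lntp`: tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1234/exim   (or "-" if not root)
NETSTAT_RE = re.compile(
    r'^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN'
    r'(?:\s+(?P<pid>\d+)/(?P<proc>\S+))?'
)


def parse_listeners(text):
    """Yield (port, proc, pid) for every TCP listener in ss or netstat output.
    proc/pid are None when the tool could not see the owner (not root)."""
    for line in text.splitlines():
        m = SS_RE.match(line) or NETSTAT_RE.match(line)
        if not m:
            continue
        pid = int(m.group("pid")) if m.group("pid") else None
        yield int(m.group("port")), m.group("proc"), pid


def triage(text):
    """Return {port: (status, proc, pid)} for listeners on bindshell-list ports.
    status: 'expected'   owner is a known service for that port (still verify it)
            'unexpected' owner is not a known service, treat as compromise
            'unknown'    no owner info, rerun as root with -p"""
    verdicts = {}
    for port, proc, pid in parse_listeners(text):
        if port not in BINDSHELL_PORTS:
            continue
        if proc is None:
            status = "unknown"
        elif proc in EXPECTED_OWNERS.get(port, set()):
            status = "expected"
        else:
            status = "unexpected"
        verdicts[port] = (status, proc, pid)
    return verdicts


# Constructed sample output (not captured from a real host).
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      20     0.0.0.0:465         0.0.0.0:*         users:(("exim",pid=1234,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      5      0.0.0.0:33270       0.0.0.0:*         users:(("uucico",pid=4242,fd=3))
"""

NETSTAT_SAMPLE = """Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:31337         0.0.0.0:*               LISTEN      2222/./x
"""

if __name__ == "__main__":
    for name, sample in (("ss", SS_SAMPLE), ("netstat", NETSTAT_SAMPLE)):
        for port, (status, proc, pid) in sorted(triage(sample).items()):
            print(f"{name}: port {port} {status} proc={proc} pid={pid}")
```

An "expected" verdict is only the first half of the check: follow it with `ls -l /proc/<pid>/exe` to see which file is actually running, then verify that file against the package database (`rpm -Vf <path>` on RPM systems, `debsums` on Debian), since a replaced exim binary would still show up under the expected name. An "unknown" verdict means the listing was taken without root, so the owner column is empty; rerun it as root before drawing any conclusion.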

  5. #5
    Join Date
    Jul 2002
    Location
    The Big Easy -New Orleans
    Posts
    341
    If it's running on 465, that's a low port (under 1024), which is restricted to root. I'd say the system is "owned" - yank it and rebuild.

    http://www.iss.net/security_center/static/5179.php

    backdoor-uucico-bindshell (5179) High Risk

    Bind shell backdoor listens on TCP 33270

    Description:
    A backdoor program that is associated with the Trinity distributed denial of service (DDoS) tool listens on TCP port 33270 (by default), awaiting an attacker's connection. Once connected, the attacker can issue a preconfigured password to open a shell running with root uid privileges. This backdoor has been observed running on many hosts infected with the Trinity DDoS agent.

    Platforms Affected:
    Linux: All Versions

    Remedy:
    If this backdoor is found on a system, the computer should be considered completely compromised, and it should be removed from any network or Internet connectivity. The compromised computer may be needed for forensics purposes.

    Because the computer may also be infected with the Trinity DDoS agent, it is necessary to completely re-install the operating system.
