Just installed chkrootkit on our (relatively) new Debian Squeeze server and run it. Wasn’t expecting anything sind rkhunter reported everything was fine. But it did indeed report something:
# chkrootkit
…
Checking `bindshell’… INFECTED (PORTS: 465)
…
So checking what’s running on port 465:
# netstat -pan | grep “:465 ”
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 8325/master
tcp6 0 0 :::465 :::* LISTEN 8325/master
Since I wasn’t too sure what this master was:
# ps -F -p 8325
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 8325 1 0 9292 2404 6 Apr14 ? 00:00:17 /usr/lib/postfix/master
There it is, it’s nothing to worry about, just postfix…
So if a mailserver is running tls on port 465, chkrootkit wrongfully identifies bindshell.
If you stop postfix and rerun chkrootkit, nothing is reported:
# service postfix stop
Stopping Postfix Mail Transport Agent: postfix.
# chkrootkit | grep INFECTED
# service postfix start
Starting Postfix Mail Transport Agent: postfix.
Thanks for this, it was very informative.
Great work, keep it up.
thanks again.
Hello Henri,
I have a similar situation but its on Exim so I substituted postfix with exim, but
its still showing/
Checking `bindshell’… INFECTED (PORTS: 465)
the [root@server1 /]#/root/chkrootkit-0.49/chkrootkit
ROOTDIR is `/’
Checking `amd’… not found
Checking `basename’… not infected
Checking `biff’… not found
Checking `chfn’… not infected
Checking `chsh’… not infected
Checking `cron’… not infected
Checking `crontab’… not infected
Checking `date’… not infected
Checking `du’… not infected
Checking `dirname’… not infected
Checking `echo’… not infected
Checking `egrep’… not infected
Checking `env’… not infected
Checking `find’… not infected
Checking `fingerd’… not found
Checking `gpm’… not infected
Checking `grep’… not infected
Checking `hdparm’… not infected
Checking `su’… not infected
Checking `ifconfig’… not infected
Checking `inetd’… not tested
Checking `inetdconf’… not found
Checking `identd’… not found
Checking `init’… not infected
Checking `killall’… not infected
Checking `ldsopreload’… can’t exec ./strings-static, not tested
Checking `login’… not infected
Checking `ls’… not infected
Checking `lsof’… not infected
Checking `mail’… not found
Checking `mingetty’… not infected
Checking `netstat’… not infected
Checking `named’… not infected
Checking `passwd’… not infected
Checking `pidof’… not infected
Checking `pop2’… not found
Checking `pop3’… not found
Checking `ps’… not infected
Checking `pstree’… not infected
Checking `rpcinfo’… not infected
Checking `rlogind’… not found
Checking `rshd’… not found
Checking `slogin’… not infected
Checking `sendmail’… not infected
Checking `sshd’… not infected
Checking `syslogd’… not infected
Checking `tar’… not infected
Checking `tcpd’… not infected
Checking `tcpdump’… not infected
Checking `top’… not infected
Checking `telnetd’… not found
Checking `timed’… not found
Checking `traceroute’… not infected
Checking `vdir’… not infected
Checking `w’… not infected
Checking `write’… not infected
Checking `aliens’… no suspect files
Searching for sniffer’s logs, it may take a while… nothing found
Searching for HiDrootkit’s default dir… nothing found
Searching for t0rn’s default files and dirs… nothing found
Searching for t0rn’s v8 defaults… nothing found
Searching for Lion Worm default files and dirs… nothing found
Searching for RSHA’s default files and dir… nothing found
Searching for RH-Sharpe’s default files… nothing found
Searching for Ambient’s rootkit (ark) default files and dirs… nothing found
Searching for suspicious files and dirs, it may take a while…
/usr/lib/php/.lock /usr/lib/php/.depdblock /usr/lib/php/.filemap /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.depdb /usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/python2.4/config/.relocation-tag /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac
/usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net
Searching for LPD Worm files and dirs… nothing found
Searching for Ramen Worm files and dirs… nothing found
Searching for Maniac files and dirs… nothing found
Searching for RK17 files and dirs… nothing found
Searching for Ducoci rootkit… nothing found
Searching for Adore Worm… nothing found
Searching for ShitC Worm… nothing found
Searching for Omega Worm… nothing found
Searching for Sadmind/IIS Worm… nothing found
Searching for MonKit… nothing found
Searching for Showtee… nothing found
Searching for OpticKit… nothing found
Searching for T.R.K… nothing found
Searching for Mithra… nothing found
Searching for LOC rootkit… nothing found
Searching for Romanian rootkit… nothing found
Searching for HKRK rootkit… nothing found
Searching for Suckit rootkit… nothing found
Searching for Volc rootkit… nothing found
Searching for Gold2 rootkit… nothing found
Searching for TC2 Worm default files and dirs… nothing found
Searching for Anonoying rootkit default files and dirs… nothing found
Searching for ZK rootkit default files and dirs… nothing found
Searching for ShKit rootkit default files and dirs… nothing found
Searching for AjaKit rootkit default files and dirs… nothing found
Searching for zaRwT rootkit default files and dirs… nothing found
Searching for Madalin rootkit default files… nothing found
Searching for Fu rootkit default files… nothing found
Searching for ESRK rootkit default files… nothing found
Searching for rootedoor… nothing found
Searching for ENYELKM rootkit default files… nothing found
Searching for common ssh-scanners default files… nothing found
Searching for suspect PHP files… nothing found
Searching for anomalies in shell history files… nothing found
Checking `asp’… not infected
Checking `bindshell’… INFECTED (PORTS: 465)
Checking `lkm’… not tested: can’t exec
Checking `rexedcs’… not found
Checking `sniffer’… not tested: can’t exec ./ifpromisc
Checking `w55808’… not infected
Checking `wted’… not tested: can’t exec ./chkwtmp
Checking `scalper’… not infected
Checking `slapper’… not infected
Checking `z2’… not tested: can’t exec ./chklastlog
Checking `chkutmp’… not tested: can’t exec ./chkutmp
Checking `OSX_RSPLUG’… not infected
[root@server1 /]#
When I did:
#netstat -pan | grep “:465 ”
tcp 0 0 0.0.0.0:465 0.0.0.0:* LIST EN 2257/exim
tcp 0 0 :::465 :::* LIST EN 2257/exim
]#ps -F -p 2257
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
mailnull 2257 1 0 14768 1308 0 Feb26 ? 00:00:00 /usr/sbin/exim -bd -q1h
[root@server1 /]#service exim stop
Shutting down exim: [ OK ]
Shutting down spamd: [ OK ]
#/root/chkrootkit-0.49/chkrootkit | grep INFECTED
Checking `bindshell’… INFECTED (PORTS: 465)
Does it mean I have been compromised?
Great blog by the way.
Michael
Hi Michael,
You should repeat the following after stopping exim to check whether exim is really stopped and whether another program took over port 465.
Henri
Thanks
really good information
for me i got this
root@host1 [~]# netstat -pan | grep “:465 ”
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 441449/exim
tcp 0 0 :::465 :::* LISTEN 441449/exim
it’s normal but i also got some problems with CBL
Yes, this happens with both postfix and exim. Actually it probably affects pretty much everyone using chkrootkit and having a mail server running. As long as netstat shows a process you know about and is actually supposed to use port 465, everything is fine.