chkrootkit: false positive, bindshell INFECTED Port 465

Just installed chkrootkit on our (relatively) new Debian Squeeze server and ran it. I wasn't expecting anything, since rkhunter had reported everything was fine, but it did indeed report something:

# chkrootkit
Checking `bindshell'... INFECTED (PORTS: 465)

So checking what’s running on port 465:

# netstat -pan | grep ":465 "
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 8325/master
tcp6 0 0 :::465 :::* LISTEN 8325/master

Since I wasn’t too sure what this master was:

# ps -F -p 8325
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 8325 1 0 9292 2404 6 Apr14 ? 00:00:17 /usr/lib/postfix/master
There it is: nothing to worry about, it's just Postfix.

So if a mail server is running TLS on port 465 (SMTPS), chkrootkit wrongly reports a bindshell. Its bindshell check only looks for a listener on a fixed list of ports that known bindshells have used, and 465 is on that list; it never looks at which process owns the socket, so any legitimate service on one of those ports triggers the same report.

If you stop postfix and rerun chkrootkit, nothing is reported:

# service postfix stop
Stopping Postfix Mail Transport Agent: postfix.
# chkrootkit | grep INFECTED
# service postfix start
Starting Postfix Mail Transport Agent: postfix.
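The manual triage above (chkrootkit hit, then netstat -pan, then ps) as an added shell helper; this is not code from the original post. The netstat lines, the flagged ports and the 465/master, 465/exim and 4000/gsad allowlist are constructed from the outputs shown on this page, and KNOWN_LISTENERS is a hypothetical per-host allowlist you would maintain yourself.

```shell
#!/bin/sh
# Added triage helper, not part of the original post: it automates the manual steps
# above (chkrootkit hit -> netstat -pan -> is that process expected on that port?).

# Ports from chkrootkit's bindshell line; handles both formats seen on this page:
# "INFECTED (PORTS: 465)" and "INFECTED PORTS: ( 4000)".
bindshell_ports() {
    printf '%s\n' "$1" | grep bindshell | grep INFECTED \
        | sed -n 's/.*PORTS:[^0-9]*\([0-9][0-9 ]*\).*/\1/p' | tr ' ' '\n' | grep -v '^$'
}

# "PID/program" owning the TCP listener on port $1, from netstat -pan style output
# in $2 (the PID/program field is not always 7th, e.g. with netstat -e).
port_owner() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) for (i = 7; i <= NF; i++) if ($i ~ /^[0-9]+\//) { print $i; exit }
        }'
}

# Hypothetical allowlist of port/program pairs that may legitimately listen there
# (the cases from this page; adjust per host).
KNOWN_LISTENERS="465/master 465/exim 4000/gsad"
# Prints "PORT PID PROGRAM VERDICT"; returns 1 whenever a human should look.
# On a live host, confirm the PID with ps -F -p PID as the post does.
triage_port() {
    owner=$(port_owner "$1" "$2")
    if [ -z "$owner" ]; then
        echo "$1 - - NO-LISTENER"; return 1     # flagged, but nothing listens now
    fi
    pid=${owner%%/*}; prog=${owner#*/}
    case " $KNOWN_LISTENERS " in
        *" $1/$prog "*) echo "$1 $pid $prog KNOWN-SERVICE"; return 0 ;;
        *)              echo "$1 $pid $prog UNKNOWN"; return 1 ;;
    esac
}
triage() {   # every flagged port; exit status 1 if any needs attention
    rc=0
    for p in $(bindshell_ports "$1"); do triage_port "$p" "$2" || rc=1; done
    return $rc
}
# Constructed sample input (not real hosts): ports 465, 4000 and 1524 flagged.
SAMPLE_CHK="Checking \`bindshell'... INFECTED (PORTS: 465 4000 1524)"
SAMPLE_NETSTAT='tcp   0 0 0.0.0.0:465 0.0.0.0:* LISTEN 8325/master
tcp6  0 0 :::465      :::*      LISTEN 8325/master
tcp6  0 0 :::4000     :::*      LISTEN 0 25362 1554/gsad
tcp   0 0 0.0.0.0:22  0.0.0.0:* LISTEN 1020/sshd'
# Live use: triage "$(chkrootkit)" "$(netstat -pan)"
triage "$SAMPLE_CHK" "$SAMPLE_NETSTAT" || echo "=> at least one port needs a look"
```

A NO-LISTENER verdict (port flagged, nothing listening when you look) is the situation in the first comment below and means re-running both commands back to back, not ignoring the hit.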

6 thoughts on "chkrootkit: false positive, bindshell INFECTED Port 465"

  1. Hello Henri,

    I have a similar situation, but it's on Exim, so I substituted postfix with exim, but
    it's still showing:

    Checking `bindshell’… INFECTED (PORTS: 465)

    the [root@server1 /]#/root/chkrootkit-0.49/chkrootkit
    ROOTDIR is `/’
    Checking `amd’… not found
    Checking `basename’… not infected
    Checking `biff’… not found
    Checking `chfn’… not infected
    Checking `chsh’… not infected
    Checking `cron’… not infected
    Checking `crontab’… not infected
    Checking `date’… not infected
    Checking `du’… not infected
    Checking `dirname’… not infected
    Checking `echo’… not infected
    Checking `egrep’… not infected
    Checking `env’… not infected
    Checking `find’… not infected
    Checking `fingerd’… not found
    Checking `gpm’… not infected
    Checking `grep’… not infected
    Checking `hdparm’… not infected
    Checking `su’… not infected
    Checking `ifconfig’… not infected
    Checking `inetd’… not tested
    Checking `inetdconf’… not found
    Checking `identd’… not found
    Checking `init’… not infected
    Checking `killall’… not infected
    Checking `ldsopreload’… can’t exec ./strings-static, not tested
    Checking `login’… not infected
    Checking `ls’… not infected
    Checking `lsof’… not infected
    Checking `mail’… not found
    Checking `mingetty’… not infected
    Checking `netstat’… not infected
    Checking `named’… not infected
    Checking `passwd’… not infected
    Checking `pidof’… not infected
    Checking `pop2’… not found
    Checking `pop3’… not found
    Checking `ps’… not infected
    Checking `pstree’… not infected
    Checking `rpcinfo’… not infected
    Checking `rlogind’… not found
    Checking `rshd’… not found
    Checking `slogin’… not infected
    Checking `sendmail’… not infected
    Checking `sshd’… not infected
    Checking `syslogd’… not infected
    Checking `tar’… not infected
    Checking `tcpd’… not infected
    Checking `tcpdump’… not infected
    Checking `top’… not infected
    Checking `telnetd’… not found
    Checking `timed’… not found
    Checking `traceroute’… not infected
    Checking `vdir’… not infected
    Checking `w’… not infected
    Checking `write’… not infected
    Checking `aliens’… no suspect files
    Searching for sniffer’s logs, it may take a while… nothing found
    Searching for HiDrootkit’s default dir… nothing found
    Searching for t0rn’s default files and dirs… nothing found
    Searching for t0rn’s v8 defaults… nothing found
    Searching for Lion Worm default files and dirs… nothing found
    Searching for RSHA’s default files and dir… nothing found
    Searching for RH-Sharpe’s default files… nothing found
    Searching for Ambient’s rootkit (ark) default files and dirs… nothing found
    Searching for suspicious files and dirs, it may take a while…
    /usr/lib/php/.lock /usr/lib/php/.depdblock /usr/lib/php/.filemap /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.depdb /usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net /usr/lib/python2.4/config/.relocation-tag /usr/lib/perl5/5.8.8/i386-linux-thread-multi/.packlist /lib/.libcrypto.so.6.hmac /lib/.libcrypto.so.0.9.8e.hmac /lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac
    /usr/lib/php/.channels /usr/lib/php/.channels/.alias /usr/lib/php/.registry /usr/lib/php/.registry/.channel.doc.php.net /usr/lib/php/.registry/.channel.__uri /usr/lib/php/.registry/.channel.pecl.php.net
    Searching for LPD Worm files and dirs… nothing found
    Searching for Ramen Worm files and dirs… nothing found
    Searching for Maniac files and dirs… nothing found
    Searching for RK17 files and dirs… nothing found
    Searching for Ducoci rootkit… nothing found
    Searching for Adore Worm… nothing found
    Searching for ShitC Worm… nothing found
    Searching for Omega Worm… nothing found
    Searching for Sadmind/IIS Worm… nothing found
    Searching for MonKit… nothing found
    Searching for Showtee… nothing found
    Searching for OpticKit… nothing found
    Searching for T.R.K… nothing found
    Searching for Mithra… nothing found
    Searching for LOC rootkit… nothing found
    Searching for Romanian rootkit… nothing found
    Searching for HKRK rootkit… nothing found
    Searching for Suckit rootkit… nothing found
    Searching for Volc rootkit… nothing found
    Searching for Gold2 rootkit… nothing found
    Searching for TC2 Worm default files and dirs… nothing found
    Searching for Anonoying rootkit default files and dirs… nothing found
    Searching for ZK rootkit default files and dirs… nothing found
    Searching for ShKit rootkit default files and dirs… nothing found
    Searching for AjaKit rootkit default files and dirs… nothing found
    Searching for zaRwT rootkit default files and dirs… nothing found
    Searching for Madalin rootkit default files… nothing found
    Searching for Fu rootkit default files… nothing found
    Searching for ESRK rootkit default files… nothing found
    Searching for rootedoor… nothing found
    Searching for ENYELKM rootkit default files… nothing found
    Searching for common ssh-scanners default files… nothing found
    Searching for suspect PHP files… nothing found
    Searching for anomalies in shell history files… nothing found
    Checking `asp’… not infected
    Checking `bindshell’… INFECTED (PORTS: 465)
    Checking `lkm’… not tested: can’t exec
    Checking `rexedcs’… not found
    Checking `sniffer’… not tested: can’t exec ./ifpromisc
    Checking `w55808’… not infected
    Checking `wted’… not tested: can’t exec ./chkwtmp
    Checking `scalper’… not infected
    Checking `slapper’… not infected
    Checking `z2’… not tested: can’t exec ./chklastlog
    Checking `chkutmp’… not tested: can’t exec ./chkutmp
    Checking `OSX_RSPLUG’… not infected
    [root@server1 /]#

    When I did:

    # netstat -pan | grep ":465 "
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 2257/exim
    tcp 0 0 :::465 :::* LISTEN 2257/exim

    ]#ps -F -p 2257
    UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
    mailnull 2257 1 0 14768 1308 0 Feb26 ? 00:00:00 /usr/sbin/exim -bd -q1h
    [root@server1 /]#service exim stop
    Shutting down exim: [ OK ]
    Shutting down spamd: [ OK ]

    #/root/chkrootkit-0.49/chkrootkit | grep INFECTED
    Checking `bindshell’… INFECTED (PORTS: 465)

    Does it mean I have been compromised?

    Great blog by the way.

    Michael

  2. Thanks,
    really good information.
    For me I got this:

    root@host1 [~]# netstat -pan | grep ":465 "
    tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 441449/exim
    tcp6 0 0 :::465 :::* LISTEN 441449/exim

    It's normal, but I also got some problems with CBL.

    1. Yes, this happens with both postfix and exim. Actually, it probably affects pretty much everyone using chkrootkit and having a mail server running. As long as netstat shows a process you know about that is actually supposed to use port 465, everything is fine.

  3. Same issue with Greenbone Security Assistant:

    Checking `bindshell’… INFECTED PORTS: ( 4000)

    netstat -uteplan | grep 4000
    tcp6 0 0 :::4000 :::* LISTEN 0 25362 1554/gsad
    tcp6 0 0 178.170.39.4:4000 78.240.229.114:63453 ESTABLISHED 0 636917 1554/gsad
    tcp6 0 0 178.170.39.4:4000 78.240.229.114:63452 ESTABLISHED 0 636916 1554/gsad
    tcp6 0 0 178.170.39.4:4000 78.240.229.114:63451 ESTABLISHED 0 636915 1554/gsad
    tcp6 0 0 178.170.39.4:4000 78.240.229.114:63454 ESTABLISHED 0 636918 1554/gsad

    ps -F -p 1554
    UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
    root 1554 1 0 208757 14720 1 oct.09 ? 00:00:05 /usr/sbin/gsad
