Rick Stevens
Tue, 05 Jan 2010 14:56:54 -0800
On 01/05/2010 01:19 PM, Bill Davidsen wrote:
> Frank Murphy (Frankly3D) wrote:
>> On 05/01/10 11:06, Andrew Haley wrote:
>>> On 01/05/2010 10:54 AM, Frank Murphy (Frankly3D) wrote:
>>>> ---------------------- Start Rootkit Hunter Scan ----------------------
>>>> Warning: Network TCP port 47107 is being used by /usr/lib64/thunderbird-3.0/thunderbird-bin. Possible rootkit: T0rn
>>>> Use the 'lsof -i' or 'netstat -an' command to check this.
>>>>
>>>> Results of 'lsof -i' and 'netstat -an'
>>>> http://fpaste.org/xOOO/
>>>
>>> Port 47107 isn't being used any more. This was just TCP using a random
>>> unreserved port.
>>>
>>> Andrew.
>>
>> Basically ignore this in future, with that port?
>
> Absolutely not! If you ever get it again check it again. Learn how to do
> that, lsof is not rocket science.

"netstat -lpn" will show you which program is listening on which port (assuming netstat wasn't compromised in a rootkit).

When you install a system, ALWAYS put copies of programs like ps, lsof, netstat, ls, lsattr, chattr, rkhunter (and any other forensic tools you can think of) and their required libraries on a thumbdrive or some other removable media BEFORE you connect the machine to the internet. You then have pristine copies of the tools you may need to find a rootkit. It's saved many an arse in the past. Believe me.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                       ri...@nerd.com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- grasshopotomaus: A creature that can leap to tremendous heights... -
-                            ...once.                                -
----------------------------------------------------------------------
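
The check discussed in this thread (is the flagged port a listener, or just the source port of an outbound connection?) can also be made from the kernel's socket table, without relying on the installed netstat binary. The following is an added example, not code from the thread or from rkhunter. It parses text in `/proc/net/tcp` layout (IPv4 only); the sample rows are constructed, and the ephemeral range is an assumed default, the live value being in `/proc/sys/net/ipv4/ip_local_port_range`.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# row 0 is sshd-style LISTEN on :22, row 1 is an outbound IMAPS connection
# whose local (source) port happens to be 47107.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:B803 1401A8C0:03E1 01 00000000:00000000 00:00000000 00000000   500        0 22222 1 0000000000000000 20 4 30 10 -1
"""

STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # other codes are kept as hex


def decode(hexaddr):
    """'0A01A8C0:B803' -> ('192.168.1.10', 47107); the IPv4 word is little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse(table):
    """Return one dict per socket row; the header line is skipped."""
    rows = []
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        # The inode matches the 'socket:[inode]' links under /proc/<pid>/fd.
        rows.append({"local": decode(f[1]), "remote": decode(f[2]),
                     "state": STATES.get(f[3], f[3]),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def classify(rows, port, ephemeral=(32768, 60999)):
    """Label every socket whose LOCAL port equals `port`."""
    out = []
    for r in rows:
        if r["local"][1] != port:
            continue
        if r["state"] == "LISTEN":
            verdict = "listener"            # something accepts connections here
        elif ephemeral[0] <= port <= ephemeral[1]:
            verdict = "ephemeral-client"    # source port of an outbound connection
        else:
            verdict = "other"
        out.append((verdict, r))
    return out


if __name__ == "__main__":
    for verdict, row in classify(parse(SAMPLE), 47107):
        print(verdict, row["local"], "->", row["remote"], "uid", row["uid"])
```

A "listener" verdict on the flagged port is the case that warrants the lsof follow-up; run the script from the removable media alongside the pristine tools, since a compromised kernel can hide entries from `/proc` as well.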