> -----Original Message-----
> From: [EMAIL PROTECTED]@CPR
> Sent: Wednesday, September 19, 2001 5:35 AM
> To: [EMAIL PROTECTED]
> Subject: [cobalt-security] bindshell INFECTED PORTS 1524 31337
>
>
> can anyone tell me what going on here, i'm kinda worried :(
>
> just ran the chkrootkit and it warns me:#
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I checked through Portsentry/Logcheck reports and came across:
>
> Sep 17 19:32:55 server portsentry[5423]: attackalert: Connect from
host: 62-36-148-15.dialup.uni2.es/62.36.148.15 to UDP port: 31337
> Sep 17 19:32:55 server portsentry[5423]: attackalert: Ignoring UDP
response per configuration file setting.
>
> I'm a bit stumped, how do I figure out if its a false alarm or whether
i have been comprimised (has anyone heard of exploits using those
ports). I guess its been ignored because 31337 is not in my list of
ports to monitor.
>
> Any feedback is much appreciated
>
> Paul Milne
> Digit Limited
>
Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false positive on
the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp,
27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp,
47889/tcp, 60001/tcp).
Curtis Ross
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
