Hi Brian,
> Port 31337 is likely just a false positive from Portsentry
I'm not so sure. When Chkrootkit says "bindshell", then this info is pretty
accurate. Chkrootkit never complains about Portsentry.
This is from the chkrootkit website:
___________________
"I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp)."
__________________
Of course, the only way to know for sure is to shut off PortSentry and then rerun chkrootkit. Simple enough process. I would think this would be a good first test before going hacker hunting.
Good luck. I hope for your sake it turns out to be only Portsentry.
BTW, Michael, thanks for your informative post on LSOF and other hacker detection techniques. I printed that one out, highlighted it and put it in my Server Admin binder. Thanks!
Brian
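Added example (not part of Brian's message or of chkrootkit/PortSentry): a small POSIX shell triage script that takes the bindshell port list quoted from the chkrootkit FAQ above, matches it against `ss -ltnp` style output, and reports which of those ports are actually listening and which process owns each. The `ss` sample embedded here is constructed, not captured from a real host; the function names `triage_bindshell_ports` and `classify_port_owner` are my own. If every flagged port belongs to `portsentry` you are looking at the documented false positive; anything else on one of those ports is what should be checked with `lsof -p <pid>` before stopping PortSentry and rerunning chkrootkit.

```shell
#!/bin/sh
# Ports probed by chkrootkit's bindshell test, as listed in the FAQ quoted above.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed sample in the shape of `ss -ltnp` output (not from a real system).
# Two ports are bound by PortSentry, one by a bare shell, plus an unrelated sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=811,fd=3))
LISTEN 0      128    0.0.0.0:31337       0.0.0.0:*     users:(("portsentry",pid=902,fd=5))
LISTEN 0      128    0.0.0.0:1524        0.0.0.0:*     users:(("portsentry",pid=902,fd=7))
LISTEN 0      5      0.0.0.0:27374       0.0.0.0:*     users:(("sh",pid=1337,fd=4))'

# triage_bindshell_ports <ss-output>
# Prints "<port> <process>" for every chkrootkit bindshell port in LISTEN state.
# The process name is taken from the users:(("name",...)) field; "unknown" if absent.
triage_bindshell_ports() {
    printf '%s\n' "$1" | awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 == "LISTEN" {
            # Local address is field 4; the port is whatever follows the last colon,
            # which also copes with "[::]:31337" and "*:31337".
            m = split($4, a, ":"); port = a[m]
            if (!(port in watch)) next
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/)) {
                # strip the 9-char prefix users:((" and the closing quote
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            print port, proc
        }'
}

# classify_port_owner <process>
# "expected" for PortSentry (the false-positive case from the FAQ), otherwise
# "investigate": an unexplained listener on a bindshell port deserves a closer look.
classify_port_owner() {
    case "$1" in
        portsentry) echo expected ;;
        *)          echo investigate ;;
    esac
}

# Stand-alone run over the constructed sample. On a live host use the real
# listener table instead:  triage_bindshell_ports "$(ss -ltnp)"
triage_bindshell_ports "$SAMPLE_SS" | while read -r port proc; do
    echo "$port $proc $(classify_port_owner "$proc")"
done
```

On the constructed sample the script reports 31337 and 1524 as expected PortSentry bindings and 27374 (owned by `sh`) as the one to investigate; port 22 is ignored because it is not in chkrootkit's list.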
