On Friday 24 March 2006 05:38 am, Paul Kölle wrote:
> 王 鹏辉 wrote:
> > Hello, list,
> >
> > Recently, I found that my email server has sent out mass spam emails by
> > some strange account from [EMAIL PROTECTED] I ran chkrootkit and then found that
> >
> > bindshell INFECTED (PORTS: 465)
>
> Me too. AFAIK it's a false positive. This is stated in a chkrootkit FAQ
> whose URL slipped out of my memory but I found it by Google.
I can verify this as it has been a false positive for me in the past. I would highly recommend, before passing it off as a false positive, checking to see what is listening on this port. I've heard that Exim uses this, and PortSentry does as well.

"netstat -nap --ip" should show it. Also, you may use "lsof | grep TCP".

If you find a suspect file, script, or program (or if you suspect your 'netstat' and 'lsof' binaries contain rootkits), try running:

equery belongs <path to file>

This should tell you to which package it belongs. Then, to verify that it is the same file that was installed, you can try:

equery check <package that was listed above>

Since you are having spam issues, I would recommend looking into whether your mail server is an open relay. Here are a few ways to test this:

http://www.spamhelp.org/shopenrelay/
http://www.abuse.net/relay.html

This one has a list of links pertaining to ways you can test for open relay:

http://www.linux-sec.net/Mail/OpenRelay/

Hope this helps!

Robert Larson
-- 
[email protected] mailing list
