On Mon, 2009-03-09 at 11:19 +0100, Jan Iven wrote:
> trying to trace some spurious false positives (hopefully..), it looks to
> me that rkhunter will also warn for a "bad" port being chosen for
> outgoing connections (which to my understanding is usually done
> automatically by the system, i.e. rather random, so eventually will lead
> to false positives).
> Could somebody from the developers please confirm that this is
> intentional, and explain the reasoning?
>
> I would guess that backdoors would usually be in "LISTEN" state in order
> to be dangerous. Not sure about an already-connected backdoor that
> hasn't called accept() again.. but even here, perhaps a distinction
> could be made based on whether this is outgoing or incoming?
>

Hello,
There is a known bug with the ports test in that it can give false-positives due to a lack of checking whether the connection is in- or out-going. You can do some whitelisting of the ports if you look in the configuration file.

I regularly receive false-positives from this test, and have had to whitelist several port numbers and processes.

John.

-- 
---------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk                  Fax: +44 (0)1752 587001

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
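The false positive discussed in this thread comes from checking a "known bad port" list against every socket's local port, so an outgoing connection whose ephemeral source port happens to match a watched port trips the test. The script below is an added example, not rkhunter's own code, and shows the distinction Jan asks for: it parses /proc/net/tcp-style lines (a constructed sample is embedded), classifies each socket as listening, incoming or outgoing by checking whether an established connection's local port is one the host actually listens on, and only raises a hit for listening sockets and incoming connections. The watched port numbers and the `naive_find` function (which mimics the direction-blind check) are assumptions made for the demonstration.

```python
"""Direction-aware check of a watched-port list against /proc/net/tcp.

Added example for the rkhunter-users thread on ports-test false positives.
The watched ports below are constructed for the demo, not rkhunter's list.
"""
import socket
import struct

# Hypothetical watched ports (constructed for this example).
WATCHED_PORTS = {3000, 47017}

# Hex state codes used by /proc/net/tcp.
STATE_ESTABLISHED = "01"
STATE_LISTEN = "0A"

# Constructed /proc/net/tcp-style sample: header plus four sockets.
#   0: sshd listening on 0.0.0.0:22
#   1: something listening on 127.0.0.1:3000 (watched -> real hit)
#   2: outgoing 10.0.0.10:47017 -> 11.0.0.11:443 (ephemeral port 47017
#      collides with a watched port -> the false positive case)
#   3: incoming 12.0.0.12:49152 -> 10.0.0.10:22
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:B7A9 0B00000B:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1003 1 0000000000000000 20 4 30 10 -1
   3: 0A00000A:0016 0C00000C:C000 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 20 4 30 10 -1
"""


def parse_addr(hexaddr):
    """Turn '0100007F:0016' into ('127.0.0.1', 22); IPv4 is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_table(text):
    """Parse /proc/net/tcp text into dicts with local, remote and state."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 4:
            continue
        sockets.append({
            "local": parse_addr(fields[1]),
            "remote": parse_addr(fields[2]),
            "state": fields[3],
        })
    return sockets


def classify(sockets):
    """Label each socket 'listen', 'incoming' or 'outgoing'.

    An established connection whose local port is one the host listens on
    was accepted from a peer (incoming); otherwise the kernel picked the
    local port for an outgoing connect().
    """
    listening = {s["local"][1] for s in sockets if s["state"] == STATE_LISTEN}
    for s in sockets:
        if s["state"] == STATE_LISTEN:
            s["direction"] = "listen"
        elif s["local"][1] in listening:
            s["direction"] = "incoming"
        else:
            s["direction"] = "outgoing"
    return sockets


def naive_find(sockets, watched=WATCHED_PORTS):
    """Direction-blind check: any local port on the watched list is a hit."""
    return [s["local"] for s in sockets if s["local"][1] in watched]


def find_suspicious(sockets, watched=WATCHED_PORTS):
    """Direction-aware check: only listening sockets and incoming
    connections on a watched port count; outgoing ephemeral ports do not."""
    hits = []
    for s in classify(sockets):
        if s["direction"] in ("listen", "incoming") and s["local"][1] in watched:
            hits.append((s["direction"], s["local"][0], s["local"][1]))
    return hits


if __name__ == "__main__":
    socks = parse_table(SAMPLE_PROC_NET_TCP)
    print("naive hits:", naive_find(socks))
    print("direction-aware hits:", find_suspicious(socks))
    # To run against the live host: parse_table(open("/proc/net/tcp").read())
```

On the sample, the naive check reports both port 3000 and port 47017, while the direction-aware check reports only the listener on 127.0.0.1:3000. Until the test itself makes this distinction, the per-port and per-process whitelisting John mentions (the PORT_WHITELIST setting in rkhunter.conf) remains the way to silence the outgoing-connection noise.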