Hi, Ok, first time I've seen this...
My last run this morning was clean. I run courier-imap (working on replacing with dovecot) with couriertls, and I just tried adding the --nocolor option and reran my cronjob, and got a Warning about a possible rootkit:

    Warning: Network TCP port 2006 is being used by /usr/sbin/couriertls. Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server

Netstat -tulnap shows a whole bunch of similar connections open, so I think this is normal? Question then is why does it think this one is a rootkit?

Here is a small sample from the netstat output (including the suspect process):

    tcp6       0      0 192.168.1.252:993       192.168.1.110:26015     ESTABLISHED 25736/couriertls
    tcp6       0      0 192.168.1.252:993       192.168.1.21:3111       ESTABLISHED 16518/couriertls
    tcp6       0      0 192.168.1.252:993       192.168.1.59:2006       ESTABLISHED 13916/couriertls
    tcp6       0      0 192.168.1.252:993       192.168.1.68:2094       ESTABLISHED 16610/couriertls
    tcp6       0      0 192.168.1.252:993       166.137.5.180:33976     ESTABLISHED 16278/couriertls

So - is there something special about port 2006?

--
Best regards,
Charles
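A check that answers the question the post raises, added here as an example (it is not rkhunter's code and not from the thread): parse `netstat -tulnap` output and classify whether a flagged port is a service bound locally or only the remote ephemeral port of a client connected to a legitimate local service. The sample lines are constructed after the post's output, with an sshd, couriertcpd and dhclient line added for variety.

```python
from collections import defaultdict

# Constructed sample of `netstat -tulnap` output modelled on the post's lines; not a real capture.
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::993                  :::*                    LISTEN      1402/couriertcpd
tcp6       0      0 192.168.1.252:993       192.168.1.59:2006       ESTABLISHED 13916/couriertls
tcp6       0      0 192.168.1.252:993       192.168.1.110:26015     ESTABLISHED 25736/couriertls
udp        0      0 0.0.0.0:68              0.0.0.0:*                           901/dhclient
"""

def _split_endpoint(endpoint):
    """'192.168.1.59:2006' -> ('192.168.1.59', 2006); ':::*' -> ('::', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Return one dict per socket line: proto, local/remote host and port, state, PID/program."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        lhost, lport = _split_endpoint(parts[3])
        rhost, rport = _split_endpoint(parts[4])
        # tcp lines carry a state column; udp lines do not, so the program is one field earlier
        state, prog = (parts[5], parts[6]) if len(parts) >= 7 else ("", parts[5])
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "program": prog})
    return rows

def classify_port(rows, port):
    """How `port` is used on this host: 'listening' (a service is bound to it),
    'local_endpoint' (bound locally but not in LISTEN), 'remote_only' (only ever the
    peer's port of a connection to a local service), or 'absent'."""
    local = [r for r in rows if r["lport"] == port]
    remote = [r for r in rows if r["rport"] == port]
    if any(r["state"] == "LISTEN" for r in local):
        return "listening"
    if local:
        return "local_endpoint"
    if remote:
        return "remote_only"
    return "absent"

def local_services_for(rows, port):
    """Map local port -> set of programs that peers using `port` are connected to."""
    services = defaultdict(set)
    for r in rows:
        if r["rport"] == port:
            services[r["lport"]].add(r["program"].split("/", 1)[1])
    return dict(services)
```

A result of `remote_only` means nothing on the host is bound to the port; the number only belongs to a client's ephemeral source port, which is the situation the post's netstat sample shows for 2006.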