On Fri, 04 Dec 2009 18:57:43 +0100 Tanstaafl <tanstaafl+rkhun...@libertytrek.org> wrote:
>Warning: Network TCP port 2006 is being used by /usr/sbin/couriertls.
>Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server
>
>Netstat -tulnap shows a whole bunch of similar connections open, so I
>think this is normal? Question then is why does it think this one is a
>rootkit?
>
>Here is a small sample from the netstat output (including the
>suspect process):

>tcp6       0      0 192.168.1.252:993       192.168.1.59:2006       ESTABLISHED 13916/couriertls

>So - is there something special about port 2006?


If you have verified the machine is clean, meaning no process or file
traces of CB or w00tkit have been found, then this is a false positive
and you could whitelist the port using the PORT_WHITELIST configuration
option.


Regards,
unSpawn
---
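When checking a port warning like the one in this thread, it helps to see which side of each socket carries the flagged port and which process owns it. The following is an added example, not part of the original messages and not rkhunter code: a small Python helper that reads `netstat -tulnap` output (column 4 is the local address, column 5 the foreign address). The sample lines are constructed; only the couriertls line follows the one quoted above, and `example-daemon` is a hypothetical name.

```python
# Constructed sample in `netstat -tulnap` layout (not captured from a real host).
SAMPLE = """\
tcp        0      0 0.0.0.0:993        0.0.0.0:*          LISTEN      2101/couriertcpd
tcp6       0      0 192.168.1.252:993  192.168.1.59:2006  ESTABLISHED 13916/couriertls
tcp        0      0 0.0.0.0:2006       0.0.0.0:*          LISTEN      4242/example-daemon
udp        0      0 0.0.0.0:68         0.0.0.0:*                      901/dhclient
"""


def classify(netstat_text, port):
    """Return (side, state, local, foreign, owner) for every socket using `port`.

    side is "local" when this host holds the port, "remote" when the port
    belongs to the peer (for example a client's ephemeral source port).
    """
    want = str(port)
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        local, foreign = f[3], f[4]
        # UDP rows have no State column, so field 5 may already be PID/Program.
        has_state = "/" not in f[5] and f[5] != "-"
        state = f[5] if has_state else ""
        owner = " ".join(f[6:] if has_state else f[5:]) or "-"
        # rsplit keeps IPv6 forms such as ":::993" working.
        if local.rsplit(":", 1)[-1] == want:
            side = "local"
        elif foreign.rsplit(":", 1)[-1] == want:
            side = "remote"
        else:
            continue
        hits.append((side, state, local, foreign, owner))
    return hits


if __name__ == "__main__":
    for side, state, local, foreign, owner in classify(SAMPLE, 2006):
        print(f"{side:6} {state or '-':12} {local:22} {foreign:22} {owner}")
```

A "local" hit in LISTEN state means a process on this host is bound to the port and its binary deserves inspection; a "remote" hit only shows a peer's source port on a connection to a local service.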


_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users