On Fri, 04 Dec 2009 18:57:43 +0100 Tanstaafl <tanstaafl+rkhun...@libertytrek.org> wrote:

> Warning: Network TCP port 2006 is being used by /usr/sbin/couriertls.
> Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server
>
> Netstat -tulnap shows a whole bunch of similar connections open, so I
> think this is normal? Question then is why does it think this one is a
> rootkit?
>
> Here is a small sample from the netstat output (including the
> suspect process):
>
> tcp6 0 0 192.168.1.252:993 192.168.1.59:2006 ESTABLISHED 13916/couriertls
>
> So - is there something special about port 2006?

If you have verified the machine is clean, meaning no process or file traces of CB or w00tkit have been found, then this is a false positive and you could whitelist the port using the PORT_WHITELIST configuration option.

Regards,
unSpawn

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
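The verification step the reply asks for can be partly scripted. The following is an added example, not code from the thread or from rkhunter: it parses `netstat -tulnap` rows and reports whether a known-rootkit port (only TCP 2006 from the thread is in its table) sits on the local side, where a real service is bound, or only on the remote side, where it is just the peer's ephemeral port, as in the quoted row. The sample rows are constructed; the first mirrors the one quoted above.

```python
import re

# Port/protocol pairs rkhunter's port check treats as known-rootkit ports.
# Only the pair from the thread is listed (constructed table, not rkhunter's).
ROOTKIT_PORTS = {("tcp", 2006): "CB Rootkit / w00tkit Rootkit SSH server"}

# One `netstat -tulnap` row: proto recv-q send-q local remote [state] pid/prog
NETSTAT_ROW = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+|-)/(?P<prog>\S+)$"
)

def _port(endpoint):
    """Numeric port of 'host:port', or None for the '*' wildcard."""
    _, _, port = endpoint.rpartition(":")
    return None if port == "*" else int(port)

def classify(row):
    """Say which side of one netstat row carries a known-rootkit port.

    'local'  - bound on this host: investigate the program and its file on disk.
    'remote' - only the peer's (randomly chosen, ephemeral) port matches; the
               local side is an ordinary service, so the hit is a false positive.
    'clean'  - no known-rootkit port on either side.
    """
    m = NETSTAT_ROW.match(row.strip())
    if not m:
        raise ValueError(f"unparsed netstat row: {row!r}")
    proto = "tcp" if m["proto"].startswith("tcp") else "udp"
    local, remote = _port(m["local"]), _port(m["remote"])
    if (proto, local) in ROOTKIT_PORTS:
        verdict = "local"
    elif (proto, remote) in ROOTKIT_PORTS:
        verdict = "remote"
    else:
        verdict = "clean"
    return {"verdict": verdict, "proto": proto, "local": local,
            "remote": remote, "prog": m["prog"]}

# Constructed sample rows; the first mirrors the row quoted in the thread.
SAMPLE = [
    "tcp6  0  0 192.168.1.252:993  192.168.1.59:2006  ESTABLISHED 13916/couriertls",
    "tcp   0  0 0.0.0.0:2006       0.0.0.0:*          LISTEN      4242/unknown",
    "tcp   0  0 0.0.0.0:993        0.0.0.0:*          LISTEN      1201/couriertcpd",
]

if __name__ == "__main__":
    for r in map(classify, SAMPLE):
        print(f"{r['verdict']:6} {r['prog']:12} local={r['local']} remote={r['remote']}")
```

A 'remote' verdict supports whitelisting only after the on-disk check the reply describes; a 'local' verdict means the bound program and its binary need to be examined before anything is whitelisted.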