unsp...@hushmail.com:
> <mar...@malkusch.de> wrote:
>
>> Might it be possible that rkhunter would even alert if somebody
>> would talk to my smbd with the source port 2006?
> 
> I don't remember changes between 1.3.4 and 1.3.6 (current) but in
> the latter, checking /path/to/rkhunter around line 8504, will show
> RKH only looks at connections using the port on the local host.

I still haven't figured out the reason for this warning. There might be a
rootkit that I still haven't discovered.

Might it also be possible that rkh would alert if the smbd process itself acts 
as a client with a connection to another server where the arbitrary local port 
might be the port 2006? This would be a false positive. RKH should only alert 
on connections in the LISTEN state.

Markus
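
Added example (not part of the original message and not rkhunter's own code): the distinction raised above, between a socket in the LISTEN state on port 2006 and a connection that merely has 2006 as its local or remote port, shown on constructed `netstat -tan` style lines. The function names and the sample addresses are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample in the layout of Linux `netstat -tan`; not real output.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:2006         192.0.2.20:445          ESTABLISHED
tcp        0      0 192.0.2.10:445          192.0.2.30:2006         ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# classify_port PORT: reads netstat-style lines on stdin and prints one line
# for every TCP socket that involves PORT:
#   LISTEN  the local port is bound and accepting connections
#   LOCAL   the local port is in use on a non-listening socket
#           (for example an ephemeral source port of an outbound connection)
#   REMOTE  only the peer uses the port (a client connecting from that port)
classify_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            # The port is the last colon-separated field (also works for IPv6).
            n = split($4, l, ":"); lport = l[n]
            n = split($5, r, ":"); rport = r[n]
            if (lport == port && $6 == "LISTEN") print "LISTEN", $4
            else if (lport == port)              print "LOCAL", $4, "->", $5, $6
            else if (rport == port)              print "REMOTE", $5, "->", $4, $6
        }'
}

# listening_on PORT: succeeds only if a socket is in LISTEN state on PORT.
listening_on() {
    classify_port "$1" | grep -q '^LISTEN '
}

# Demo on the constructed sample: port 2006 appears twice, never as LISTEN.
sample_netstat | classify_port 2006
```

On a live host the same functions can be fed with `netstat -tan | classify_port 2006`; a check that matches on the port number alone would report the LOCAL line as well.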

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
