On Mon, 09 May 2011 14:56:46 +0200 Andy Clyde - OMN Hosting <andy.cl...@omnhosting.co.uk> wrote:
>rkhunter started reporting this just over a week ago:
>Warning: Hidden ports found:
>         Port number: 42208
>         Port number: 55731
>
>I downloaded and ran chkrootkit and that showed nothing.

Chkrootkit, which hasn't been updated in a while AFAIK anyway, doesn't look at ports the way Rootkit Hunter does. The do_network_hidden_port_checks() function uses 'tcp-unhide' which tries to bind to all ports accessible in an attempt to find if one is in use.

>We can't see any evidence of any processes running that are using those
>ports. Is this a FP? Any ideas of what else to try/where else to look?

Ephemeral ports are often used by transient processes meaning that if you can't investigate in real time you do not really stand a chance unless you had syscall (bind?), local firewall, network connection table (or parent routing device?) logging enabled.

Best regards, unSpawn
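
A sketch of the bind-based check described in the reply above, added here as an example; it is not part of the original thread and not rkhunter's or unhide's code. It assumes "hidden" means that bind() fails with EADDRINUSE while the port is absent from /proc/net/tcp and /proc/net/tcp6, and it re-checks each hit after a short delay so that a transient ephemeral port is less likely to be reported; all function names are illustrative.

```python
import errno, socket, time

# Constructed sample in /proc/net/tcp format (ports 22 and 8080), not real data.
SAMPLE = """  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0100007F:1F90 00000000:0000 0A
"""

def parse_proc_net_tcp(text):
    """Local ports (all socket states) from /proc/net/tcp or tcp6 text."""
    ports = set()
    for line in text.splitlines()[1:]:            # first row is the header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def read_kernel_tables(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Ports the kernel admits to; a missing file contributes nothing."""
    ports = set()
    for path in paths:
        try:
            with open(path) as f:
                ports |= parse_proc_net_tcp(f.read())
        except OSError:
            pass
    return ports

def port_in_use(port):
    """True when bind() on the wildcard address fails with EADDRINUSE.
    Other errors (e.g. EACCES below 1024 without root) count as not in use."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False

def find_hidden(ports, read_visible=read_kernel_tables, recheck_delay=0.5):
    """Ports that are busy but unlisted, on two checks recheck_delay apart."""
    hidden = []
    for p in ports:
        # Read the table after the probe so a just-opened socket is listed.
        if not port_in_use(p) or p in read_visible():
            continue
        time.sleep(recheck_delay)                 # let transient users finish
        if port_in_use(p) and p not in read_visible():
            hidden.append(p)
    return hidden

if __name__ == "__main__":
    print("busy but unlisted:", find_hidden(range(1024, 65536)))
```
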