On 09/05/11 22:53, unsp...@hushmail.com wrote:
> On Mon, 09 May 2011 14:56:46 +0200 Andy Clyde - OMN Hosting
> <andy.cl...@omnhosting.co.uk>  wrote:
>
>> rkhunter started reporting this just over a week ago:
>> Warning: Hidden ports found:
>>           Port number: 42208
>>           Port number: 55731
>>
>> I downloaded and ran chkrootkit and that showed nothing.
>
> Chkrootkit, which hasn't been updated in a while AFAIK anyway,
> doesn't look at ports the way Rootkit Hunter does. The
> do_network_hidden_port_checks() function uses 'tcp-unhide' which
> tries to bind to all ports accessible in an attempt to find if one
> is in use.
>

Ok, thanks.

>
>> We can't see any evidence of any processes running that are using
>> those ports. Is this a FP? Any ideas of what else to try/where else to
>> look?
>
> Ephemeral ports are often used by transient processes meaning that
> if you can't investigate in real time you do not really stand a
> chance unless you had syscall (bind?), local firewall, network
> connection table (or parent routing device?) logging enabled.
>

We're seeing the same results every time we run rkhunter which suggests 
to me the ports aren't being used by a transient process.
I've tried "netstat -an" and "lsof -i" but neither is showing any 
results for these port numbers.

Any other ideas?

Andy
-- 
OMN hosting is a trading name of oxfordmusic.net Ltd
Registered Office: Unit 13 King's Meadow,
Ferry Hinksey Road, Oxford.OX2 0DP
01865 798796
Company Registration Number: 04265491
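The reply above describes what the rkhunter hidden-port check does: attempt a bind() on every port and treat a refusal as "in use", then compare against what the system will admit to. The script below is an added illustration of that cross-check, written for this thread and not taken from rkhunter, tcp-unhide or chkrootkit. It probes a list of ports with bind(), reads /proc/net/tcp and /proc/net/tcp6 (the same kernel tables netstat and lsof consult) and reports ports the kernel refuses but does not list. The /proc/net/tcp sample in the test is constructed; port numbers 42208 and 55731 are taken from the warning in the thread.

```python
"""Cross-check bind() refusals against the kernel's own socket tables.

Added example for the rkhunter-users thread above; not rkhunter's code.
A port that fails bind() with EADDRINUSE but is absent from both
/proc/net/tcp and /proc/net/tcp6 is reported as a 'hidden' candidate.
"""
import errno
import socket

PROC_FILES = ("/proc/net/tcp", "/proc/net/tcp6")


def parse_proc_net_tcp(text):
    """Return the set of local ports in /proc/net/tcp-style text.

    Each data row is '  sl  local_address rem_address st ...' where
    local_address is hexadecimal 'ADDR:PORT'. The header row is skipped.
    """
    ports = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def visible_ports(files=PROC_FILES):
    """Union of local ports listed in the given /proc tables."""
    seen = set()
    for path in files:
        try:
            with open(path) as fh:
                seen |= parse_proc_net_tcp(fh.read())
        except OSError:
            pass  # e.g. /proc/net/tcp6 absent when IPv6 is disabled
    return seen


def port_in_use(port, family=socket.AF_INET):
    """True if bind() is refused with EADDRINUSE, False if it succeeds.

    Returns None when the port cannot be probed without root (ports below
    1024 raise EACCES/EPERM for an unprivileged user).
    """
    addr = ("0.0.0.0", port) if family == socket.AF_INET else ("::", port)
    with socket.socket(family, socket.SOCK_STREAM) as s:
        try:
            s.bind(addr)
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            if e.errno in (errno.EACCES, errno.EPERM):
                return None
            raise
    return False


def classify(bind_refused, seen):
    """Ports refused by bind() yet missing from the kernel tables, sorted."""
    return sorted(set(bind_refused) - set(seen))


def hidden_ports(ports):
    """Probe each port live and return the hidden candidates."""
    refused = {p for p in ports if port_in_use(p)}
    return classify(refused, visible_ports())


if __name__ == "__main__":
    # Ports from the warning in the thread; run as root while the
    # rkhunter warning is still being reported, not afterwards.
    print("hidden candidates:", hidden_ports([42208, 55731]))
```

Because this reads the same tables netstat reads, a port that is genuinely in use but listed there (including TIME_WAIT entries, which also cause EADDRINUSE) is not reported. Two things are worth checking before calling a result a rootkit: run the probe at the moment the warning fires, since an ephemeral port can be released between rkhunter's run and yours, and include the tcp6 table, because a socket bound to :: also blocks the IPv4 bind.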

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
