(I hope top-posting is acceptable on the list). I, too, am having "issues" with hidden ports, and have been trying to figure out whether I'm at risk or not. So, this is a timely and necessary topic of discussion, IMHO.
I just ran "nc -l [portnumber]" on one of my machines, and got the output "nc: Address already in use". Is it time for an oh, oh moment?

Dimitri

On Tuesday 26 July 2011 8:04:40 pm Yago Jesus wrote:
> Hi Vincent,
>
> As developer of Unhide I will try to help you.
>
> First, to discover if it is a false positive or not, you can
> try to bind to these ports using netcat
>
> nc -l 900
>
> nc -l 895
>
> If you can bind nc to these ports, it could probably be a false
> positive, so in the next mail you can send me (or to the list if
> you wish to make public the information) the output of
>
> ifconfig -a
>
> Thanks !
>
> 2011/7/27 Vincent McIntyre <vincent.mcint...@gmail.com>:
> > Hi
> >
> > running rkhunter 1.3.8 on Linux.
> >
> > I'm seeing warnings from unhide (version 20080519), eg
> >
> > Warning: Hidden ports found:
> > Port number: 45812
> > Port number: 895
> > Port number: 900
> >
> > and wondering what to do about them.
> > Repeated runs of unhide-tcp show that only the last two ports
> > above are persistent.
> >
> > There's not a lot of information to go on in the output above
> > and the unhide manpages are ... terse.
> >
> > tcpdumping while running unhide doesn't show any activity on
> > the ports above. It's not even clear which interface unhide
> > is referring to - lo or eth0. I'm assuming eth0.
> >
> > Any advice would be helpful.
> > Cheers
> > Vince
> >
> > _______________________________________________
> > Rkhunter-users mailing list
> > Rkhunter-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
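The bind test suggested in the thread, combined with a look at the kernel's socket table, as an added example (not part of the thread and not Unhide's code). It assumes Linux and the /proc/net/tcp format; the function names and the sample table are constructed for illustration.

```python
import errno
import socket

# Constructed sample in Linux /proc/net/tcp format (not data from the thread):
# a listener on 0.0.0.0:22 (0x0016) and one on 127.0.0.1:900 (0x0384).
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0384 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
"""

def listed_ports(table_text):
    """Local ports of all TCP sockets in the table, whatever their state."""
    ports = set()
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].endswith(":"):   # data rows start "N:"
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port after ':'
    return ports

def probe_bind(port, host="0.0.0.0"):
    """Try a plain bind to the port, the step `nc -l PORT` fails on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"
            if exc.errno in (errno.EACCES, errno.EPERM):
                return "no-permission"             # e.g. port < 1024 without root
            raise
    return "free"

def classify(port, table_text, probe=probe_bind):
    """Combine the bind probe with the socket table for one reported port."""
    result = probe(port)
    if result == "free":
        return "bindable: probably a false positive"
    if result == "no-permission":
        return "inconclusive: repeat the probe as root"
    if port in listed_ports(table_text):
        return "in use and listed: identify the owning process"
    return "in use but not listed: investigate further"

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:              # live table on a Linux host
        table = fh.read()
    for p in (895, 900):                           # persistent ports from the report
        print(p, classify(p, table))
```

A port held by an IPv6 or dual-stack socket is listed in /proc/net/tcp6 rather than /proc/net/tcp, so pass the contents of both files before relying on a "not listed" result.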