Hi, I regularly get a log message similar to the following on one or other of my webservers:-
<<<<
The following warnings were found on this machine:
[16:15:58] Warning: Network TCP port 47107 is being used by /home/redacted/perl5/perlbrew/perls/perl-5.10.1/bin/perl. Possible rootkit: T0rn
[16:15:58] Checking for backdoor ports [ Warning ]
>>>>

I normally ignore these because the perl bit is correct - I do run perl, and I can always trace it back to an appropriate fcgi backend process.

My question is this - how can perl end up running on a port > 32768 (that's the maximum on my systems) and subsequently be picked up by rkhunter as a possible rootkit?

Any info would be great as I have to justify why we are constantly getting these messages as they go against our understanding of Linux processes.

Cheers,
Gary
------------------------------------------------------------------------------
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users