On Tue, 2015-11-17 at 11:41 +0000, Gary Mason wrote:
> The following warnings were found on this machine:
>
> [16:15:58] Warning: Network TCP port 47107 is being used by
> /home/redacted/perl5/perlbrew/perls/perl-5.10.1/bin/perl. Possible
> rootkit: T0rn
> [16:15:58] Checking for backdoor ports [ Warning ]
>
> My question is this - how can perl end up running on a port > 32768
> (that's the maximum on my systems) and subsequently be picked up by
> rkhunter as a possible rootkit ?
>
The check uses netstat and/or lsof to find the port numbers. So I would
say your system is certainly using high numbered ports. You might want
to check the ephemeral port settings on your server, since they can be
high numbered ports.

John.

--
John Horne
Tel: +44 (0)1752 587287
Plymouth University, UK

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
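
The ephemeral-port check suggested in the reply, as an added example that is not part of the original message and not rkhunter's own code: it compares the port in each rkhunter warning with the host's ephemeral range. The second sample log line, its path and its rootkit label are constructed, and the 32768-60999 fallback is an assumed Linux default.

```shell
#!/bin/sh
# Triage rkhunter "port is being used" warnings against the ephemeral range.

# First line is the warning quoted in the thread; the second is constructed.
SAMPLE_LOG='[16:15:58] Warning: Network TCP port 47107 is being used by /home/redacted/perl5/perlbrew/perls/perl-5.10.1/bin/perl. Possible rootkit: T0rn
[16:15:59] Warning: Network TCP port 2001 is being used by /usr/local/bin/exampled. Possible rootkit: EXAMPLE'

# Print "low high". Two arguments override the lookup, which lets a saved
# log be checked on a different machine than the one that produced it.
ephemeral_range() {
    if [ $# -eq 2 ]; then
        echo "$1 $2"
    elif [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        read -r lo hi < /proc/sys/net/ipv4/ip_local_port_range
        echo "$lo $hi"
    else
        echo "32768 60999"   # assumption: common Linux default
    fi
}

# classify_warnings LOW HIGH   (rkhunter log on stdin)
# Prints one line per warning: <port> <ephemeral|fixed> <binary path>
classify_warnings() {
    awk -v lo="$1" -v hi="$2" '
        /Warning: Network (TCP|UDP) port [0-9]+ is being used by/ {
            for (i = 1; i <= NF; i++) if ($i == "port") port = $(i + 1)
            bin = $0
            sub(/.*is being used by /, "", bin)
            sub(/\. Possible rootkit:.*/, "", bin)
            kind = (port + 0 >= lo + 0 && port + 0 <= hi + 0) ? "ephemeral" : "fixed"
            print port, kind, bin
        }'
}

# Stand-alone run: classify the sample against this host's range.
printf '%s\n' "$SAMPLE_LOG" | classify_warnings $(ephemeral_range "$@")
```

An `ephemeral` result means the kernel may have handed that port to the process for an ordinary connection, so the port number alone is weak evidence; a `fixed` result means the program asked for that port explicitly and the binary deserves a closer look.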