When portsentry is running, it seems to cause false positives for rkhunter.
When portsentry is running, the rkhunter log displays:
> [14:49:53] Checking for TCP port 1524 [ Found ]
> [14:49:53] Warning: Network TCP port 1524 is being used. Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor
> [14:49:54] Checking for TCP port 6667 [ Found ]
> [14:49:54] Warning: Network TCP port 6667 is being used. Possible rootkit: Possible rogue IRC bot
> [14:49:54] Checking for TCP port 31337 [ Found ]
> [14:49:54] Warning: Network TCP port 31337 is being used. Possible rootkit: Historical backdoor port
> Use the 'lsof -i' or 'netstat -an' command to check this.
> [xx:xx:xx] Possible rootkits: 3
When I run netstat -an and grep for each setting it shows:
> tcp4 0 0 *.1524 *.* LISTEN
> tcp4 0 0 *.6667 *.* LISTEN
> tcp4 0 0 *.31337 *.* LISTEN
sockstat -46 only shows portsentry under each of these TCP ports.
I think it's a false positive: when TCP ports are added to and removed from /usr/local/etc/portsentry.conf, rkhunter finds different possible rootkits. I'm not completely sure, but I want to bring the rkhunter and portsentry interaction to attention. Informed opinions appreciated. If it matters, this is on FreeBSD 10.3. Thank you.
_______________________________________________ Rkhunter-users mailing list Rkhunter-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/rkhunter-users
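The check the post describes by hand (netstat, sockstat, then comparing against portsentry.conf) can be scripted so it is repeatable and so the whitelist does not drift when TCP_PORTS changes. The POSIX sh below is an added example, not code from the post, portsentry or rkhunter. It parses a constructed portsentry.conf excerpt and a constructed `sockstat -46` listing (both embedded so it runs offline; on a live FreeBSD host substitute `cat /usr/local/etc/portsentry.conf` and `sockstat -46l`), confirms that each port rkhunter flagged is owned by the portsentry process and is listed in TCP_PORTS, flags anything else for investigation, and emits the matching rkhunter.conf `PORT_WHITELIST` line. The `PORT_WHITELIST="TCP:port ..."` form is the one documented in rkhunter.conf; newer rkhunter releases also accept whitelisting by program path via `PORT_PATH_WHITELIST`, so check the comments in your installed rkhunter.conf before choosing.

```shell
#!/bin/sh
# Cross-check rkhunter "known backdoor port" warnings against portsentry.
# The two SAMPLE_* blobs are constructed test data standing in for
# /usr/local/etc/portsentry.conf and the output of `sockstat -46l`.

SAMPLE_CONF='# portsentry.conf (constructed excerpt)
TCP_PORTS="1,11,15,1524,6667,31337,40421"
UDP_PORTS="1,7,9,69,161,162,513,635"
'

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     portsentry 1234  3  tcp4   *:1524                *:*
root     portsentry 1234  4  tcp4   *:6667                *:*
root     portsentry 1234  5  tcp4   *:31337               *:*
root     sshd       800   3  tcp4   *:22                  *:*
nobody   ircd       900   6  tcp4   *:6697                *:*'

# Print the TCP ports portsentry is configured to bind, one per line.
portsentry_tcp_ports() {
    printf '%s\n' "$1" | sed -n 's/^TCP_PORTS="\([0-9,]*\)".*/\1/p' | tr ',' '\n'
}

# Print the COMMAND owning the TCP listener on port $2 in sockstat output $1,
# or nothing if no process listens there. LOCAL ADDRESS is addr:port; the
# port is always the last colon-separated field, which also covers IPv6.
port_owner() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 && $5 ~ /^tcp/ {
            n = split($6, a, ":")
            if (a[n] == port) { print $2; exit }
        }'
}

# Classify each port rkhunter flagged ($3...): a listener owned by portsentry
# and present in TCP_PORTS is the expected false positive; anything else
# (another process, or nothing listening at all) needs a look before it is
# whitelisted. Returns 1 if any port falls into the second group.
classify_ports() {
    conf="$1"; socks="$2"; shift 2
    rc=0
    for p in "$@"; do
        owner=$(port_owner "$socks" "$p")
        if [ -z "$owner" ]; then
            echo "$p: nothing listening now (transient listener? re-run rkhunter)"
            rc=1
        elif [ "$owner" = portsentry ] && portsentry_tcp_ports "$conf" | grep -qx "$p"; then
            echo "$p: portsentry, configured in TCP_PORTS -> safe to whitelist"
        else
            echo "$p: owned by '$owner' -> investigate before whitelisting"
            rc=1
        fi
    done
    return $rc
}

# Emit a PORT_WHITELIST line covering every TCP port portsentry binds, so the
# rkhunter whitelist is derived from portsentry.conf rather than maintained
# by hand each time TCP_PORTS changes.
whitelist_line() {
    ports=$(portsentry_tcp_ports "$1" | sed 's/^/TCP:/' | tr '\n' ' ')
    printf 'PORT_WHITELIST="%s"\n' "${ports% }"
}

classify_ports "$SAMPLE_CONF" "$SAMPLE_SOCKSTAT" 1524 6667 31337
whitelist_line "$SAMPLE_CONF"
```

Run it against the live system and append the printed `PORT_WHITELIST` line to rkhunter.conf only after every flagged port classifies as portsentry; a port that resolves to another owner, or to no owner at all, is exactly the case the rkhunter warning exists for.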