I was earlier wondering if rkhunter was warning me of a malicious bug or problem with portsentry.
It seems that it bases its possible rootkit backdoors on ports being scanned or listened to, even
if by another security auditing program installed by the user. It not being able to determine the
difference between a scan or listen by a legitimate program and one by malicious code seems like
the simplest explanation. Portsentry is supposed to find if ports are being scanned, or if connections
are being made on network ports defined in its configuration file; then it's supposed to send the
receiving connection to the firewall or block it another way. It's an attack detection tool.
Thank you for your input.
The only way these could be False Positives is if those three ports are
not actually in use. The warnings all say Possible
and your testing confirms that they are in use, so why would you think
they are?
Since you seem to have confirmed that PortSentry does use these ports,
then you should either ignore the warnings or whitelist those ports.
The latter will then partially disable checks for those three actual
rootkits. I don't know anything about PortSentry, but hopefully
that would provide adequate protection against those rootkits.
-Al-
On Fri, Apr 15, 2016 at 02:09 PM, Sid Yy wrote:
> When portsentry is running, it seems to cause false positives for rkhunter.
>
> When portsentry is running, the rkhunter log displays:
>
> > [14:49:53] Checking for TCP port 1524 [ Found ]
> > [14:49:53] Warning: Network TCP port 1524 is being used. Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor
> > [14:49:54] Checking for TCP port 6667 [ Found ]
> > [14:49:54] Warning: Network TCP port 6667 is being used. Possible rootkit: Possible rogue IRC bot
> > [14:49:54] Checking for TCP port 31337 [ Found ]
> > [14:49:54] Warning: Network TCP port 31337 is being used. Possible rootkit: Historical backdoor port
> > Use the 'lsof -i' or 'netstat -an' command to check this.
> > [xx:xx:xx] Possible rootkits: 3
>
> When I run netstat -an and grep for each setting it shows:
> > tcp4 0 0 *.1524 *.* LISTEN
> > tcp4 0 0 *.6667 *.* LISTEN
> > tcp4 0 0 *.31337 *.* LISTEN
>
> sockstat -46 only shows portsentry under each of these TCP ports.
>
> I think it's a false positive: when TCP ports are added and removed from /usr/local/etc/portsentry.conf, rkhunter finds different possible rootkits. I'm not completely sure, but I want to bring the rkhunter and portsentry interaction to attention. Informed opinions appreciated. If it matters, this is on FreeBSD 10.3. Thank you.
-- 
Al Varnell
Mountain View, CA
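Added example, not from the thread and not part of rkhunter or portsentry: a small Python triage script that does what the thread did by hand. It parses the "Network TCP port N is being used" warnings quoted above, parses a `sockstat -46` style listing, maps each flagged port to the process that owns it, and reports which warnings are explained by an expected tool such as portsentry and which still need a look. The rkhunter log and sockstat output below are constructed samples: the three ports come from the thread, while port 2001, port 6668 and the `mystery` process are invented to show the other two outcomes. The `TCP:1524` output format assumes that rkhunter.conf's PORT_WHITELIST takes PROTO:PORT entries; confirm that against the comments in your own rkhunter.conf before pasting anything in.

```python
"""Triage rkhunter port warnings against sockstat output.
Added example; not rkhunter's or portsentry's own code."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "proto port rootkit_hint owner status")

# Constructed sample: the warnings from the thread plus two made-up extra
# entries (ports 2001 and 6668) to exercise the other two outcomes.
RKHUNTER_LOG = """\
[14:49:53] Checking for TCP port 1524 [ Found ]
[14:49:53] Warning: Network TCP port 1524 is being used. Possible rootkit: Possible FreeBSD (FBRK) Rootkit backdoor
[14:49:54] Checking for TCP port 6667 [ Found ]
[14:49:54] Warning: Network TCP port 6667 is being used. Possible rootkit: Possible rogue IRC bot
[14:49:54] Checking for TCP port 31337 [ Found ]
[14:49:54] Warning: Network TCP port 31337 is being used. Possible rootkit: Historical backdoor port
[14:49:55] Warning: Network TCP port 2001 is being used. Possible rootkit: (constructed sample hint)
[14:49:55] Warning: Network TCP port 6668 is being used. Possible rootkit: (constructed sample hint)
"""

# Constructed sample of FreeBSD `sockstat -46` output: portsentry owns the
# three ports from the thread, a made-up 'mystery' process owns 6668, and
# nothing at all is listed for 2001.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     portsentry 812   4  tcp4   *:1524                *:*
root     portsentry 812   5  tcp4   *:6667                *:*
root     portsentry 812   6  tcp4   *:31337               *:*
root     sshd       501   3  tcp4   *:22                  *:*
nobody   mystery    9001  3  tcp4   *:6668                *:*
"""

WARNING_RE = re.compile(
    r"Warning: Network (TCP|UDP) port (\d+) is being used\. Possible rootkit: (.+)$")


def parse_rkhunter_warnings(log):
    """Return {(proto, port): rootkit hint} for every port warning in the log."""
    hits = {}
    for line in log.splitlines():
        m = WARNING_RE.search(line)
        if m:
            hits[(m.group(1), int(m.group(2)))] = m.group(3).strip()
    return hits


def parse_sockstat(output):
    """Return {(proto, port): (command, pid)} for each socket sockstat lists.
    Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS."""
    owners = {}
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 7:
            continue
        command, pid, proto, local = fields[1], int(fields[2]), fields[4], fields[5]
        proto = proto[:3].upper()            # tcp4/tcp6 -> TCP, udp4/udp6 -> UDP
        port = local.rsplit(":", 1)[1]       # '*:1524' or 'fe80::1%lo0:22' -> port
        if port.isdigit():
            owners[(proto, int(port))] = (command, pid)
    return owners


def triage(warnings, owners, expected_commands):
    """Classify each rkhunter port warning by what sockstat says owns the port.
    A port rkhunter saw in use but sockstat does not show is the case that
    deserves the most attention, so it is reported separately."""
    findings = []
    for key, hint in sorted(warnings.items()):
        proto, port = key
        owner = owners.get(key)
        if owner is None:
            status = "not visible to sockstat: investigate"
        elif owner[0] in expected_commands:
            status = "expected listener"
        else:
            status = "unexpected listener: investigate"
        findings.append(Finding(proto, port, hint, owner, status))
    return findings


def whitelist_entries(findings):
    """PROTO:PORT strings for ports owned by an expected tool. This is the
    form I believe rkhunter.conf's PORT_WHITELIST uses (assumption: check
    the comments in your own rkhunter.conf)."""
    return [f"{f.proto}:{f.port}" for f in findings if f.status == "expected listener"]


if __name__ == "__main__":
    results = triage(parse_rkhunter_warnings(RKHUNTER_LOG),
                     parse_sockstat(SOCKSTAT_OUTPUT), {"portsentry"})
    for f in results:
        print(f"{f.proto} {f.port:>5}  {f.status:<35} owner={f.owner}  hint={f.rootkit_hint}")
    print("whitelist candidates:", " ".join(whitelist_entries(results)))
```

On a real FreeBSD host you would feed the warnings section of the rkhunter log and live `sockstat -46` output into the two parsers instead of the constructed strings. As Al points out, whitelisting a port silences rkhunter's check for that port entirely, so the triage is worth re-running whenever the port list in portsentry.conf changes, and the "not visible to sockstat" and "unexpected listener" outcomes are the ones that should never be whitelisted without first finding out what is behind them.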
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users