Hi, I'm having an issue that I'm starting to think is suspicious, and I'm wondering if rkhunter should have picked it up.
This is the setup.

* debian jessie amd64, with backports kernel (4.9). rkhunter 1.4.2-0, rsync 3.1.1-3.
* debsums is happy with the checksums of the rsync & rkhunter package files.
* after boot, rsync daemon starts ok listening on 873/tcp
* something seems to take over the connection so that rsync clients start failing:

    $ rsync localhost::
    rsync: failed to connect to localhost (127.0.0.1): Connection refused (111)
    rsync error: error in socket IO (code 10) at clientserver.c(128) [Receiver=3.1.1]

* I get similar failures connecting to the affected host's rsync service from other machines.
* In netstat -an I see there is a connection to another host on port 2049

    $ netstat -anp|grep 873
    tcp        0      0 1.2.3.4:873        1.2.3.5:2049       ESTABLISHED -

* however I can't find any associated process, using lsof, fuser or ss, nor unhide-tcp. rkhunter --check is clean.

Things I tried

* grubbing around in /proc/net/tcp shows the connection but did not yield any related UIDs other than 0.
* I tried chasing down the inode numbers mentioned in the /proc/net/tcp entry, but the system has multiple filesystems, so I could use some pointers on the use of debugfs.
* If I kill the connection with tcpkill, it comes back after a variable delay; the delay is a few seconds at least.
* After killing the tcp connection I was able to restart rsync and get it to bind to port 873, but it gets taken over again not long after.
* stracing the tcpkill process didn't yield any clues about what is taking over the connection.
* tcpdumping the connection on 1.2.3.4 shows rsync traffic. Early on I was seeing headers and data; now all I seem to see is the server startup and MOTD string. Wireshark flags occasional duplicate ACKs and reused tcp ports.
* tcpdumping the connection on 1.2.3.5 shows much the same.

Does this sound familiar to anyone? Any ideas on what to try next?
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
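The socket-inode cross-check the post asks for pointers on, written here as an added example that is not from the original poster or the rkhunter project: it decodes /proc/net/tcp rows for a given local port and searches every /proc/<pid>/fd for the link `socket:[inode]`, which is the same evidence lsof, ss and unhide-tcp work from. The /proc/net/tcp text is constructed to mirror the post's 1.2.3.4:873 to 1.2.3.5:2049 connection; a Linux /proc layout is assumed.

```shell
#!/bin/sh
# Added example (not from the original post or rkhunter): map a /proc/net/tcp
# entry for a local port back to the process holding its socket inode.
# Linux /proc layout is assumed; SAMPLE_TCP below is constructed to mirror the
# post's 1.2.3.4:873 <-> 1.2.3.5:2049 connection plus the rsync listener.

SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 04030201:0369 05030201:0801 01 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 20 4 30 10 -1'

# /proc/net/tcp stores IPv4 as little-endian hex: 0100007F -> 127.0.0.1
hex_to_ip() {
  h=$1
  o1=${h#??????}; r=${h%??}; o2=${r#????}; r=${r%??}; o3=${r#??}; o4=${h%??????}
  printf '%d.%d.%d.%d' "0x$o1" "0x$o2" "0x$o3" "0x$o4"
}

# "04030201:0369" -> "1.2.3.4:873"
decode_endpoint() {
  ep=$1
  hex_to_ip "${ep%%:*}"
  printf ':%d\n' "0x${ep##*:}"
}

# Print "local remote state inode" for every row whose local port matches.
# Fields: $2 local, $3 remote, $4 state (01=ESTABLISHED, 0A=LISTEN), $10 inode.
inodes_for_local_port() {
  want=$(printf '%04X' "$1")
  awk -v p="$want" 'NR > 1 && $2 ~ (":" p "$") { print $2, $3, $4, $10 }'
}

# Find the PID whose fd table links to socket:[inode]; "none" if nothing does.
owner_of_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    pid=${fd#/proc/}; printf '%s\n' "${pid%%/*}"; return 0
  done
  printf 'none\n'
}

# Tie it together for one port over a given /proc/net/tcp text.
report_port() {
  printf '%s\n' "$2" | inodes_for_local_port "$1" | while read -r loc rem st ino; do
    printf '%s -> %s state=%s inode=%s pid=%s\n' \
      "$(decode_endpoint "$loc")" "$(decode_endpoint "$rem")" "$st" "$ino" "$(owner_of_inode "$ino")"
  done
}

report_port 873 "$SAMPLE_TCP"   # on a live box: report_port 873 "$(cat /proc/net/tcp)"
```

An ESTABLISHED row whose inode appears in no /proc/<pid>/fd is what the post describes; besides a hidden process, that pattern also arises when the socket belongs to a process in another PID or network namespace (containers) or is held by the kernel itself, so compare `lsns` and `ip netns list` output before treating it as a rootkit. Rows in TIME_WAIT or similar states legitimately show inode 0 and no owner.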