Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread Tanstaafl
On 12/4/2009 7:09 PM, unsp...@hushmail.com wrote: Warning: Network TCP port 2006 is being used by /usr/sbin/couriertls. Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server Netstat -tulnap shows a whole bunch of similar connections open, so I think this is normal? Question then is why

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread John Horne
On Sat, 2009-12-05 at 10:22 -0500, Tanstaafl wrote: Again - is there anything special about port 2006 that makes rkhunter single it out? Yes, it is known to be used by the CB and w00tkit rootkits. That's why RKH is warning you about it. You can either whitelist the port itself

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread Tanstaafl
On 12/5/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: Again - is there anything special about port 2006 that makes rkhunter single it out? Yes, it is known to be used by the CB and w00tkit rootkits. That's why RKH is warning you about it. Ah, ok, now that makes sense. Thinking about

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread John Horne
On Sat, 2009-12-05 at 12:10 -0500, Tanstaafl wrote: On 12/5/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: Again - is there anything special about port 2006 that makes rkhunter single it out? Yes, it is known to be used by the CB and w00tkit rootkits. That's why RKH is warning you

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread John Horne
On Sat, 2009-12-05 at 17:45 +, John Horne wrote: PORT_WHITELIST=couriertls TCP:2006 gpg:7701 Whoops! That is not valid, but was something I was thinking about. It is not possible to whitelist an application using a specific port.

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread Tanstaafl
On 12/5/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: You can either whitelist the port itself (PORT_WHITELIST=TCP:2006), or whitelist a particular application to use known bad ports (PORT_WHITELIST=couriertls). Ok, after a really bizarre ritual called 'reading the comments', I

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-05 Thread John Horne
On Sat, 2009-12-05 at 13:03 -0500, Tanstaafl wrote: On 12/5/2009, John Horne (john.ho...@plymouth.ac.uk) wrote: You can either whitelist the port itself (PORT_WHITELIST=TCP:2006), or whitelist a particular application to use known bad ports (PORT_WHITELIST=couriertls). Ok, after a really

Re: [Rkhunter-users] Weird timing - possible rootkit?

2009-12-04 Thread unspawn
On Fri, 04 Dec 2009 18:57:43 +0100 Tanstaafl tanstaafl+rkhun...@libertytrek.org wrote: Warning: Network TCP port 2006 is being used by /usr/sbin/couriertls. Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server Netstat -tulnap shows a whole bunch of similar connections open, so I think