Rootkit Log
BioALIEN (Public Relations Officer, Dev Team; Posts: 620, Joined: Feb 2007, Reputation: 5), Post #1
Rootkit Log
I installed ispcp latest build 4 days ago and was checking my rootkit log and I found this. Can anybody give me clues on whether this is a major risk?

I followed only the standard install, so it's strange how I was infected so quickly?

Quote:
[00:03:08] WARNING, found: /dev/.static (directory) /dev/.udev (directory) /dev/.initramfs (directory)
---
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed

Can anybody give their opinion on this?
(This post was last modified: 01-04-2008 03:38 PM by BioALIEN.)
01-04-2008 03:35 PM
BeNe (Moderator; Posts: 5,899, Joined: Jan 2007, Reputation: 68), Post #2
RE: Rootkit Log
We discuss this in the German Corner.
This is no problem or warning. SMTPS for Postfix is running on port 465 and it is OK. No one has a problem with it - it is just the rootkit log.

Greez BeNe
01-04-2008 04:39 PM
BioALIEN (Public Relations Officer, Dev Team; Posts: 620, Joined: Feb 2007, Reputation: 5), Post #3
RE: Rootkit Log
Hmm, so it's a false alarm? That's a major relief to know. Thanks for the response, BeNe!
01-04-2008 05:20 PM
BeNe (Moderator; Posts: 5,899, Joined: Jan 2007, Reputation: 68), Post #4
RE: Rootkit Log
Yeah, if you want, so it is a false alarm!
If you do not use SMTPS, disable it in Postfix and this wrong warning/error is gone. That's all.

Greez BeNe
01-04-2008 06:16 PM
raphael (Member; Posts: 474, Joined: Apr 2007, Reputation: 8), Post #5
RE: Rootkit Log
Why isn't it 587? That's odd.
01-05-2008 04:02 AM
BeNe (Moderator; Posts: 5,899, Joined: Jan 2007, Reputation: 68), Post #6
RE: Rootkit Log
Port 587 is not secure / normal SMTP and 465 is SMTPS, or not?

Greez BeNe
01-05-2008 04:47 AM
joximu (helper, Moderators; Posts: 7,024, Joined: Jan 2007, Reputation: 92), Post #7
RE: Rootkit Log
SMTPS is 465; the so-called "submit service" is on port 587, and this is more and more used by providers to provide "smtp with auth" for customers.
(Yeah, I know: smtp with auth is also possible on port 25 - I think the advantage could be: port 587 is *only* for your own customers -> always and only with smtp auth, and port 25 (and 465???) is *only* for other mail servers -> no smtp auth but with all sorts of spam/virus checks... (blacklists).)

/Joximu
01-05-2008 06:48 AM
raphael (Member; Posts: 474, Joined: Apr 2007, Reputation: 8), Post #8
RE: Rootkit Log
Usually SMTP+TLS is on 587, not 465; port 25 is SMTP. AUTH is usually allowed on both ports, with no discrimination on either one.
01-07-2008 03:50 AM
joximu (helper, Moderators; Posts: 7,024, Joined: Jan 2007, Reputation: 92), Post #9
RE: Rootkit Log
OK, thanks Raphael.
So, port 465 is *only* used if you want to use SMTP with *SSL* (SMTPS).
And this is not (yet) very common (well, I use it on one server :-)).

/J
01-07-2008 04:28 AM
fulltilt (Member; Posts: 1,225, Joined: Apr 2007, Reputation: 5), Post #10
RE: Rootkit Log
I found this also today on a Strato server:
Code:
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhcpcd-bin[1709])
(This post was last modified: 02-04-2008 11:05 PM by fulltilt.)
02-04-2008 11:04 PM
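A triage script of the kind the bindshell and sniffer posts above call for, added here as an example and not code from this thread or from ispCP: it parses chkrootkit's `bindshell` and `PACKET SNIFFER` lines (constructed samples modelled on the ones quoted above) and checks each flagged port against an `ss -ltnp` listing (also a constructed sample, with an assumed iproute2 column layout), so that Postfix on 465 and a DHCP client's packet socket read as expected while an unknown listener is marked for investigation. The expected-owner table and the list of benign DHCP clients are assumptions for this example.

```python
import re

# Constructed sample, modelled on the chkrootkit lines quoted in this thread
CHKROOTKIT_OUTPUT = """\
Checking `bindshell'... INFECTED (PORTS:  465, 31337)
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
eth0: PACKET SNIFFER(/sbin/dhcpcd-bin[1709])
"""
# Constructed sample of `ss -ltnp` output (assumed iproute2 column layout)
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*         users:(("master",pid=1234,fd=12))
LISTEN 0      100    0.0.0.0:465        0.0.0.0:*         users:(("master",pid=1234,fd=13))
LISTEN 0      128    0.0.0.0:31337      0.0.0.0:*         users:(("sh",pid=4242,fd=3))
"""
# Assumption: Postfix "master" owns smtp/25, smtps/465 and submission/587 here.
EXPECTED_OWNERS = {25: {"master"}, 465: {"master"}, 587: {"master"}}
# DHCP clients open packet sockets legitimately; chkrootkit reports them as sniffers.
BENIGN_SNIFFERS = {"dhcpcd", "dhcpcd-bin", "dhclient"}

def parse_bindshell_ports(chk_output):
    # Ports listed in "Checking `bindshell'... INFECTED (PORTS: ...)"
    m = re.search(r"bindshell'\.\.\. INFECTED \(PORTS:\s*([\d,\s]+)\)", chk_output)
    return [int(p) for p in m.group(1).split(",")] if m else []

def parse_sniffers(chk_output):
    # (interface, program path, pid) for each "PACKET SNIFFER(...)" line
    return re.findall(r"(\S+): PACKET SNIFFER\(([^\[]+)\[(\d+)\]\)", chk_output)

def parse_listeners(ss_output):
    # Listening port -> set of process names, from the users:(("name",pid=..)) column
    owners = {}
    for line in ss_output.splitlines():
        m = re.search(r':(\d+)\s+\S+\s+users:\(\("([^"]+)"', line)
        if m:
            owners.setdefault(int(m.group(1)), set()).add(m.group(2))
    return owners

def triage(chk_output, ss_output):
    # Label each chkrootkit finding "expected" (known owner) or "investigate"
    listeners = parse_listeners(ss_output)
    result = {"ports": [], "sniffers": []}
    for port in parse_bindshell_ports(chk_output):
        who = listeners.get(port, set())
        ok = bool(who) and who <= EXPECTED_OWNERS.get(port, set())
        result["ports"].append((port, sorted(who), "expected" if ok else "investigate"))
    for iface, path, pid in parse_sniffers(chk_output):
        prog = path.rsplit("/", 1)[-1]
        verdict = "expected" if prog in BENIGN_SNIFFERS else "investigate"
        result["sniffers"].append((iface, prog, int(pid), verdict))
    return result
```

On a live host, replace the two constructed samples with the real `chkrootkit` output and `ss -ltnp` listing; a port flagged "investigate" is one whose owning process is absent or not in the expected-owner table.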