chkrootkit false positive for bindshell ?
Gary
2005-12-14 16:55:05 UTC
Hello,

I'm using mandriva 2006.

Checking the log of chkrootkit-0.45-2mdk (of yesterday evening) I noticed :

Checking `bindshell'... INFECTED (PORTS: 1008)

I don't know how it could be installed except by a program I installed
yesterday (chkrootkit of the day before yesterday is clean of bindshell
infection). I update my system every day. I use firestarter, which allows
sshd for only a specific IP (my brother's one). All the other ports are
dropped.

This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
(as yesterday) doesn't tell me anything. I removed and re-installed
chkrootkit and still no infection.

Was it a false positive? How to check? Would it be enough to restore
my 11-day-old partimage ghost (/home is on another partition)?

Thanks for help.

Gary
EricT
2005-12-14 22:04:01 UTC
Post by Gary
Checking `bindshell'... INFECTED (PORTS: 1008)
I don't know how it could be installed except by a program I installed
yesterday (chkrootkit of the day before yesterday is clean of bindshell
infection). I update my system every day. I use firestarter, which allows
sshd for only a specific IP (my brother's one). All the other ports are
dropped.
This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
(as yesterday) doesn't tell me anything. I removed and re-installed
chkrootkit and still no infection.
In my opinion you should take the system off the net.

I do not think chkrootkit will report an incident if there is none.
Consider that the intruder has done his work perfectly and therefore
chkrootkit is not reporting anymore.

If you have another system connected to it, try a portscan `nmap -P0
-Ss` or even better a complete nessus scan and compare the output with
the one of `netstat -tupan` of the affected one. It will point out open
ports of the system, in two different views (manipulated by the rootkit
and open ports seen from outside).

Maybe the other system has been infected as well, so you will need a
clean system or a live CD with these tools installed to perform the checks.

If you cannot find any differences, it's still possible that there's no
server running but a process which will connect to a specific ip right
after your external connection is established. There are several ways to
monitor this traffic, but it will need another system or switch between
the affected system and the external router/modem.
Post by Gary
Was it a false positive? How to check? Would it be enough to restore
my 11-day-old partimage ghost (/home is on another partition)?
I am not sure, but assuming the intruder can manipulate everything on
the system, it probably wouldn't help. However, I do not know what a
ghost image is like.

greetz,
Eric
Moe Trin
2005-12-15 19:55:08 UTC
On Wed, 14 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
Post by EricT
Post by Gary
Checking `bindshell'... INFECTED (PORTS: 1008)
This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
(as yesterday) doesn't tell me anything. I removed and re-installed
chkrootkit and still no infection.
In my opinion you should take the system off the net.
In my opinion you should lose those windoze wannabe tools.
Post by EricT
I do not think chkrootkit will report an incident if there is none.
Point your news reader at 'alt.os.linux.mandrake' (or alt.os.linux.mandriva
if your news server carries it), for this same thread. The problem was
chkrootkit making a false assumption as usual - this was a rpc.statd
running.

I also responded in that group, and noted that the chkrootkit script is
doing a netstat -an | egrep "^tcp.*LIST|^udp" | egrep "[.:]1008[^0-9.:]"
and barfed when it found something listening on port 1008 WITHOUT BOTHERING
TO INVESTIGATE FURTHER.

People use these crappy scripts without taking the time to READ what the
script is looking for. These are just scripts, and are interpretable into
non-technical language without a lot of effort.
Post by EricT
Consider that the intruder has done his work perfectly and therefore
chkrootkit is not reporting anymore.
'chkrootkit', and the similar 'rkhunter' look for signs of problems that
were seen in the past. The check for the '55808.A Worm' looks for files
named '/tmp/.../a' or '/tmp/.../r'. If the rootkit author has changed the
filename to '/tmp/.../A' or '/tmp/.../b' for example, the script will not
detect anything. That is worse than worthless.
Post by EricT
Post by Gary
Would it be enough to restore my 11-day-old partimage ghost (/home is
on another partition)?
I am not sure, but assuming the intruder can manipulate everything on
the system, it probably wouldn't help. However, I do not know what a
ghost image is like.
Norton "Ghost" is a windoze tool to make an image backup. Think of using
the 'dd' command to copy a partition to another drive or media.

Old guy
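An added example, written by the editor and not by any poster in this thread, that puts the two checks discussed above into code: the `netstat -an | egrep ...` filter Moe Trin describes, the attribution step that script skips (which process owns the port, and is it registered with the portmapper), and Eric's comparison of the local `netstat -tupan` view against an external `nmap -sS` scan. All three sample outputs are constructed, not captured from the poster's machine; the bindshell port list beyond 1008 and the use of `rpcinfo -p` as the explaining check are assumptions for the example.

```python
import re
from typing import Dict, Set, Tuple

Sock = Tuple[str, int]  # (proto, port)

# --- Constructed sample inputs (not captured from the poster's machine) ---
# `netstat -tupan` on the host under suspicion. Port 1008 is owned by
# rpc.statd, which is what the thread eventually identifies as the cause.
NETSTAT_TUPAN = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/portmap
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      845/rpc.statd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 192.168.1.10:22         192.168.1.20:41522      ESTABLISHED 2210/sshd
udp        0      0 0.0.0.0:1005            0.0.0.0:*                           845/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           812/portmap
"""

# `rpcinfo -p` on the same host: the ports the portmapper handed out.
RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp   1005  status
    100024    1   tcp   1008  status
"""

# `nmap -sS` of the host, run from a second machine. 111/tcp is absent because
# the firewall drops it; the 31337 line is constructed to show what a listener
# hidden from the local netstat looks like.
EXTERNAL_SCAN = """\
PORT      STATE SERVICE
22/tcp    open  ssh
1008/tcp  open  unknown
31337/tcp open  unknown
"""

# Ports the bindshell test treats as suspicious. 1008 comes from the thread;
# the others are assumed for this example, not copied from chkrootkit.
BINDSHELL_PORTS: Set[int] = {1008, 1524, 3049, 31337}

NETSTAT_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)")
RPCINFO_RE = re.compile(r"^\s*\d+\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")


def parse_listeners(netstat_text: str) -> Dict[Sock, str]:
    """(proto, port) -> program for listening sockets: the rows that
    `netstat -an | egrep "^tcp.*LIST|^udp"` selects, keeping the -p column."""
    out: Dict[Sock, str] = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:  # ESTABLISHED tcp rows fail to match: no PID follows the state
            proto, port, _pid, prog = m.groups()
            out[(proto, int(port))] = prog
    return out


def bindshell_check(listeners: Dict[Sock, str]) -> Dict[Sock, str]:
    """The script's logic: any listener on a listed port is 'INFECTED'."""
    return {s: p for s, p in listeners.items() if s[1] in BINDSHELL_PORTS}


def parse_rpc_registrations(rpcinfo_text: str) -> Dict[Sock, str]:
    """(proto, port) -> RPC service name, from `rpcinfo -p`."""
    out: Dict[Sock, str] = {}
    for line in rpcinfo_text.splitlines():
        m = RPCINFO_RE.match(line)
        if m:
            out[(m.group(1), int(m.group(2)))] = m.group(3)
    return out


def triage(hits: Dict[Sock, str], rpc: Dict[Sock, str]) -> Dict[Sock, str]:
    """The step the script skips: explain each hit before calling it infected."""
    verdict: Dict[Sock, str] = {}
    for sock, prog in hits.items():
        if sock in rpc:
            verdict[sock] = f"explained: {prog} registered with portmapper as '{rpc[sock]}'"
        else:
            verdict[sock] = f"unexplained: {prog} on {sock[0]}/{sock[1]}, investigate"
    return verdict


def parse_external_open(scan_text: str) -> Set[Sock]:
    """Open ports from an nmap-style listing produced on another machine."""
    return {(m.group(2), int(m.group(1)))
            for m in map(NMAP_RE.match, scan_text.splitlines()) if m}


def compare_views(listeners: Dict[Sock, str], external: Set[Sock]) -> Dict[str, Set[Sock]]:
    """Open from outside but absent locally: netstat is being lied to.
    Listening locally but closed from outside: the firewall is doing its job."""
    local_tcp = {s for s in listeners if s[0] == "tcp"}  # a SYN scan covers tcp only
    return {"hidden_from_local": external - local_tcp,
            "filtered_by_firewall": local_tcp - external}


if __name__ == "__main__":
    listeners = parse_listeners(NETSTAT_TUPAN)
    for sock, why in triage(bindshell_check(listeners), parse_rpc_registrations(RPCINFO)).items():
        print(sock, why)
    print(compare_views(listeners, parse_external_open(EXTERNAL_SCAN)))
```

On the constructed input the 1008 hit is explained by the `status` registration, the firewalled 111/tcp shows up as filtered rather than missing, and 31337/tcp is the case worth acting on: a port reachable from outside that the local netstat does not show.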
Gary
2005-12-16 08:32:32 UTC
Post by Moe Trin
On Wed, 14 Dec 2005, in the Usenet newsgroup comp.os.linux.security, in article
Post by EricT
Post by Gary
Would it be enough to restore my 11-day-old partimage ghost (/home is
on another partition)?
I am not sure, but assuming the intruder can manipulate everything on
the system, it probably wouldn't help. However, I do not know what a
ghost image is like.
Norton "Ghost" is a windoze tool to make an image backup. Think of using
the 'dd' command to copy a partition to another drive or media.
There's also g4l (ghost for linux) and partimage, which make ghosts of a
partition. partimage has the great advantage of not copying empty blocks but
just the used space, and it is very fast compared to others (4Go in 5
minutes :)). But partimage needs the partition-to-ghost to be unmounted,
so I make mdv06 ghosts from opensuse and vice versa.

Bye
Gary
EricT
2005-12-14 22:19:10 UTC
Post by Gary
Checking `bindshell'... INFECTED (PORTS: 1008)
I don't know how it could be installed except by a program I installed
yesterday (chkrootkit of the day before yesterday is clean of bindshell
infection). I update my system every day. I use firestarter, which allows
sshd for only a specific IP (my brother's one). All the other ports are
dropped.
This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
(as yesterday) doesn't tell me anything. I removed and re-installed
chkrootkit and still no infection.
In my opinion you should take the system off the net.

I do not think chkrootkit will report an incident if there is none.
Consider that the intruder has done his work perfectly and therefore
chkrootkit is not reporting anymore.

If you have another system connected to it, try a portscan `nmap -P0
-sS` or even better a complete nessus scan and compare the output with
the one of `netstat -tupan` of the affected one. It will point out open
ports of the system, in two different views (manipulated by the rootkit
and open ports seen from outside).

Maybe the other system has been infected as well, so you will need a
clean system or a live CD with these tools installed to perform the checks.

If you cannot find any differences, it's still possible that there's no
server running but a process which will connect to a specific ip right
after your external connection is established. There are several ways to
monitor this traffic, but it will need another system or switch between
the affected system and the external router/modem.
Post by Gary
Was it a false positive? How to check? Would it be enough to restore
my 11-day-old partimage ghost (/home is on another partition)?
I am not sure, but assuming the intruder can manipulate everything on
the system, it probably wouldn't help. However, I do not know what a
ghost image is like.

greetz,
Eric
EricT
2005-12-14 22:27:00 UTC
Post by Gary
Hello,
I'm using mandriva 2006.
Checking `bindshell'... INFECTED (PORTS: 1008)
I don't know how it could be installed except by a program I installed
yesterday (chkrootkit of the day before yesterday is clean of bindshell
infection). I update my system every day. I use firestarter, which allows
sshd for only a specific IP (my brother's one). All the other ports are
dropped.
This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
(as yesterday) doesn't tell me anything. I removed and re-installed
chkrootkit and still no infection.
Was it a false positive? How to check? Would it be enough to restore
my 11-day-old partimage ghost (/home is on another partition)?
Thanks for help.
Gary
Check these out first; I found a lot of false alarms:
http://www.google.com/linux?hl=en&lr=&ie=ISO-8859-1&q=%60bindshell%27...+INFECTED+%28PORTS%3A++1008%29&btnG=Search

greetz,
Eric
Gary
2005-12-15 06:08:57 UTC
Post by EricT
Post by Gary
Hello,
I'm using mandriva 2006.
Checking `bindshell'... INFECTED (PORTS: 1008)
This morning, chkrootkit doesn't recognize bindshell infection. rkhunter
(as yesterday) doesn't tell me anything. I removed and re-installed
chkrootkit and still no infection.
Was it a false positive? How to check? Would it be enough to restore
my 11-day-old partimage ghost (/home is on another partition)?
http://www.google.com/linux?hl=en&lr=&ie=ISO-8859-1&q=%60bindshell%27...+INFECTED+%28PORTS%3A++1008%29&btnG=Search
Thanks.
a***@gmail.com
2005-12-18 17:46:20 UTC
If you are running the portsentry daemon, it can generate false
positives in chkrootkit, since portsentry essentially acts as a
honeypot, blocking users who attempt to use backdoors to access the
system. Just reconfigure portsentry so that it doesn't bind to ports
checked by chkrootkit.

Jeff
Gary
2005-12-18 19:34:47 UTC
Post by a***@gmail.com
If you are running the portsentry daemon, it can generate false
positives in chkrootkit, since portsentry essentially acts as a
honeypot, blocking users who attempt to use backdoors to access the
system. Just reconfigure portsentry so that it doesn't bind to ports
checked by chkrootkit.
Thanks, in fact it was rpc.statd which was using port 1008 (a random port)
and got detected.
++
Gary
