[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: F12 Rkhunter, Have I a rootkit?



On 01/05/2010 01:19 PM, Bill Davidsen wrote:
Frank Murphy (Frankly3D) wrote:
On 05/01/10 11:06, Andrew Haley wrote:
On 01/05/2010 10:54 AM, Frank Murphy (Frankly3D) wrote:
---------------------- Start Rootkit Hunter Scan ----------------------
Warning: Network TCP port 47107 is being used by
/usr/lib64/thunderbird-3.0/thunderbird-bin. Possible rootkit: T0rn
Use the 'lsof -i' or 'netstat -an' command to check this.


Results of lsof -i' and 'netstat -an'
http://fpaste.org/xOOO/
Port 47107 isn't being used any more. This was just TCP using a random
unreserved port.

Andrew.


Basically ignore this in future, with that port?

Absolutely not! If you ever get it again check it again. Learn how to do
that, lsof is not rocket science.

"netstat -lpn" will show you which program is listening on which port
(assuming netstat wasn't compromised in a rootkit).

When you install a system, ALWAYS put copies of programs like ps, lsof,
netstat, ls, lsattr, chattr, rkhunter (and any other forensic tools you
can think of) and their required libraries on a thumbdrive or some other
removable media BEFORE you connect the machine to the internet.  You
then have pristine copies of the tools you may need to find a rootkit.

It's saved many an arse in the past.  Believe me.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks nerd com -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
- grasshopotomaus: A creature that can leap to tremendous heights... -
-                                                ...once.            -
----------------------------------------------------------------------


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]