chkrootkit warning "Checking `bindshell'... INFECTED (PORTS: 60001)"

bubba

Golden Member
Oct 10, 1999

I get the following warning from chkrootkit (http://www.chkrootkit.org/):

Checking `bindshell'... INFECTED (PORTS: 60001)

Now from their site:

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

However, I didn't set up portsentry. These are RedHat 7.3 machines. I am wondering if this is still a false positive and that something else is binding itself to port 60001. Does anyone have any insight into this, or am I just screwed???
 

n0cmonkey

Elite Member
Jun 10, 2001
Ok... Are these production machines? Are they all doing this? This is tough to do without being there personally and knowing all the facts ;)

You can try downloading lsof and trying to get that to work to see what is binding to that port. Best case scenario would be to make an image of the drive, mount the drive in another machine ro, and look around that way... But it's also tough to do. So try lsof and see if that shows what process is binding to that port.
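One way to do the lsof check suggested above, as an added example that is not from the thread: the function lists every listening TCP socket whose port is on the chkrootkit bindshell list quoted earlier, together with the command name and PID behind it. The sample lsof output, process names and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Ports that chkrootkit's bindshell test looks at (taken from the chkrootkit note quoted above).
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output; not real output from any machine.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sinfod   1023 root    4u  IPv4  23456      0t0  TCP *:60001 (LISTEN)
httpd    1300 apache  5u  IPv4  34567      0t0  TCP *:80 (LISTEN)'

# Print "port command pid" for each listener on a bindshell-test port.
# $1: lsof output to inspect; when omitted, lsof is run live on this host.
flagged_listeners() {
  input="${1:-$(lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null)}"
  printf '%s\n' "$input" | awk -v ports="$BINDSHELL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    NR > 1 && $NF == "(LISTEN)" {
      # NAME field looks like *:60001 or [::]:60001; keep only the part after the last colon
      port = $(NF - 1); sub(/.*:/, "", port)
      if (port in watch) print port, $1, $2
    }'
}

flagged_listeners "$SAMPLE_LSOF"   # prints: 60001 sinfod 1023
```

A match only tells you which process owns the socket; to decide whether that process is benign, also confirm which binary it runs (`readlink /proc/PID/exe`) and whether that file belongs to an installed package (`rpm -qf` on a RedHat system) rather than trusting the command name alone.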
 

bubba

Golden Member
Oct 10, 1999


Ahhhhh *whew*!!!

sinfod is using that port. That is a very nice top-style utility for all my cluster machines. I can run that and see what is running on every machine in all the clusters. Thank god it is just that!