| 1 |
Robert Larson wrote: |
| 2 |
|
| 3 |
>On Friday 24 March 2006 05:38 am, Paul Kölle wrote: |
| 4 |
> |
| 5 |
> |
| 6 |
>>王 鹏辉 wrote: |
| 7 |
>> |
| 8 |
>> |
| 9 |
>>>Hello, list, |
| 10 |
>>> |
| 11 |
>>>Recently, i found that my emails server has sent out mess spam emails by |
| 12 |
>>>some strange account from xxx@×××××.com. I run chkrootkit then found that |
| 13 |
>>> |
| 14 |
>>>bindshell INFECTED (PORTS: 465) |
| 15 |
>>> |
| 16 |
>>> |
| 17 |
>>Me too. AFAIK it's a false positive. This is stated in a chkrootkit FAQ |
| 18 |
>>whose URL slipped out of my memory but I found it by google. |
| 19 |
>> |
| 20 |
>> |
| 21 |
> |
| 22 |
>I can verify this as it has been a false positive for me in the past. I would |
| 23 |
>highly recommend, before passing it off as a false positive, check to see |
| 24 |
>what is listening on this port. I've heard that Exim uses this, and |
| 25 |
>PortSentry does as well. "netstat -nap --ip" should show it. Also, you may |
| 26 |
>use "lsof | grep TCP". |
| 27 |
> |
| 28 |
> |
| 29 |
This is normally the port an ssl enabled mailserver listens on. |
| 30 |
netstat -ltnp shows ports with attached listeners and processids, that |
| 31 |
should get you started on figuring out what is actually listening on |
| 32 |
that port. |
| 33 |
|
| 34 |
Ramon |
| 35 |
|
| 36 |
-- |
| 37 |
To be stupid and selfish and to have good health are the three requirements for happiness, though if stupidity is lacking, the others are useless. |
| 38 |
|
| 39 |
Gustave Flaubert |
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-server@g.o mailing list |
Archives