Robert Larson wrote:

>On Friday 24 March 2006 05:38 am, Paul Kölle wrote:
>
>>王 鹏辉 wrote:
>>
>>>Hello, list,
>>>
>>>Recently, I found that my email server has sent out mess spam emails by
>>>some strange account from xxx@×××××.com. I run chkrootkit then found that
>>>
>>>bindshell INFECTED (PORTS: 465)
>>>
>>Me too. AFAIK it's a false positive. This is stated in a chkrootkit FAQ
>>whose URL slipped out of my memory but I found it by Google.
>>
>
>I can verify this as it has been a false positive for me in the past. I would
>highly recommend, before passing it off as a false positive, check to see
>what is listening on this port. I've heard that Exim uses this, and
>PortSentry does as well. "netstat -nap --ip" should show it. Also, you may
>use "lsof | grep TCP".
>

This is normally the port an SSL-enabled mailserver listens on.
netstat -ltnp shows ports with attached listeners and process IDs, that
should get you started on figuring out what is actually listening on
that port.

Ramon

--
To be stupid and selfish and to have good health are the three requirements for happiness, though if stupidity is lacking, the others are useless.

Gustave Flaubert

--
gentoo-server@g.o mailing list
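
The check suggested in this thread, as an added example that is not part of any poster's message: a shell function that reads `netstat -ltnp` output and reports whether the listener on a given port is a daemon you expect there. The allowlist in `EXPECTED_DAEMONS` and the sample netstat output are constructed assumptions; adjust the list to the mail software actually installed.

```shell
#!/bin/sh
# Classify whatever is listening on a TCP port, using "netstat -ltnp" columns:
# Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program

# Assumption: daemons you would accept as owner of the listener on this host.
EXPECTED_DAEMONS="exim exim4 master sendmail portsentry"

# classify_listener PORT  (netstat -ltnp output on stdin)
# Prints one line per listener on PORT: "<verdict> <local-addr> <pid> <program>"
# where verdict is expected, unexpected or unknown-owner; prints "none" when
# nothing listens on PORT.
classify_listener() {
    awk -v port="$1" -v allow="$EXPECTED_DAEMONS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Local address may be 0.0.0.0:465, :::465 or [::]:465; the port
            # is whatever follows the last colon.
            p = $4; sub(/^.*:/, "", p)
            if (p != port) next
            found = 1
            # Column 7 is "-" when netstat ran without root privileges, so
            # the owner cannot be judged from this output.
            if ($7 == "-" || $7 == "") { print "unknown-owner", $4, "-", "-"; next }
            split($7, pp, "/")
            prog = pp[2]; sub(/:$/, "", prog)
            verdict = (prog in ok) ? "expected" : "unexpected"
            print verdict, $4, pp[1], prog
        }
        END { if (!found) print "none" }
    '
}

# Constructed sample output (not taken from the thread).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2211/exim
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      2211/exim
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1802/sshd
tcp        0      0 0.0.0.0:4465            0.0.0.0:*               LISTEN      9313/sh
tcp6       0      0 :::993                  :::*                    LISTEN      -'

# On a live host, as root:  netstat -ltnp | classify_listener 465
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listener 465
```

An `unexpected` or `unknown-owner` result means the chkrootkit report should not be dismissed until the owning process has been identified as root.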