[ubuntu-in] chkrootkit - Checking `bindshell'.. INFECTED (PORTS: 4000)
Ramnarayan.K
ramnarayan.k at gmail.com
Fri Mar 4 06:19:56 UTC 2011
Some time back I had posted the not so nice results of chkrootkit
and found this suspicious programme listening in on port 4000. It was
called beagled and I thought it was some sarcastic malware type having
fun, like saying you "screxxd or your beagled".
So I found no solution to it and used to kill the beagled sessions every day.
Today I just ran man beagled and this is what I found:
"NAME
beagled - the Beagle desktop search daemon"
So it seems either beagled is doing something nasty or I got a false positive.
**
Top posting in case people are interested; my original mail is below.
regards
ram
On Sat, Jan 22, 2011 at 9:09 AM, Ramnarayan.K <ramnarayan.k at gmail.com> wrote:
> Hi
>
> Following an article on chkrootkit I tried it and found some disturbing results.
>
> The original article is here
> http://www.linuxjournal.com/content/hacking-old-school
>
> Quote
> "With the standard install on my Ubuntu box, chkrootkit has 69
> available tests."
> endquote
>
> After this I tried chkrootkit and found
>
>
> Searching for anomalies in shell history files... Warning:
> `//home/ram/.kino-history' is linked to another file
>
> Checking `bindshell'... INFECTED
> (PORTS: 4000)
>
>
> What does this INFECTED mean?? And what would "linked to another file"
> imply? (I am assuming the kino anomaly is less important.)
>
> After searching and asking a friend for some help I tried
>
>
> m-laptop:~$ sudo netstat -pant|grep 4000
> [sudo] password for ram:
> tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN 2485/beagled
>
> So is beagle the file tracker doing all this, or is beagled a Linux
> adjective here?
>
> **
> I uninstalled beagle but still get the same message.
>
> **
> Searching the web, the only similar page I came across was
> http://ubuntuforums.org/showthread.php?t=746700
> and following that I tried various commands to see what is wrong, if at all.
>
> m-laptop:~$ nmap -P0 localhost
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2011-01-22 08:48 IST
> Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
> Interesting ports on localhost (127.0.0.1):
> Not shown: 994 closed ports
> PORT STATE SERVICE
> 631/tcp open ipp
> 4000/tcp open remoteanything
> 5800/tcp open vnc-http
> 5900/tcp open vnc
> 9050/tcp open tor-socks
> 50001/tcp open unknown
>
> Where again port 4000/tcp says remoteanything???
>
> *
> Then I ran other tests as below.
>
> m-laptop:~$ sudo netstat -an | grep 4000
> tcp 0 0 0.0.0.0:4000 0.0.0.0:* LISTEN
>
> *
> m-laptop:~$ sudo lsof | grep 4000
> lsof: WARNING: can't stat() fuse.gvfs-fuse-daemon file system /home/ram/.gvfs
> Output information may be incomplete.
> beagled 2485 ram 16u IPv4 12298 0t0 TCP *:4000 (LISTEN)
>
> Which yet again shows the same thing.
>
> Lastly, in the article below there is a mention of port 4000 in the
> context of beagle, though I am not sure if this is relevant much:
> http://blog.rogersoles.com/2010/07/06/technology/ubuntu-desktop-search/
>
> ***
> Would appreciate figuring out what is wrong and why this port 4000
> INFECTED thingy is happening.
> ram
>
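A triage script for this kind of chkrootkit bindshell hit, added here as an example and not part of the mail: it parses netstat -pant output for the flagged port and then checks whether the listening PID runs a package-owned binary, which is the question the thread was circling around. The sample netstat lines, the dpkg lookup and the /proc/PID/exe check are my assumptions, not something from the thread.

```shell
#!/bin/sh
# Added triage helper for a chkrootkit "bindshell ... INFECTED (PORTS: N)" hit.
# Not from the original mail. Assumes `netstat -pant` output layout (as in the
# mail) and dpkg for package ownership; adapt listener_for for `ss -ltnp`.

# Constructed sample in netstat -pant layout: the mail's own beagled line plus
# two made-up lines, one where netstat hid the owner (needs root for -p).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:4000      0.0.0.0:*   LISTEN  2485/beagled
tcp        0      0 0.0.0.0:631       0.0.0.0:*   LISTEN  1010/cupsd
tcp        0      0 127.0.0.1:50001   0.0.0.0:*   LISTEN  -'

# listener_for PORT: read netstat -pant lines on stdin, print the PID/PROGRAM
# column of the LISTEN socket bound to PORT ("-" when netstat could not see it).
listener_for() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")            # local address, v4 or v6
            if (a[n] == port) { print $7; exit }
        }'
}

# verdict PID/PROGRAM: resolve the executable behind the PID and ask dpkg who
# installed it. Package ownership is not proof of innocence, but an unowned
# binary or a deleted executable is what turns a false positive into a case.
verdict() {
    pidprog=$1
    if [ "$pidprog" = "-" ]; then
        echo "owner hidden: rerun netstat -pant as root"; return
    fi
    pid=${pidprog%%/*}
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo "no such pid $pid"; return; }
    case $exe in
        *' (deleted)') echo "SUSPECT: $pidprog runs a deleted executable"; return ;;
    esac
    # Mono/Python daemons resolve to the interpreter; also read /proc/$pid/cmdline.
    # dpkg -S misses merged-/usr path aliases, so "no package" means look harder.
    if pkg=$(dpkg -S "$exe" 2>/dev/null); then
        echo "packaged: $pidprog -> ${pkg%%:*} ($exe)"
    else
        echo "SUSPECT: $pidprog -> $exe is owned by no package"
    fi
}

# Demo on the constructed sample, then the live port (default 4000).
printf '%s\n' "$SAMPLE_NETSTAT" | listener_for 4000          # prints 2485/beagled
if command -v netstat >/dev/null 2>&1; then
    l=$(netstat -pant 2>/dev/null | listener_for "${1:-4000}")
    if [ -n "$l" ]; then verdict "$l"; else echo "nothing listening on ${1:-4000}"; fi
fi
```

Run it as root so netstat can fill in the PID/PROGRAM column; a result of "packaged: 2485/beagled -> ..." is the false-positive outcome the mail eventually reached by hand.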