Oliver Elphick <olly@lfix.co.uk> writes: tags 351221 + wontfix
thanks for the report.

> The cfsd daemon (from package cfs) runs on localhost:3049. This gives a
> false positive in the bindshell test.
>
> Workaround:
> OPT=-anp
> netstat $OPT | ... | grep -v '127\.0\.0\.1:3049.*/cfsd'

unfortunately, because of the current design of chkrootkit, the workaround above would lead to false negatives which is worse than false positives.

3049 is both a well known bindshell port and the cfsd port. as such, it'd be smart for a bindshell prog to name itself cfsd to escape detection by the above workaround.

upstream has made it clear that workarounds like this are unacceptable for the current design of chkrootkit, ie, "this is a feature, not a bug."

cfs is listed in /usr/share/doc/chkrootkit/README.FALSE-POSITIVES

thanks.

-l
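The false-negative problem described in the reply above, as an added example that is not part of the original message or of chkrootkit: it runs the name-based filter from the report over constructed `netstat -anp` lines and compares it with an allowlist keyed on the listener's executable path. The PIDs, the `exe_of` helper (a stand-in for `readlink /proc/PID/exe`) and the path `/usr/sbin/cfsd` are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed `netstat -anp` listener lines, one per scenario (not real output).
# PID 812 is the genuine daemon; PID 4242 is another program that only
# calls itself "cfsd"; PID 977 is an unrelated listener on the same port.
SAMPLE='tcp 0 0 127.0.0.1:3049 0.0.0.0:* LISTEN 812/cfsd
tcp 0 0 127.0.0.1:3049 0.0.0.0:* LISTEN 4242/cfsd
tcp 0 0 0.0.0.0:3049 0.0.0.0:* LISTEN 977/sh'

# Assumed install path of the real cfsd binary (hypothetical for this example).
EXPECTED_EXE=/usr/sbin/cfsd

# Constructed stand-in for `readlink /proc/PID/exe`, so the example runs offline.
exe_of() {
    case "$1" in
        812)  echo /usr/sbin/cfsd ;;
        4242) echo /tmp/.x/cfsd ;;
        977)  echo /bin/sh ;;
    esac
}

# The workaround from the report: drop every localhost:3049 listener whose
# process name ends in /cfsd, then flag whatever is left on port 3049.
flag_by_name() {
    printf '%s\n' "$SAMPLE" |
        grep -v '127\.0\.0\.1:3049.*/cfsd' |
        grep ':3049 ' | awk '{print $7}'
}

# Stricter allowlist: a listener is skipped only when the executable behind
# its PID is the expected binary; the process name is never trusted.
flag_by_exe() {
    printf '%s\n' "$SAMPLE" | grep ':3049 ' | awk '{print $7}' |
    while IFS=/ read -r pid name; do
        [ "$(exe_of "$pid")" = "$EXPECTED_EXE" ] || echo "$pid/$name"
    done
}

echo "flagged by name filter:"; flag_by_name
echo "flagged by exe check:";   flag_by_exe
```

The name filter reports only `977/sh` and silently passes PID 4242, which is the false negative the reply describes; the path check reports both. A path match is still only as trustworthy as the binary installed at that path.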