On 2024-07-07 00:50:05 +0200, Vincent Lefevre wrote:
> I got the following warning:
>
> -Checking `bindshell'... not found
> +Checking `bindshell'... WARNING
> +
> +WARNING: Potential bindshell installed: infected ports: 60001
> +
>
> According to lsof, this is actually mosh-server (from the mosh Debian
> package).

chkrootkit does:

bindshell () {
PORT="114 145 465 511 600 1008 1524 1999 1978 2881 3049 3133 3879 4000 4369 5190 5665 6667 10008 12321 23132 27374 29364 30999 31336 31337 37998 45454 47017 47889 60001 7222"
   OPT="-an"
[...]
   for P in $PORT; do
      if ${netstat} "${OPT}" | ${egrep} -q "^(tcp.*LIST|udp).*[.:]${P}[^0-9.:]" >/dev/null 2>&1
      then
         PI="${PI} ${P}"
      fi
   done
[...]

I suggest also using the --program option for netstat, so that the
program name is added in the output. So, instead of

udp        0      0 0.0.0.0:60001           0.0.0.0:*

one gets

udp        0      0 0.0.0.0:60001           0.0.0.0:*                           16426/mosh-server

Thus it is possible to check for mosh-server in the output.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
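
A sketch of the check suggested in the message above, as an added example that is not chkrootkit's code and not from the original message: it filters netstat --program output for watched ports and skips sockets owned by an allowlisted program. The function names, the allowlist parameter and the sample input are assumptions made for illustration; unlike the quoted regex, it matches the port against the local address column only.

```shell
#!/bin/sh
# Added example, not chkrootkit code. Reads `netstat -an --program` style output
# on stdin and prints "port program" for every watched port that is bound by a
# program outside the allowlist.
#   $1: space-separated ports to watch   $2: space-separated allowed program names
flag_bindshell_ports() {
    awk -v ports="$1" -v allow="$2" '
    BEGIN {
        n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1
        n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # Same socket selection as the quoted check: TCP in LISTEN state, or any UDP.
    /^tcp.*LIST/ || /^udp/ {
        port = $4; sub(/.*[.:]/, "", port)      # local address -> port number
        if (!(port in watch)) next
        # The owner column is "PID/name"; it is "-" when netstat cannot see it.
        prog = "-"
        for (i = 5; i <= NF; i++) if ($i ~ /^[0-9]+\//) {
            prog = $i; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog); break
        }
        # Unknown owners stay flagged: only a positively identified name is skipped.
        if (!(prog in ok)) print port, prog
    }'
}

# Constructed sample input (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN  812/sshd: /usr/sbin
tcp        0      0 0.0.0.0:31337   0.0.0.0:*       LISTEN  4242/nc
tcp6       0      0 :::6667         :::*            LISTEN  -
udp        0      0 0.0.0.0:60001   0.0.0.0:*               16426/mosh-server
udp        0      0 0.0.0.0:60002   0.0.0.0:*               16500/mosh-server
EOF
}

sample_netstat | flag_bindshell_ports "6667 31337 60001" "mosh-server"
```

netstat only reports the owner of other users' sockets when run as root, and the program name is chosen by the process itself, so an allowlist like this reduces noise rather than proving the listener is benign.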