Package: chkrootkit
Version: 0.58b-2
Severity: normal

/usr/share/doc/chkrootkit/README.FALSE-POSITIVES.gz says:

** use of well-known ports

Some rootkits are known to listen on common ports that are also used by legitimate services. chkrootkit flags any such processes as suspicious, without further investigation. Because the bindshell rootkit listens on many ports, there can be many false positives from this test - there are too many to list in this file, but mosh(1) may trigger this. You can check what is running using ss(1) or netstat(1).

but it doesn't say how to avoid the issue, e.g. how to filter the output, which is rather complex in the case of bindshell, due to the multiline output (and incomplete information, if one wants to do it right).

It is difficult to regard

----
Checking `bindshell'... not found
----

and

----
Checking `bindshell'... WARNING
WARNING: Potential bindshell installed: infected ports: 60001
----

as equivalent with filtering.

I suppose that the right solution is to change the bindshell parameters, e.g. using the -anp option for ss and filter the ss output, but I could not find how: the $netstat and $OPT values seem to be hardcoded in /sbin/chkrootkit, so that it is not possible to override them in /etc/chkrootkit/chkrootkit.conf.

For instance, one should be able to use

  { /usr/bin/ss -anp | /usr/bin/grep -v '^udp.*:60001[[:space:]].*"mosh-server"'; }

instead of

  ${netstat} "${OPT}"

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.10.11-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chkrootkit depends on:
ii  libc6  2.40-3

Versions of packages chkrootkit recommends:
ii  anacron                         2.3-40
ii  binutils                        2.43.1-5
ii  cron [cron-daemon]              3.0pl1-189
ii  iproute2                        6.10.0-2
ii  mailutils [mailx]               1:3.17-2+b1
ii  net-tools                       2.10-1.1
ii  postfix [mail-transport-agent]  3.9.0-3
ii  procps                          2:4.0.4-5
ii  systemd-sysv                    256.6-1

chkrootkit suggests no packages.

-- Configuration Files:
/etc/chkrootkit/chkrootkit.conf changed [not included]

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
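As an added example, not part of the report or of chkrootkit's own code: a POSIX sh sketch of the filtering the report proposes, applying the `grep -v` allow-list to `ss -anp` output and then rebuilding the bindshell verdict from what remains. The ss output is constructed, `BINDSHELL_PORTS` is a placeholder subset (only 60001 is confirmed by the report; the real list is hardcoded in /sbin/chkrootkit), and the function names are hypothetical.

```shell
# Constructed sample of `ss -anp` output (not captured from a real host).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:60001         0.0.0.0:*     users:(("mosh-server",pid=4242,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22            0.0.0.0:*     users:(("sshd",pid=811,fd=3))
tcp   LISTEN 0      128          0.0.0.0:31337         0.0.0.0:*     users:(("unknown",pid=9001,fd=4))'

# Placeholder subset of the ports the bindshell test looks at; only 60001 is
# confirmed by the report, the real list is hardcoded in /sbin/chkrootkit.
BINDSHELL_PORTS="1524 31337 60001"

# Default allow-list: the grep -v pattern from the report, i.e. UDP sockets on
# port 60001 that belong to mosh-server.
DEFAULT_ALLOW_RE='^udp.*:60001[[:space:]].*"mosh-server"'

# Read ss output on stdin, drop allow-listed lines, and print the flagged ports
# (sorted, space separated). An optional $1 overrides the allow-list regex.
bindshell_ports() {
    allow_re="${1:-$DEFAULT_ALLOW_RE}"
    grep -v "$allow_re" | awk -v ports="$BINDSHELL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $2 == "LISTEN" || $2 == "UNCONN" {
            port = $5; sub(/.*:/, "", port)   # keep only the port of Local Address:Port
            if (port in want) seen[port] = 1
        }
        END { for (port in seen) print port }' | sort -n | tr '\n' ' ' | sed 's/ *$//'
}

# Same verdict wording as chkrootkit's bindshell check, built from bindshell_ports.
bindshell_report() {
    found=$(bindshell_ports "$1")
    if [ -z "$found" ]; then
        echo "not found"
    else
        echo "WARNING: Potential bindshell installed: infected ports: $found"
    fi
}

# Stand-alone usage: the constructed sample with and then without the allow-list.
printf '%s\n' "$SAMPLE_SS" | bindshell_report
printf '%s\n' "$SAMPLE_SS" | bindshell_report '^$'
```

Matching on the process name printed by ss is only as trustworthy as the process table it comes from, which is the "incomplete information" the report alludes to; the allow-list should therefore be as narrow as the one above (protocol, port and process together), not a bare port number.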