Anyone? I'm definitely more worried about this than fixing the squares in my summary report... ;)
On 12/4/2009 12:57 PM, Tanstaafl wrote:
> Hi,
>
> Ok, first time I've seen this...
>
> My last run this morning was clean.
>
> I run courier-imap (working on replacing with dovecot) with couriertls,
> and I just tried adding the --nocolor option and reran my cronjob, and
> got a Warning about a possible rootkit:
>
> Warning: Network TCP port 2006 is being used by /usr/sbin/couriertls.
> Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server
>
> Netstat -tulnap shows a whole bunch of similar connections open, so I
> think this is normal? Question then is why does it think this one is a
> rootkit?
>
> Here is a small sample from the netstat output (including the suspect
> process):
>
> tcp6 0 0 192.168.1.252:993 192.168.1.110:26015 ESTABLISHED 25736/couriertls
> tcp6 0 0 192.168.1.252:993 192.168.1.21:3111 ESTABLISHED 16518/couriertls
> tcp6 0 0 192.168.1.252:993 192.168.1.59:2006 ESTABLISHED 13916/couriertls
> tcp6 0 0 192.168.1.252:993 192.168.1.68:2094 ESTABLISHED 16610/couriertls
> tcp6 0 0 192.168.1.252:993 166.137.5.180:33976 ESTABLISHED 16278/couriertls
>
> So - is there something special about port 2006?

_______________________________________________
Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
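The warning in the quoted message matches the number 2006 against a table of ports associated with known rootkits, but in the netstat sample that number is the *remote* peer's ephemeral source port, while the local side is the IMAPS service on 993. The script below is an added example, not part of rkhunter or of the original post: it parses `netstat -tulnap` style lines and separates a match on the local port of a listening socket (worth investigating) from a match on a peer's ephemeral port (not something the local process chose). The port table contains only the one mapping the posted warning shows; the two LISTEN lines and the program names `unknown-daemon` and `couriertcpd` in the sample are constructed for illustration.

```python
"""Classify netstat connections against a known-rootkit port table.

Added example for the rkhunter-users thread above; it is not rkhunter's
own check. ROOTKIT_PORTS holds only the mapping visible in the posted
warning (2006 -> CB Rootkit / w00tkit SSH server); rkhunter's real list
is larger and is read from its own configuration.
"""
from collections import namedtuple

ROOTKIT_PORTS = {
    2006: "CB Rootkit or w00tkit Rootkit SSH server",  # from the posted warning
}

Conn = namedtuple(
    "Conn", "proto local_addr local_port remote_addr remote_port state pid program"
)
Finding = namedtuple("Finding", "conn severity reason")


def _split_addr(addr):
    """Split 'host:port'. IPv6 hosts contain ':' themselves, so split on the last one."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)  # '*' -> None


def parse_netstat(text):
    """Parse lines of `netstat -tulnap` output into Conn records.

    TCP lines carry a state column (LISTEN, ESTABLISHED, ...); UDP lines do not,
    so the PID/program column shifts left by one. Header lines are skipped.
    """
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, remote = fields[0], fields[3], fields[4]
        if proto.startswith("tcp"):
            state = fields[5] if len(fields) > 5 else ""
            pidprog = fields[6] if len(fields) > 6 else "-"
        else:
            state = ""
            pidprog = fields[5] if len(fields) > 5 else "-"
        pid, _, prog = pidprog.partition("/")
        lhost, lport = _split_addr(local)
        rhost, rport = _split_addr(remote)
        conns.append(Conn(proto, lhost, lport, rhost, rport, state,
                          pid if pid.isdigit() else None, prog or None))
    return conns


def classify(conn):
    """Return (severity, reason) for one connection.

    high   : this host is LISTENING on a port in the table
    medium : a local socket uses a port in the table (non-listening)
    info   : only the remote peer's source port matches; the local process
             did not pick that number, so this alone is not evidence
    none   : no match
    """
    lp, rp = conn.local_port, conn.remote_port
    if lp in ROOTKIT_PORTS and conn.state in ("LISTEN", ""):
        return "high", f"listening on local port {lp}: {ROOTKIT_PORTS[lp]}"
    if lp in ROOTKIT_PORTS:
        return "medium", f"local port {lp} in use by {conn.program}: {ROOTKIT_PORTS[lp]}"
    if rp in ROOTKIT_PORTS:
        return "info", (f"peer {conn.remote_addr} used ephemeral source port {rp} "
                        f"({ROOTKIT_PORTS[rp]}); local service is {conn.program} on {lp}")
    return "none", ""


def report(text):
    """Return a Finding for every connection whose severity is not 'none'."""
    findings = []
    for conn in parse_netstat(text):
        severity, reason = classify(conn)
        if severity != "none":
            findings.append(Finding(conn, severity, reason))
    return findings


# Constructed sample: the five lines quoted in the post, plus two constructed
# LISTEN lines (program names and PIDs on those two lines are placeholders).
SAMPLE = """\
Active Internet connections (servers and established)
tcp6 0 0 192.168.1.252:993 192.168.1.110:26015 ESTABLISHED 25736/couriertls
tcp6 0 0 192.168.1.252:993 192.168.1.21:3111 ESTABLISHED 16518/couriertls
tcp6 0 0 192.168.1.252:993 192.168.1.59:2006 ESTABLISHED 13916/couriertls
tcp6 0 0 192.168.1.252:993 192.168.1.68:2094 ESTABLISHED 16610/couriertls
tcp6 0 0 192.168.1.252:993 166.137.5.180:33976 ESTABLISHED 16278/couriertls
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN 4242/unknown-daemon
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 1234/couriertcpd
"""

if __name__ == "__main__":
    for f in report(SAMPLE):
        print(f"[{f.severity}] pid={f.conn.pid} {f.conn.program}: {f.reason}")
```

Run against the sample, the couriertls line with peer 192.168.1.59:2006 comes out as `info` (the peer happened to pick 2006 as its source port), while only the constructed listener on 0.0.0.0:2006 is `high`. A check that ignores which side of the socket matched, or that does not distinguish LISTEN sockets from established ones, will flag the former the same way as the latter.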
