On 12/4/2009 7:09 PM, [email protected] wrote:
>> Warning: Network TCP port 2006 is being used by
>> /usr/sbin/couriertls.
>> Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server
>>
>> Netstat -tulnap shows a whole bunch of similar connections open, so
>> I think this is normal? Question then is why does it think this one
>> is a rootkit?
>>
>> Here is a small sample from the netstat output (including the
>> suspect process):
>>
>> tcp6 0 0 192.168.1.252:993 192.168.1.59:2006 ESTABLISHED 13916/couriertls
>>
>> So - is there something special about port 2006?

> If you have verified the machine is clean, meaning no process
> or file traces of CB or w00tkit have been found,

Any suggestions for how to go about doing that would be appreciated. I am not a forensics expert, so I wouldn't really know how to go about checking further - that's why I'm running rkhunter... ;)

> then this is a false positive and you could whitelist the port using
> the PORT_WHITELIST configuration option.

But that doesn't answer my question. There are HUNDREDS of those kinds of connections, each one on a different port - am I supposed to whitelist them all if rkhunter picks another one to flag? Again - is there anything special about port 2006 that makes rkhunter single it out? That particular process is obviously benign, at least to me.

Thanks, and I do appreciate your response...

-- 
Best regards,
Charles

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
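The netstat line quoted above is the useful evidence in this thread: the local endpoint is 192.168.1.252:993 (the IMAPS service that couriertls handles) and 2006 is the port on the remote client 192.168.1.59, i.e. the peer's source port for that one session, which is why the neighbouring connections each show a different port. The script below, added here as an illustration and not part of the thread or of rkhunter, parses `netstat -tulnap` output and, for each socket that touches a port from a rootkit-port table, reports which end of the connection the port is on. It assumes (this is not confirmed by the thread) that rkhunter's check keys on the port number alone, so a peer's ephemeral port matches just as a locally bound one does. The table contains only the 2006 entry taken from the warning, and the sample netstat lines are constructed around the one line from the post; the listener on 2006 run by `unknownd` is invented purely to show what a hit worth investigating looks like.

```python
"""Classify 'known rootkit port' hits from netstat -tulnap output by which end
of the socket the port sits on.  Added example; not rkhunter's own code."""
from dataclasses import dataclass
from typing import List, Optional

# Only the pair named in the rkhunter warning on this thread is listed.
# Assumption: the real check compares bare port numbers against such a table.
ROOTKIT_PORTS = {("tcp", 2006): "CB Rootkit or w00tkit Rootkit SSH server"}

# Constructed sample.  Only the couriertls/2006 line comes from the post; the
# others are invented neighbours, including one hypothetical listener on 2006.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::993                  :::*                    LISTEN      13910/couriertcpd
tcp6       0      0 192.168.1.252:993       192.168.1.59:2006       ESTABLISHED 13916/couriertls
tcp6       0      0 192.168.1.252:993       192.168.1.59:2011       ESTABLISHED 13917/couriertls
tcp        0      0 0.0.0.0:2006            0.0.0.0:*               LISTEN      4242/unknownd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           987/ntpd
"""


@dataclass
class Socket:
    proto: str                 # tcp, tcp6, udp, udp6
    local_port: Optional[int]  # None when netstat prints '*'
    remote_port: Optional[int]
    state: Optional[str]       # None for UDP rows, which carry no state column
    pid: Optional[int]
    program: Optional[str]
    line: str


@dataclass
class Hit:
    port: int
    side: str       # "local" or "remote"
    verdict: str
    label: str
    program: Optional[str]
    line: str


def _port(addr: str) -> Optional[int]:
    # Split on the last ':' so IPv6 forms such as ':::993' parse correctly.
    port = addr.rpartition(":")[2]
    return None if port == "*" else int(port)


def parse_netstat_line(line: str) -> Optional[Socket]:
    """Parse one row of `netstat -tulnap`; header and blank lines give None."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None
    state = pidprog = None
    rest = fields[5:]
    if len(rest) >= 2:                 # TCP: STATE PID/Program
        state, pidprog = rest[0], rest[1]
    elif len(rest) == 1:               # UDP: PID/Program only (or a lone STATE)
        if "/" in rest[0] or rest[0] == "-":
            pidprog = rest[0]
        else:
            state = rest[0]
    pid = program = None
    if pidprog and pidprog != "-":
        pid_s, _, program = pidprog.partition("/")
        pid = int(pid_s)
    return Socket(fields[0], _port(fields[3]), _port(fields[4]), state, pid, program, line)


def assess(sock: Socket) -> List[Hit]:
    """Report each rootkit-port match on this socket, noting which end it is on."""
    base = sock.proto.rstrip("6")      # tcp6 -> tcp, udp6 -> udp
    hits = []
    for side, port in (("local", sock.local_port), ("remote", sock.remote_port)):
        label = ROOTKIT_PORTS.get((base, port))
        if label is None:
            continue
        if side == "local" and (sock.state == "LISTEN" or sock.remote_port is None):
            verdict = "INVESTIGATE: local process is bound to a known rootkit port"
        elif side == "local":
            verdict = "INVESTIGATE: local service port matches a known rootkit port"
        else:
            verdict = ("LIKELY FALSE POSITIVE: port is the peer's source port; "
                       "local service port is %s" % sock.local_port)
        hits.append(Hit(port, side, verdict, label, sock.program, sock.line))
    return hits


def scan(netstat_output: str) -> List[Hit]:
    """Run assess() over every parseable row of a netstat dump."""
    hits = []
    for line in netstat_output.splitlines():
        sock = parse_netstat_line(line)
        if sock is not None:
            hits.extend(assess(sock))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_NETSTAT):
        print("%s (%s) port %d [%s] -> %s" % (h.program, h.side, h.port, h.label, h.verdict))
```

On the sample, the couriertls row is reported as the peer's source port with the local service on 993, while the invented `unknownd` listener is the kind of hit that warrants checking the binary and its process. A remote-side hit like the first one is what the quoted reply's PORT_WHITELIST option is for; check the comments in your version's rkhunter.conf for the exact entry format.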
