Bug#: 65635
Status: RESOLVED
Resolution: FIXED
Assigned To: Aaron Walker (RETIRED) <ka0ttic@gentoo.org>
Reporter: Susie Edgeworth <mistatengwar@hotmail.com>
Description:   Opened: 2004-09-27 22:44 0000
chkrootkit gives a false positive if running portsentry on those ports,

i.e. it gives the below:

Checking `bindshell'... INFECTED (PORTS:  1524 31337)

Stopping portsentry removes that error.  But I suggest the ebuild have a warning added so that people running portsentry are aware of this.  It also gives an error for the sniffer test if people run dhcpd.

Reproducible: Always
Steps to Reproduce:

------- Comment #1 From Daniel Black 2004-09-28 02:07:42 0000 -------
Is there a way of configuring chkrootkit to ignore those ports when scanning?

------- Comment #2 From Aaron Walker (RETIRED) 2004-09-28 09:05:26 0000 -------
This is actually a chkrootkit FAQ[1].  I've added some einfo messages that display a warning and point to the chkrootkit FAQ, as well as a few other minor ebuild changes (good timing on this bug report, as I was about to commit them when I saw your bug ;p).

[1] http://www.chkrootkit.org/

------- Comment #3 From Susie Edgeworth 2004-09-28 23:43:09 0000 -------
Scrolling down on http://www.chkrootkit.org/ I see:

7. I'm running PortSentry/klaxon. What's wrong with the bindshell test?

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).

Unfortunately it doesn't give any solutions.  A lot of people might be startled, as I was, to see that false positive and not realize it was false.  Luckily someone else pointed it out to me, but obviously that's quite a port range it can give false positives for.  Which is why I suggest just adding the ewarn flag or something to the ebuild.  Then it will beep and put text in yellow warning people that run portsentry.
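
The check behind the "INFECTED (PORTS: ...)" line, as an added example written for this page (not chkrootkit's own code, and not anything from the ebuild or this bug): it probes the same port list the FAQ quotes above, but against `netstat -ltnp` output, so every hit is attributed to the process that owns the socket. That attribution is what separates a portsentry or mail-server listener from a real bindshell, which chkrootkit's own test cannot tell apart. The `sample_netstat` function feeds a constructed listing (not captured from a real host); `ALLOWED_PROGS` is an assumed environment variable, and `--live` needs root so netstat fills in the PID/Program name column.

```shell
#!/bin/sh
# Added example for bug 65635; not chkrootkit's code and not from the ebuild.
# Re-runs the bindshell port check against `netstat -ltnp` output so that
# each hit is attributed to the process owning the socket.

# Ports probed by chkrootkit's bindshell test, per the chkrootkit FAQ.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 4369 5665 10008 12321 23132 27374 29364 31336 31337 45454 47017 47889 60001"

# Read `netstat -ltnp` output on stdin. For every listening TCP socket on a
# bindshell port print "port pid/program verdict". A hit owned by a program
# named in ALLOWED_PROGS (assumed variable, default "portsentry") is
# "expected"; anything else, including "-" (PID unknown because netstat was
# not run as root), is "INVESTIGATE". Exit 1 if any hit needs investigation.
bindshell_triage() {
    awk -v ports="$BINDSHELL_PORTS" -v allowed="${ALLOWED_PROGS:-portsentry}" '
    BEGIN {
        n = split(ports, p, " ");   for (i = 1; i <= n; i++) watch[p[i]] = 1
        m = split(allowed, a, " "); for (i = 1; i <= m; i++) ok[a[i]] = 1
        bad = 0
    }
    # Data rows: Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/Program
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        cnt = split($4, addr, ":"); port = addr[cnt]   # last field, so ":::1524" works too
        if (!(port in watch)) next
        split($7, owner, "/"); prog = owner[2]          # empty when netstat printed "-"
        verdict = (prog in ok) ? "expected" : "INVESTIGATE"
        if (verdict == "INVESTIGATE") bad = 1
        printf "%s %s %s\n", port, $7, verdict
    }
    END { exit bad }'
}

# Constructed sample of `netstat -ltnp` output (not from a real machine):
# portsentry on two bindshell ports, a Postfix master on 465/tcp, which is
# also in the list, and an IPv6 listener whose owner netstat could not see.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      1403/portsentry
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1403/portsentry
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      999/master
tcp6       0      0 :::12321                :::*                    LISTEN      -
EOF
}

case "${1:-}" in
    --demo) sample_netstat | bindshell_triage ;;
    --live) netstat -ltnp | bindshell_triage ;;   # run as root for PID/Program name
esac
```

With the sample input, `--demo` reports 1524 and 31337 as expected portsentry listeners but flags 465 (master) and 12321 (owner unknown) for investigation and exits 1; setting `ALLOWED_PROGS="portsentry master"` clears the mail server but still leaves the unattributed IPv6 socket flagged, which is the right default when netstat could not name the owner.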

------- Comment #4 From Susie Edgeworth 2004-09-28 23:47:03 0000 -------
Oops, just looked down and saw your other comment.  I have been having some weirdness with fetchyahoo since that upgrade (no biggie really, but just going through a pile of stuff in that inbox now) and replied to the other post before it via the email link.

Thanks for the new additions to the files.  I went on a security hunt on my system before finding out it was a false positive.  Nothing like flu-induced brain fog and a security false positive at the same time. :P
