Bug 65635 - chkrootkit gives false positive
Summary: chkrootkit gives false positive
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Aaron Walker (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:

Reported: 2004-09-27 22:44 UTC by Susie Edgeworth
Modified: 2004-09-28 23:47 UTC

See Also:
Package list:
Runtime testing required: ---
Description Susie Edgeworth 2004-09-27 22:44:22 UTC
chkrootkit gives a false positive if running portsentry for ports

aka it gives the below:

Checking `bindshell'... INFECTED (PORTS:  1524 31337)

Stopping portsentry removes that error.  But I suggest the ebuild have a warning added so that people running portsentry are aware of this.  It also gives an error for sniffer if people run dhcpd.

Reproducible: Always
Steps to Reproduce:
Comment 1 Daniel Black (RETIRED) gentoo-dev 2004-09-28 02:07:42 UTC
Is there a way of configuring chkrootkit to ignore scanning those ports?
Comment 2 Aaron Walker (RETIRED) gentoo-dev 2004-09-28 09:05:26 UTC
This is actually a chkrootkit FAQ[1].  I've added some einfo's that display a warning and point to the chkrootkit FAQ, as well as a few other minor ebuild changes (good timing on this bug report, as I was about to commit them when I saw your bug ;p).

[1] http://www.chkrootkit.org/
Comment 3 Susie Edgeworth 2004-09-28 23:43:09 UTC
http://www.chkrootkit.org/ scrolling down there I see:

7. I'm running PortSentry/klaxon. What's wrong with the bindshell test? 

If you're running PortSentry/klaxon or another program that binds itself to unused ports probably chkrootkit will give you a false positive on the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp, 1999/tcp, 3879/tcp, 4369/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp, 27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp, 47889/tcp, 60001/tcp).


Unfortunately it doesn't give any solutions.  A lot of people might be startled as I was to see that false positive and not realize it was false.  Luckily someone else pointed it out to me, but obviously that's quite a port range it can give false positives for.  Which is why I suggest just adding the ewarn flag or something to the ebuild.  Then it will beep and put text in yellow warning people that run portsentry.
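The FAQ explains the mechanism: the bindshell test only checks whether anything is listening on those ports, so any legitimate listener (portsentry, klaxon) trips it. An added triage helper, not part of this bug, chkrootkit or portsentry, parses the flagged line and maps each port to the owning process via /proc, which is the check that separates a known port-sentry daemon from an unexpected listener. All sample data below is constructed.

```python
import glob
import os
import re

# Constructed sample data, not captured from a real system: the chkrootkit line quoted in this
# bug, plus a /proc/net/tcp excerpt with listeners on 1524 (hex 05F4) and 31337 (hex 7A69).
SAMPLE_REPORT = "Checking `bindshell'... INFECTED (PORTS:  1524 31337)"
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4101 1 0 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4102 1 0 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 4200 1 0 100 0 0 10 0
"""
SAMPLE_OWNERS = {"4101": "portsentry (pid 812)", "4102": "portsentry (pid 812)"}  # constructed


def parse_bindshell_report(line):
    """Ports from an 'INFECTED (PORTS: ...)' bindshell line; empty set if not infected."""
    m = re.search(r"INFECTED \(PORTS:\s*([\d\s]+)\)", line)
    return {int(p) for p in m.group(1).split()} if m else set()


def listening_ports(proc_net_tcp_text):
    """{local_port: socket inode} for sockets in LISTEN state (st == 0A) from /proc/net/tcp text."""
    listen = {}
    for row in proc_net_tcp_text.splitlines()[1:]:  # first row is the column header
        fields = row.split()
        if len(fields) >= 10 and fields[3] == "0A":
            listen[int(fields[1].split(":")[1], 16)] = fields[9]
    return listen


def socket_owners():
    """Map socket inode -> 'comm (pid N)' from /proc/<pid>/fd links (run as root to see every process)."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
            if target.startswith("socket:["):
                pid = fd.split("/")[2]
                with open(f"/proc/{pid}/comm") as f:
                    owners[target[8:-1]] = f"{f.read().strip()} (pid {pid})"
        except OSError:
            continue  # process exited, or its fd table is not readable by this user
    return owners


def triage(report_line, proc_net_tcp_text, owners):
    """For each flagged port: the owning process, 'unknown owner', or 'not listening'."""
    listen = listening_ports(proc_net_tcp_text)
    return {port: (owners.get(listen[port], "unknown owner") if port in listen else "not listening")
            for port in sorted(parse_bindshell_report(report_line))}
```

On a live box, `triage(line, open("/proc/net/tcp").read(), socket_owners())` gives the per-port verdict; a flagged port that is listening with an unknown owner (or one not held by the port-sentry daemon you expect) is the case that still deserves a look.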
Comment 4 Susie Edgeworth 2004-09-28 23:47:03 UTC
Oops, I just looked down and saw your other comment.  I have been having some weirdness with fetchyahoo since that upgrade (no biggie really, but I'm just going through a pile of stuff in that inbox now), and replied to the other post before it via the email link.

Thanks for the new additions to the files.  I went on a security hunt on my system before finding out it was a false positive.  Nothing like flu-induced brain fog and a security false positive at the same time. :P