Checking for root kit… Dealing with false positives

As one of my Ubuntu root servers was rebooted today without my interaction I checked all of them for root kits with both rkhunter and chkrootkit.

I started with the installation of rkhunter and chkrootkit with apt-get on the command prompt:

seiler@server:/# sudo apt-get install chkrootkit rkhunter

After that, I ran an update to the rkhunter database,

seiler@server:/# sudo rkhunter --propupd --update

followed by invoking the deep system scan with rkhunter:

seiler@server:/# sudo rkhunter -c

Everything seemed fine, as the following output states:

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                               
[ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables                        [ None found ]
    Checking for preloaded libraries                         [ None found ]
    Checking LD_LIBRARY_PATH variable                        [ Not found ]

  Performing file properties checks

[...]

[Press <ENTER> to continue]



System checks summary
=====================

File properties checks...
    Files checked: 139
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 246
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 5 minutes and 33 seconds

All results have been written to the log file (/var/log/rkhunter.log)

So next, I started chkrootkit to get a second scan result:

seiler@server:/# sudo chkrootkit

The output seemed okay, until I recognized the following possible infection in bindshell:

Checking `bindshell'...          INFECTED (PORTS:  465)

So I tried to get more information about this mysterious process running on port 465:

seiler@server:/# sudo fuser -vn tcp 465
                     BEN.        PID ZUGR.  BEFEHL
465/tcp:             root        961 F.... master

The process „master“ doesn´t meant anything to me in the first stage, to I searched in my services:

seiler@server:/# sudo grep 465 /etc/services
ssmtp           465/tcp         smtps           # SMTP over SSL

So in fact, it should be the SMTP server running.

seiler@server:/# sudo netstat -antup
tcp6       0      0 :::465                  :::*                    LISTEN      961/master

Netstat is also telling me, that a process „master“ is listening with the PID 961 on that port.

seiler@server:/# sudo lsof -i :465
COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  961 root  116u  IPv4 154909      0t0  TCP *:ssmtp (LISTEN)
master  961 root  117u  IPv6 154910      0t0  TCP *:ssmtp (LISTEN)

The process was started as user „root“ and is listening both for IPv4 an IPv6.

seiler@server:/# sudo ps -F -p 961
UID        PID  PPID  C    SZ   RSS PSR STIME TTY          TIME CMD
root       961     1  0  1133  1428   0 14:53 ?        00:00:00 /usr/lib/postfix/master

And the details to process 961 told me, it is just the postfix master server running there.

So nothing to be curious about.

So be alerted, but not nervous or afraid when a root kit hunter is reporting a supposed malicious process during the check.
It might just be a false positive…

I will nevertheless from now on run these two checks every night through cron.