[ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
[Press <ENTER> to continue]
System checks summary
File properties checks...
Files checked: 139
Suspect files: 0
Rootkits checked : 246
Possible rootkits: 0
All checks skipped
The system checks took: 5 minutes and 33 seconds
All results have been written to the log file (/var/log/rkhunter.log)
So next, I started chkrootkit to get a second scan result:
seiler@server:/# sudo chkrootkit
The output seemed okay, until I recognized the following possible infection in the bindshell check:
Checking `bindshell'... INFECTED (PORTS: 465)
So I tried to get more information about this mysterious process running on port 465:
seiler@server:/# sudo fuser -vn tcp 465
BEN. PID ZUGR. BEFEHL
465/tcp: root 961 F.... master
The process „master“ didn't mean anything to me at first, so I searched in my services:
seiler@server:/# sudo grep 465 /etc/services
ssmtp 465/tcp smtps # SMTP over SSL
So in fact, it should be the SMTP server running.
seiler@server:/# sudo netstat -antup
tcp6 0 0 :::465 :::* LISTEN 961/master
Netstat is also telling me, that a process „master“ is listening with the PID 961 on that port.
seiler@server:/# sudo lsof -i :465
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 961 root 116u IPv4 154909 0t0 TCP *:ssmtp (LISTEN)
master 961 root 117u IPv6 154910 0t0 TCP *:ssmtp (LISTEN)
The process was started as user „root“ and is listening on both IPv4 and IPv6.
seiler@server:/# sudo ps -F -p 961
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 961 1 0 1133 1428 0 14:53 ? 00:00:00 /usr/lib/postfix/master
And the details of process 961 told me it is just the Postfix master server running there.
So nothing to be curious about.
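The manual steps above (service lookup, listener PID, owning user, binary path) can be chained into one small triage script. This is an added example, not code from the original post; it assumes a Linux host with /proc mounted and the iproute2 `ss` tool available.

```shell
#!/bin/sh
# Added triage helper (not from the original post): automates the checks done
# by hand above for a port flagged by chkrootkit's bindshell test.
# Assumes Linux with /proc and iproute2's "ss".

# Map PORT/tcp to its registered service name (default file: /etc/services).
# Prints the first matching name, or "unknown" if the port is unregistered.
port_to_service() {
    port="$1"
    services_file="${2:-/etc/services}"
    name=$(awk -v p="$port/tcp" '$1 !~ /^#/ && $2 == p { print $1; exit }' "$services_file")
    printf '%s\n' "${name:-unknown}"
}

# Resolve a PID to the binary it runs, via the /proc/PID/exe symlink.
# A binary removed after start shows as "... (deleted)"; a vanished PID as "unknown".
pid_to_exe() {
    readlink "/proc/$1/exe" 2>/dev/null || printf 'unknown\n'
}

# Extract the PID(s) listening on PORT/tcp from "ss -ltnp" output.
port_to_pids() {
    ss -ltnpH "sport = :$1" 2>/dev/null | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -u
}

# Full triage: registered service name, then user/PID/binary for each listener.
# Returns 1 when nothing is listening on the port.
triage_port() {
    port="$1"
    printf 'port %s/tcp: service=%s\n' "$port" "$(port_to_service "$port")"
    pids=$(port_to_pids "$port")
    if [ -z "$pids" ]; then
        printf '  no process listening\n'
        return 1
    fi
    for pid in $pids; do
        user=$(ps -o user= -p "$pid" 2>/dev/null)
        printf '  pid=%s user=%s exe=%s\n' "$pid" "$user" "$(pid_to_exe "$pid")"
    done
}

# Run with the port to inspect, e.g. "sh triage.sh 465" for the case in the post.
if [ -n "${1:-}" ]; then
    triage_port "$1"
fi
```

For the post's case the expected line is a root-owned PID whose exe resolves to /usr/lib/postfix/master; an exe under /tmp, /dev/shm or marked "(deleted)" is what would justify digging further.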
So be alert, but not nervous or afraid, when a rootkit hunter reports a supposedly malicious process during its check.
It might just be a false positive…
I will nevertheless run these two checks every night through cron from now on.