As one of my Ubuntu root servers was rebooted today without my interaction I checked all of them for root kits with both rkhunter and chkrootkit.
I started with the installation of rkhunter and chkrootkit with apt-get on the command prompt:
seiler@server:/# sudo apt-get install chkrootkit rkhunter
After that, I ran an update to the rkhunter database,
seiler@server:/# sudo rkhunter --propupd --update
followed by invoking the deep system scan with rkhunter:
seiler@server:/# sudo rkhunter -c
Everything seemed fine, as the following output states:
Checking system commands...
Performing 'strings' command checks
Checking 'strings' command
[ OK ]
Performing 'shared libraries' checks
Checking for preloading variables [ None found ]
Checking for preloaded libraries [ None found ]
Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks
[...]
[Press <ENTER> to continue]
System checks summary
=====================
File properties checks...
Files checked: 139
Suspect files: 0
Rootkit checks...
Rootkits checked : 246
Possible rootkits: 0
Applications checks...
All checks skipped
The system checks took: 5 minutes and 33 seconds
All results have been written to the log file (/var/log/rkhunter.log)
So next, I started chkrootkit to get a second scan result:
seiler@server:/# sudo chkrootkit
The output seemed okay, until I recognized the following possible infection in bindshell:
Checking `bindshell'... INFECTED (PORTS: 465)
So I tried to get more information about this mysterious process running on port 465:
seiler@server:/# sudo fuser -vn tcp 465
BEN. PID ZUGR. BEFEHL
465/tcp: root 961 F.... master
The process „master“ doesn´t meant anything to me in the first stage, to I searched in my services:
seiler@server:/# sudo grep 465 /etc/services
ssmtp 465/tcp smtps # SMTP over SSL
So in fact, it should be the SMTP server running.
seiler@server:/# sudo netstat -antup
tcp6 0 0 :::465 :::* LISTEN 961/master
Netstat is also telling me, that a process „master“ is listening with the PID 961 on that port.
seiler@server:/# sudo lsof -i :465
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 961 root 116u IPv4 154909 0t0 TCP *:ssmtp (LISTEN)
master 961 root 117u IPv6 154910 0t0 TCP *:ssmtp (LISTEN)
The process was started as user „root“ and is listening both for IPv4 an IPv6.
seiler@server:/# sudo ps -F -p 961
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 961 1 0 1133 1428 0 14:53 ? 00:00:00 /usr/lib/postfix/master
And the details to process 961 told me, it is just the postfix master server running there.
So nothing to be curious about.
So be alerted, but not nervous or afraid when a root kit hunter is reporting a supposed malicious process during the check.
It might just be a false positive…
I will nevertheless from now on run these two checks every night through cron.
[…] starting to investigate that problem I came up, that there is no root kit installed on my server, but the mail server load was distinctly above […]