Checking for rootkits… Dealing with false positives

As one of my Ubuntu root servers was rebooted today without my interaction, I checked all of them for rootkits with both rkhunter and chkrootkit.

I started with the installation of rkhunter and chkrootkit with apt-get on the command prompt:

After that, I ran an update to the rkhunter database,

followed by invoking the deep system scan with rkhunter:

Everything seemed fine, as the following output states:

So next, I started chkrootkit to get a second scan result:

The output seemed okay, until I noticed the following possible infection reported by the bindshell check:

So I tried to get more information about this mysterious process running on port 465:

The process "master" didn't mean anything to me at first, so I searched my services list:

So in fact, it should be the SMTP server running.

Netstat also tells me that a process "master" with PID 961 is listening on that port.

The process was started as user "root" and is listening on both IPv4 and IPv6.

And the details of process 961 told me it is just the Postfix master process running there.

So nothing to be curious about.
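The triage walked through above (chkrootkit warning, services lookup, netstat, ps) as a small POSIX shell script. This is an added example and not the post's own commands; on a live host the three inputs would come from chkrootkit, /etc/services and `netstat -tulpen` (or `ss -tlnpe`) plus `ps -eo pid,user,args`, whereas here they are constructed sample text that mirrors the post's finding (port 465, PID 961, "master"). The function names are my own.

```shell
#!/bin/sh
# Added example: trace a chkrootkit "bindshell" warning from the flagged port to
# the registered service name, the listening PID and the owning process.
# All inputs below are constructed samples in the format of the real tools.

# Constructed sample: the line chkrootkit prints for its bindshell check.
CHKROOTKIT_LINE="Checking \`bindshell'... INFECTED (PORTS:  465)"

# Constructed sample: excerpt in /etc/services format (name port/proto aliases # comment).
SERVICES_SAMPLE="smtp            25/tcp          mail
urd             465/tcp         ssmtp smtps     # URL Rendezvous Directory for SSM
imaps           993/tcp"

# Constructed sample: excerpt in 'netstat -tulpen' format (PID/Program name is the last field).
NETSTAT_SAMPLE="tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      0          12001      961/master
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN      0          12003      961/master
tcp6       0      0 :::465                  :::*                    LISTEN      0          12004      961/master"

# Constructed sample: excerpt in 'ps -eo pid,user,args' format.
PS_SAMPLE="  961 root     /usr/lib/postfix/master
 1203 postfix  qmgr -l -t unix -u"

# Ports chkrootkit flagged, one per line; chkrootkit lists several separated by spaces.
# Prints nothing when the line does not report an infection.
bindshell_ports() {  # $1 = chkrootkit output line
    printf '%s\n' "$1" \
        | sed -n 's/.*INFECTED (PORTS: *\([0-9 ]*\)).*/\1/p' \
        | tr -s ' ' '\n' | sed '/^$/d'
}

# Registered service name plus aliases for a TCP port, trailing comment dropped.
service_for_port() {  # $1 = port, $2 = text in /etc/services format
    printf '%s\n' "$2" | awk -v p="$1/tcp" '
        $2 == p {
            out = $1
            for (i = 3; i <= NF && substr($i, 1, 1) != "#"; i++) out = out " " $i
            print out; exit
        }'
}

# PID/program pairs listening on a port, IPv4 and IPv6 sockets merged.
# The port is taken after the last colon so ":::465" and "0.0.0.0:465" both match
# and port 65 is not mistaken for a suffix of 465.
listeners_on_port() {  # $1 = port, $2 = netstat text
    printf '%s\n' "$2" | awk -v port="$1" '
        $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == port) print $NF }' | sort -u
}

# Owning user and full command line for a PID, as "user: command".
process_details() {  # $1 = pid, $2 = ps text
    printf '%s\n' "$2" | awk -v pid="$1" '
        $1 == pid { user = $2; $1 = ""; $2 = ""; sub(/^ +/, ""); print user ": " $0; exit }'
}

# One human-readable finding per listener on the flagged port.
triage_port() {  # $1 = port
    svc=$(service_for_port "$1" "$SERVICES_SAMPLE")
    for l in $(listeners_on_port "$1" "$NETSTAT_SAMPLE"); do
        pid=${l%%/*}
        prog=${l#*/}
        printf 'port %s (%s): pid %s "%s" -> %s\n' "$1" "${svc:-unregistered}" \
            "$pid" "$prog" "$(process_details "$pid" "$PS_SAMPLE")"
    done
}

for port in $(bindshell_ports "$CHKROOTKIT_LINE"); do
    triage_port "$port"
done
```

The script prints `port 465 (urd ssmtp smtps): pid 961 "master" -> root: /usr/lib/postfix/master`, which is the same conclusion the post reached by hand. Note that ps and netstat are only as trustworthy as the host they run on; a check that does not rely on them is to verify the binary against its package, for example with `dpkg -V postfix` or `debsums postfix`.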

So be alert, but not nervous or afraid, when a rootkit hunter reports a supposedly malicious process during a check.
It might just be a false positive…

I will nevertheless from now on run these two checks every night through cron.
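One way to schedule the two nightly checks, as an added example rather than the post's own configuration. The file name `/etc/cron.d/rootkit-scan` and the run times are assumptions; the binary paths are the Debian/Ubuntu package locations.

```crontab
# Added example, assumed file: /etc/cron.d/rootkit-scan
# Output (only warnings) is mailed by cron to MAILTO.
MAILTO=root
# rkhunter: refresh its data files, then run non-interactively
# (--cronjob implies --check, --skip-keypress and --nocolors) and report warnings only.
15 3 * * * root /usr/bin/rkhunter --update --nocolors >/dev/null; /usr/bin/rkhunter --cronjob --report-warnings-only
# chkrootkit in quiet mode prints only findings, so an empty mail means a clean run.
30 3 * * * root /usr/sbin/chkrootkit -q
```

Two caveats for keeping the nightly mail free of the kind of false positive the post describes: run `rkhunter --propupd` after legitimate package upgrades so changed file properties are not reported as tampering, and note that on Debian/Ubuntu both packages already ship `/etc/cron.daily` scripts that are switched on through `/etc/default/rkhunter` and `/etc/chkrootkit.conf`, which can be used instead of a separate crontab entry.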

By | 2017-01-29T10:32:32+00:00 July 15th, 2014 | DevOps - Server and Technologies and virtualization | 0 Comments
