Bindshell infected on port 465

Submitted by rubenzsolt on Thu, 06/07/2012 - 04:11

hello, this is a base system and if i run the first time the chkrootkit I receive this error mesage, NEW: INFECTED (PORTS: 465)

netstat -an|grep 465 tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN unix 3 [ ] STREAM CONNECTED 88465

lsof -P -n -i | grep 465 master 31859 root 16u IPv4 88461 0t0 TCP *:465 (LISTEN)

netstat -apn | grep 465 tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 31859/master unix 3 [ ] STREAM CONNECTED 88465 31859/master

Status: 
Active

Comments

Submitted by JamieCameron on Thu, 06/07/2012 - 05:34

So was this system a fresh Debian 6 install from CD, or was it created using Cloudmin?

It looks like port 465 is being used for Postfix ..

Submitted by rubenzsolt on Thu, 06/07/2012 - 05:49

it is an fresh Debian 6 install fron cd and install virtualmin fron script, when i stop postfix not detect the WARN

Submitted by JamieCameron on Thu, 06/07/2012 - 06:08

So I think this warning about port 465 is a false positive. Which rootkit checker are you running?

Submitted by rubenzsolt on Thu, 06/07/2012 - 06:10

chkrootkit, it is interesant I have another srever it is configured with ispconfig and ther not detect this warning message.

Submitted by rubenzsolt on Thu, 06/07/2012 - 07:35

ok, I checked previous in google this message and I see but on another system not appair this warning, is not posible on virtualmin this process run root, and on another systen run postfix? sorry for my english.

Submitted by andreychek on Thu, 06/07/2012 - 08:57

It's normal for the Postfix process known as "master" to run as root.

That is the case on the three systems I just checked, Debian, Ubuntu, and CentOS -- the "master" process runs as root on each of them.

However, the Postfix children processes do indeed run as the "postfix" user.