Bindshell infected on port 465

Hello, this is a base system, and when I run chkrootkit for the first time I receive this error message: NEW: INFECTED (PORTS: 465)

netstat -an|grep 465
tcp 0 0* LISTEN
unix 3 [ ] STREAM CONNECTED 88465

lsof -P -n -i | grep 465
master 31859 root 16u IPv4 88461 0t0 TCP *:465 (LISTEN)

netstat -apn | grep 465
tcp 0 0* LISTEN 31859/master
unix 3 [ ] STREAM CONNECTED 88465 31859/master



So was this system a fresh Debian 6 install from CD, or was it created using Cloudmin?

It looks like port 465 is being used for Postfix.

It is a fresh Debian 6 install from CD, with Virtualmin installed from the script. When I stop Postfix, the warning is not detected.

So I think this warning about port 465 is a false positive. Which rootkit checker are you running?

chkrootkit. It is interesting: I have another server configured with ISPConfig, and there it does not detect this warning message.

OK, I previously checked this message on Google and I see, but on another system this warning does not appear. Is it not possible that on Virtualmin this process runs as root, and on the other system it runs as postfix? Sorry for my English.

It's normal for the Postfix process known as "master" to run as root.

That is the case on the three systems I just checked, Debian, Ubuntu, and CentOS -- the "master" process runs as root on each of them.

However, the Postfix child processes do indeed run as the "postfix" user.
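
The triage done by hand in this thread, as an added example that is not part of the original posts: it reads `lsof -P -n -i` output, finds the process that owns the listener on the flagged port, and compares it with an allowlist. The function name `triage_port`, the `EXPECTED` allowlist and the second sample line are assumptions made for illustration. The port is matched exactly, so the socket inode 88465 that the plain `grep 465` above also picked up is ignored.

```shell
#!/bin/sh
# Added example: triage a port flagged by chkrootkit's bindshell test by
# identifying which process actually holds the listening socket.

# Constructed sample: the lsof line posted in the thread plus one made-up line.
SAMPLE='master 31859 root 16u IPv4 88461 0t0 TCP *:465 (LISTEN)
sshd 1201 root 3u IPv4 7001 0t0 TCP *:22 (LISTEN)'

# Assumed allowlist of "port:command" pairs expected on this host.
EXPECTED='465:master 25:master 22:sshd'

# triage_port PORT   (reads `lsof -P -n -i` output on stdin)
# Prints "expected <cmd> <pid> <user>", "unexpected <cmd> <pid> <user>" or "none".
# Returns 0 only when the listener belongs to an allowlisted command.
triage_port() {
    port=$1
    # Only LISTEN sockets, and the port must be the whole final component of
    # the NAME column, so 465 does not match 8465 or an inode number.
    owner=$(awk -v p="$port" '
        $NF == "(LISTEN)" && $(NF-1) ~ (":" p "$") { print $1, $2, $3; exit }')
    if [ -z "$owner" ]; then
        echo "none"
        return 2
    fi
    cmd=${owner%% *}
    for pair in $EXPECTED; do
        if [ "$pair" = "$port:$cmd" ]; then
            echo "expected $owner"
            return 0
        fi
    done
    echo "unexpected $owner"
    return 1
}

# Offline run against the sample; on a live host use:
#   lsof -P -n -i | triage_port 465
printf '%s\n' "$SAMPLE" | triage_port 465
```

An "unexpected" or "none" result for a port chkrootkit flagged is the case that needs further investigation; "expected" corresponds to the Postfix false positive discussed here.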