
10 Feb 2008 chkrootkit: false positive on port 465

On my Debian Etch server I have the Zimbra Open Source Edition mail solution installed, and when I use chkrootkit to scan for rootkits it reports the following:

Checking `bindshell'... INFECTED (PORTS:  465)

After some quick research I realized that port 465 is SMTP over SSL on a Zimbra installation.
Further investigation reveals which process has port 465 open:

# fuser -vn tcp 465

                     USER        PID ACCESS COMMAND
465/tcp:             root      19053 F.... master

Then I checked PID 19053:

# ps aux|grep 19053
root     19053  0.0  0.2   6628  1236 ?        Ss   Feb09   0:00 /opt/zimbra/postfix-2.4.3.4z/libexec/master

This tells me that the Postfix master daemon is listening on port 465, so chkrootkit is giving me a false positive.
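A small triage script for exactly this situation, added here and not part of the original post: it pulls the port numbers out of the chkrootkit bindshell line, maps each port to the owning PID from the same kind of `fuser -vn tcp PORT` output shown above, and compares the listening binary against an allowlist of services you expect on that port. The allowlist, the Zimbra paths in it and the function names are constructed assumptions, not anything from chkrootkit or Zimbra.

```shell
#!/bin/sh
# Triage a chkrootkit "bindshell" hit: which process owns each reported port,
# and is its binary one we expect there? Allowlist is a constructed example
# for a Zimbra host; adjust it to the services you actually run.
EXPECTED_LISTENERS='465 /opt/zimbra/postfix-*/libexec/master
25 /opt/zimbra/postfix-*/libexec/master'

# Extract port numbers from a line like
#   Checking `bindshell'... INFECTED (PORTS:  465)
# Prints one port per line; prints nothing for a clean line.
bindshell_ports() {
    printf '%s\n' "$1" \
      | sed -n 's/.*INFECTED (PORTS:[[:space:]]*\([0-9 ]*\)).*/\1/p' \
      | tr ' ' '\n' | sed '/^$/d'
}

# Pull the PID out of `fuser -vn tcp PORT` output passed in as text, e.g.
#   465/tcp:             root      19053 F.... master
listener_pid() {
    port=$1; text=$2
    printf '%s\n' "$text" | awk -v p="$port/tcp:" '$1 == p { print $3; exit }'
}

# 0 if EXE matches the allowlisted pattern for PORT, 1 otherwise
# (no allowlist entry for the port also counts as unexpected).
is_expected_listener() {
    port=$1; exe=$2
    pattern=$(printf '%s\n' "$EXPECTED_LISTENERS" \
                | awk -v p="$port" '$1 == p { print $2; exit }')
    [ -n "$pattern" ] || return 1
    case $exe in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Live driver for Linux (needs fuser and /proc); run as root after chkrootkit.
# fuser -v prints its table on stderr, hence the 2>&1.
triage_bindshell_line() {
    for port in $(bindshell_ports "$1"); do
        pid=$(listener_pid "$port" "$(fuser -vn tcp "$port" 2>&1)")
        exe=$(readlink -f "/proc/$pid/exe" 2>/dev/null)
        if is_expected_listener "$port" "$exe"; then
            echo "port $port: pid $pid $exe (expected listener, likely false positive)"
        else
            echo "port $port: pid ${pid:-?} ${exe:-unknown} (not allowlisted, investigate)"
        fi
    done
}
```

Reading `/proc/PID/exe` instead of the `ps` command line tells you which file is really executing, which also catches a listener whose binary has since been deleted or replaced.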
