I run the Tiger Automatic Auditor on my Debian Linux system, and recently got emailed the following:

# Running chkrootkit (/usr/sbin/chkrootkit) to perform further checks...
OLD: --ALERT-- [rootkit005a] Chkrootkit has found a file which seems to be infected because of a rootkit
OLD: --ALERT-- [rootkit009a] A rootkit seems to be installed in the system
OLD: INFECTED (PORTS: 600)

I immediately ran chkrootkit manually, and didn't see any warnings or unusual results. How can I tell whether this was a false positive?

jrdioko

2 Answers

I checked, and nothing was running on port 600 later on. Poking around more, it sounds like this is a false positive due to randomly chosen ports for rpc.statd.

jrdioko

The first thing I would do is see what is running on port 600.

netstat --all --numeric-ports --program |grep 600

Assuming there is something, google to see if anyone else has reported false positives or had any issues with the software. If not, start checking your other logs to see if there is any evidence of intrusion.

Zeroedout
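A scripted version of the check the two answers describe, added here as an example; it is not code from the question or from either answer. It takes the output of `ss -Hlntup` (iproute2) and `rpcinfo -p` (rpcbind) as text, reports which process owns the flagged port, and checks whether rpcbind has registered an RPC service there, which is what an rpc.statd listener on a random port looks like. The function names are mine, and the sample `ss` and `rpcinfo` output is constructed so the script runs offline; unlike `grep 600`, it matches the port exactly rather than also hitting 6000 or 16000.

```shell
#!/bin/sh
# Added example (not from the question or either answer): find out who owns
# the port chkrootkit flagged and whether rpcbind has an RPC service
# registered on it (rpc.statd registers as "status").
# Works on text so it can run against the constructed samples below; pass
# --live to query the real system (run as root so ss shows process names).

# Constructed sample of `ss -Hlntup` output (not a capture from a real host).
SAMPLE_SS='udp   UNCONN 0      0        0.0.0.0:600        0.0.0.0:*    users:(("rpc.statd",pid=1234,fd=5))
tcp   LISTEN 0      128      0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128      0.0.0.0:111        0.0.0.0:*    users:(("rpcbind",pid=700,fd=4))'

# Constructed sample of `rpcinfo -p` output.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   udp    600  status'

# owner_of_port PORT SS_OUTPUT
# Prints "proto program pid" for every socket bound to exactly PORT.
owner_of_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            n = split($5, a, ":")        # field 5 is local addr:port; port is the last part
            if (a[n] != p) next
            prog = $0; sub(/.*users:\(\("/, "", prog); sub(/".*/, "", prog)
            pid  = $0; sub(/.*pid=/, "", pid);         sub(/,.*/, "", pid)
            print $1, prog, pid
        }'
}

# rpc_service_on_port PORT RPCINFO_OUTPUT
# Prints the RPC service name(s) rpcbind has registered on PORT, if any.
rpc_service_on_port() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p { print $5 }'
}

# assess_port PORT SS_OUTPUT RPCINFO_OUTPUT
# Prints one of: no-listener, rpc-registered:<service>, investigate
assess_port() {
    owner=$(owner_of_port "$1" "$2")
    if [ -z "$owner" ]; then
        echo "no-listener"
        return 0
    fi
    prog=$(printf '%s\n' "$owner" | awk '{ print $2 }' | sort -u)
    svc=$(rpc_service_on_port "$1" "$3" | sort -u)
    # rpc.statd on a port that rpcbind lists as "status" is the false-positive
    # case the first answer found; anything else deserves a closer look.
    if [ "$prog" = "rpc.statd" ] && [ "$svc" = "status" ]; then
        echo "rpc-registered:$svc"
    else
        echo "investigate"
    fi
}

# Usage: ./check_port.sh --live 600   (live query; needs ss and rpcinfo)
#        ./check_port.sh              (runs against the constructed samples)
if [ "${1:-}" = "--live" ]; then
    assess_port "${2:-600}" "$(ss -Hlntup 2>/dev/null)" "$(rpcinfo -p 2>/dev/null)"
else
    printf 'port 600 on sample data: %s\n' "$(assess_port 600 "$SAMPLE_SS" "$SAMPLE_RPCINFO")"
fi
```

If the live run prints `no-listener`, the port was only in use when Tiger ran, which is consistent with the first answer's observation and with a service that picks a random port at start-up; `investigate` means a process other than rpc.statd owns the port, or nothing is registered for it with rpcbind, and the second answer's advice to go through the other logs applies.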