Web lists-archives.com

Re: [rkhunter] coyote.coyote.den - Daily report

On 28.11.2017 07:45, Gene Heskett wrote:
On Monday 27 November 2017 17:39:45 Brian wrote:

On Mon 27 Nov 2017 at 16:56:15 -0500, Gene Heskett wrote:
On Monday 27 November 2017 15:57:34 Brian wrote:
On Mon 27 Nov 2017 at 15:46:55 -0500, Gene Heskett wrote:
On Monday 27 November 2017 14:35:17 root wrote:

Installed new firefox-esr yesterday, from the wheezy repos.
Today, rkhunter has a cow:
[rkhunter nonsense snipped]

I'd ignore it. Better still, purge rkhunter from the system. It is
renowned for giving false positives. There is no well-substantiated
account of it ever discovering anything of consequence.
Thats another possibility, I get tired of its mewling about stuff thats 
normal here. I use amanda, so yes, xinetd is in use, and other similar 
crap. I am amazed it doesn't fuss about ~/gene/bin/mailwatcher, which is 
my coupling between fetchmail and kmail.

Cheers, Gene Heskett
IMHO "ignore it and purge" is a terrible advice for anything. It is better to understand the logic behind those triggers, even if they are indeed false positive in this case.
"rkhunter" has panicked and rightfully so because it found a working process with suspicious ports in listening state. As it explained these ports were known for usage by malware, ex. 6667 could be used for IRC-bot which is used for remote control of the malware.
The name of process was "portsentry" and as stated in its package description is used for portscan detection, so it must have opened ports to "see" if there any portscans of known ports going.
Did you installed "portsentry", or should you trust "portsentry" to open ports like this, are another questions.

I don't use "rkhunter", but there is probably some mechanism to whitelist, so it won't trigger on the same things (xinetd) every time.

With kindest regards, Alexander.

⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org