[vserver] rkhunter Warns: Hidden ports found:

From: Bendtsen, Jon <Jon.Bendtsen_at_laerdal.dk>
Date: Thu 24 Oct 2013 - 10:05:10 BST
Message-ID: <728B3413-A4C6-450F-802A-026F62697495@laerdal.dk>

Hi

After upgrading from Debian Squeeze to Debian Wheezy, but still running Debian Squeeze kernels:
Linux dkVserver 2.6.32-5-vserver-amd64 #1 SMP Mon Sep 23 23:03:09 UTC 2013 x86_64 GNU/Linux
ii util-vserver 0.30.216-pre2864 amd64 user-space tools for Linux-VServer virtual private s

rkhunter now warns about hidden ports.

Warning: Hidden ports found:
         Port number: TCP:139
         Port number: TCP:2401
         Port number: TCP:25
         Port number: TCP:3306
         Port number: TCP:35619
         Port number: TCP:3690
         Port number: TCP:39820
         Port number: TCP:40469
         Port number: TCP:41162

But netstat shows nothing:
root@dkVserver:/tmp# netstat -a -p -n
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:1040 0.0.0.0:* LISTEN 3308/inetd
tcp 0 0 192.168.123.219:22 0.0.0.0:* LISTEN 11307/sshd
tcp 0 0 192.168.123.220:22 0.0.0.0:* LISTEN 11307/sshd
tcp 0 0 192.168.123.219:22 192.168.124.17:63462 ESTABLISHED 7780/sshd: jonbendt
tcp 0 0 192.168.123.219:22 192.168.124.17:63936 ESTABLISHED 31612/sshd: jonbend
tcp 0 0 192.168.123.220:40255 192.168.123.9:3493 ESTABLISHED 3480/upsmon
tcp 0 103300 192.168.123.219:22 192.168.123.249:38231 ESTABLISHED 13710/sshd: root@no
tcp 0 0 192.168.123.220:40254 192.168.123.9:3493 ESTABLISHED 3480/upsmon
udp 0 0 192.168.123.225:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.3:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.218:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.220:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.232:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.245:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.239:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.248:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.241:123 0.0.0.0:* 3383/ntpd
udp 0 0 192.168.123.219:123 0.0.0.0:* 3383/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 3383/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 3383/ntpd
udp6 0 0 fe80::230:48ff:febe:123 :::* 3383/ntpd
udp6 0 0 fe80::230:48ff:febe:123 :::* 3383/ntpd
udp6 0 0 ::1:123 :::* 3383/ntpd
udp6 0 0 :::123 :::* 3383/ntpd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 11 [ ] DGRAM 9647 3148/rsyslogd /dev/log
unix 2 [ ACC ] SEQPACKET LISTENING 4546 941/udevd /run/udev/control
unix 2 [ ] DGRAM 16744189 7016/sudo
unix 2 [ ] DGRAM 16744186 7016/sudo
unix 3 [ ] STREAM CONNECTED 16736746 31612/sshd: jonbend
unix 3 [ ] STREAM CONNECTED 16736745 31871/0
unix 2 [ ] DGRAM 16736744 31612/sshd: jonbend
unix 2 [ ] DGRAM 16084282 7875/sudo
unix 2 [ ] DGRAM 16084279 7875/sudo
unix 3 [ ] STREAM CONNECTED 16084158 7780/sshd: jonbendt
unix 3 [ ] STREAM CONNECTED 16084157 7784/1
unix 2 [ ] DGRAM 16084156 7780/sshd: jonbendt
unix 2 [ ] DGRAM 2535205 13710/sshd: root@no
unix 2 [ ] DGRAM 17968 5521/login
unix 2 [ ] DGRAM 9991 3480/upsmon
unix 2 [ ] DGRAM 9979 3478/upsmon
unix 2 [ ] DGRAM 9817 3383/ntpd
unix 3 [ ] DGRAM 4553 941/udevd
unix 3 [ ] DGRAM 4552 941/udevd
root@dkVserver:/tmp#

I have no firewalls

root@dkVserver:/tmp# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@dkVserver:/tmp# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@dkVserver:/tmp#

root@dkVserver:/tmp# ifconfig
eth0 Link encap:Ethernet HWaddr 00:30:48:be:d3:48
          inet addr:192.168.123.219 Bcast:192.168.123.255 Mask:255.255.255.0
          inet6 addr: fe80::230:48ff:febe:d348/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:17630380 errors:0 dropped:0 overruns:0 frame:0
          TX packets:195781630 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3540039829 (3.2 GiB) TX bytes:250631589145 (233.4 GiB)
          Interrupt:17 Memory:fdae0000-fdb00000

eth1 Link encap:Ethernet HWaddr 00:30:48:be:d3:49
          inet addr:192.168.123.220 Bcast:192.168.123.255 Mask:255.255.255.0
          inet6 addr: fe80::230:48ff:febe:d349/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:182495083 errors:2 dropped:0 overruns:0 frame:2
          TX packets:311134770 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:23293032621 (21.6 GiB) TX bytes:441373993794 (411.0 GiB)
          Interrupt:18 Memory:fdbe0000-fdc00000

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:34266 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7049817 (6.7 MiB) TX bytes:7049817 (6.7 MiB)

And the worst part of the problem is that the open ports change :-(

root@dkVserver:/tmp# diff rkhunter--check.1382604945 rkhunter--check.1382605001
21c21
< Port number: TCP:54668

---
>          Port number: TCP:54671
root@dkVserver:/tmp# diff rkhunter--check.1382604945 rkhunter--check.1382605186
8,9c8,11
<          Port number: TCP:40407
<          Port number: TCP:41099
---
>          Port number: TCP:39820
>          Port number: TCP:40469
>          Port number: TCP:41162
>          Port number: TCP:41627
10a13
>          Port number: TCP:42991
12a16
>          Port number: TCP:44264
19c23
<          Port number: TCP:52358
---
>          Port number: TCP:52419
21c25
<          Port number: TCP:54668
---
>          Port number: TCP:54707
23,24c27,28
<          Port number: TCP:56228
<          Port number: TCP:56954
---
>          Port number: TCP:56291
>          Port number: TCP:60814
So I can't even whitelist them.
JonB
Received on Thu Oct 24 10:05:24 2013
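Editor's note on the check behind the warning above. A hidden-ports test works by comparison: it takes the kernel's own knowledge of which TCP ports are in use as ground truth and flags every port that a user-space listing such as `netstat` did not print. The script below is an added example, not code from the original post and not rkhunter's or unhide's implementation; it replays that comparison offline on a constructed `/proc/net/tcp`-style snapshot and a constructed set of netstat-visible ports, then labels each hidden port as a listener or as a port in the default Linux ephemeral range. Helper names, the sample data and the ephemeral range (the kernel default for `net.ipv4.ip_local_port_range`) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Hidden-port comparison, replayed offline on constructed data.

Ground truth is a /proc/net/tcp-style socket table; the "visible" side is
the set of local ports a netstat run printed. Every kernel-known port that
netstat lacks is reported, in the same shape as the rkhunter warning.
Helper names are hypothetical; the sample data is constructed, not captured
from the host in the original post.
"""

# Subset of /proc/net/tcp state codes that matter for this check.
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}

# Default Linux ephemeral range (net.ipv4.ip_local_port_range). Ports in it
# are normally the client side of outbound connections and differ per run.
EPHEMERAL_RANGE = (32768, 61000)

# Constructed /proc/net/tcp-style snapshot (trailing columns trimmed; the
# parser only needs sl, local_address, rem_address and st). Addresses are
# little-endian hex IP:PORT, e.g. DB7BA8C0:0016 is 192.168.123.219:22.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue:rx_queue tr:tm->when retrnsmt   uid  timeout inode
   0: 00000000:0410 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001
   1: DB7BA8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002
   2: 00000000:008B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003
   3: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9004
   4: DB7BA8C0:9B8C 097BA8C0:0DA5 01 00000000:00000000 00:00000000 00000000     0        0 9005
"""

# Constructed: local TCP ports that a netstat run in the same context showed
# (1040 for inetd and 22 for sshd, as in the listing above).
SAMPLE_NETSTAT_PORTS = {1040, 22}


def hex_to_ipv4(hex_ip):
    """Decode the little-endian hex IPv4 form used by /proc/net/tcp."""
    return ".".join(str(b) for b in bytes.fromhex(hex_ip)[::-1])


def parse_proc_net_tcp(text):
    """Return [(local_ip, local_port, state)] for every socket line."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        state = TCP_STATES.get(fields[3], "OTHER")
        sockets.append((hex_to_ipv4(ip_hex), int(port_hex, 16), state))
    return sockets


def classify_hidden(sockets, visible_ports, ephemeral=EPHEMERAL_RANGE):
    """Map each kernel-known port missing from visible_ports to a label."""
    lo, hi = ephemeral
    hidden = {}
    for _ip, port, state in sockets:
        if port in visible_ports:
            continue
        if state == "LISTEN":
            hidden[port] = "listener"
        elif lo <= port <= hi:
            hidden[port] = "ephemeral client port"
        else:
            hidden[port] = "non-listening socket"
    return dict(sorted(hidden.items()))


def format_report(hidden):
    """Render the result in the layout rkhunter uses for this warning."""
    lines = ["Warning: Hidden ports found:"]
    for port, label in hidden.items():
        lines.append(f"         Port number: TCP:{port}  ({label})")
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print(format_report(classify_hidden(table, SAMPLE_NETSTAT_PORTS)))
```

Run against the constructed snapshot this reports 139 and 3306 as hidden listeners and 39820 as a hidden ephemeral client port. That split is the diagnostic value: a hidden port in the ephemeral range that exists only as an established socket is the client side of an outbound connection rather than a service, which is why such ports differ between consecutive rkhunter runs, while a hidden listener on a well-known port (139, 25, 3306) is the one to account for. On a Linux-VServer host, one way to check whether the hidden ports belong to guests rather than to the host context is to list sockets from inside each guest (`vserver <name> exec netstat -tlnp`) and see whether the flagged listeners appear there; this is a suggested check, not something the original post confirms.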
Generated on Thu 24 Oct 2013 - 10:05:24 BST by hypermail 2.1.8