chkrootkit is reporting, for the first time ever, something as "INFECTED". rkhunter, I believe, is saying that all is basically well. I have been searching the interwebs all morning and to me it *appears* to be a false positive, but I'm not at all geek enough to really know. Can you please help clear this up? (THANKS in advance)
I'll try to be brief, but the circumstances are a bit complicated:
I have a script that runs daily via anacron, after chkrootkit and rkhunter, which checks the chkrootkit log; I have configured it to report differences day to day (that is, my script checks the logs of chkrootkit and rkhunter instead of having those email results to me). I *THINK* that yesterday NO issues were reported, though it is possible that it reported something and I didn't see it---I'm sorry, but it would be a long story to explain why that is not certain, and I'm leery of making this long-winded (tell me if you want the details). *But* last night I also happened to run "Software Updater", and so after that I updated rkhunter's DB by running rkhunter --propupd.
Here I think I should interrupt this narrative and show what's going on:
This from chkrootkit:
Abridged output of chkrootkit -x showing the only lines that contained "4000":
Checking `bindshell'... INFECTED (PORTS: 4000)
### Output of: /bin/netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:4000 0.0.0.0:*
$ sudo netstat -pan|grep 4000
udp 0 0 0.0.0.0:4000 0.0.0.0:* 3044/dhclient
$ sudo lsof -i:4000
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 3044 root 20u IPv4 17802 0t0 UDP *:4000
$ ps -F -p 3044
UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
root 3044 1153 0 2548 3704 2 10:33 ? 00:00:00 /sbin/dhclient -d -4 -sf /usr/lib/NetworkManager/nm-dhcp-client.action -pf /var/run/sendsigs.omit.d/network-manager.dhclient-eth1.pid -lf /var/lib/dhcp/dhclient-54df5c86-b0d6-46f4-9189-af6493b1be73-eth1.lease -cf /var/run/nm-dhclient-eth1.conf eth1
In case it's helpful, here are lines excerpted from rkhunter's log from running it just now (note that rkhunter --propupd was done last night, so if something was compromised then it might not be showing it):
[13:07:28] Info: Starting test name 'deleted_files'
[13:07:30] Checking running processes for deleted files [ Warning ]
[13:07:30] Warning: The following processes are using deleted files:
[13:07:30] Process: /sbin/init PID: 1 File: /var/log/upstart/dbus.log.1
[13:07:30] Process: /usr/bin/nautilus PID: 24620 File: /home/samashley/.local/share/gvfs-metadata/home
[13:07:49] Performing check for sniffer log files
[13:07:49] Checking for file '/usr/lib/libice.log' [ Not found ]
[13:07:49] Checking for file '/dev/prom/sn.l' [ Not found ]
[13:07:49] Checking for file '/dev/fd/.88/zxsniff.log' [ Not found ]
[13:07:49] Checking for sniffer log files [ None found ]
[13:07:49] Info: Starting test name 'trojans'
[13:07:49] Performing trojan specific checks
[13:07:49] Info: Using inetd configuration file '/etc/inetd.conf'
[13:07:49] Info: Found service 'imap': it is inetd whitelisted.
[13:07:49] Info: Found service 'pop3': it is inetd whitelisted.
[13:07:49] Checking for enabled inetd services [ OK ]
[13:08:03] Info: Starting test name 'packet_cap_apps'
[13:08:03] Checking for packet capturing applications [ Warning ]
[13:08:03] Warning: Process '/sbin/dhclient' (PID 3044) is listening on the network.
...Today I ran:
and it reported several packages installed on my system that contained dhclient (do you want me to list them?)
Next I ran debsums on each of those packages, and for everything contained therein it returned "OK".
Is there anything else I should post? Thanks a lot for any help!!
Oops, edited because I almost forgot to say: this is a laptop running Ubuntu Studio 12.10 quantal 64-bit. I do have quite a few packages installed, and have lost track of which might conceivably be "listening", but I also have ufw and gufw and have installed some firewall rules that I got from a post somewhere in these forums (I have forgotten exactly where); mainly I've tried to block most incoming traffic except what I use, but I don't block outgoing. In case it's important: I have to connect to the interwebs via a USB dongle broadband device (aka "surf stick").
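The triage chain worked through in the post (chkrootkit flags a port, netstat -pan and lsof name the owning process, dpkg and debsums confirm the binary belongs to an unmodified package) can be scripted so the same check is repeatable the next time chkrootkit's bindshell test fires. The following is an added example for this thread, not code from the post or from chkrootkit/rkhunter; the function names are invented for illustration and the sample netstat lines are constructed (one mirrors the 3044/dhclient line quoted above). It falls back to the constructed sample when netstat is not available, and skips the package check on hosts without dpkg/debsums.

```python
"""Triage a chkrootkit 'bindshell' hit: map the flagged port to the process
owning it, then check whether that binary ships in an intact Debian package.

Added example for this thread, not code from the original post or from
chkrootkit/rkhunter. Function names and the sample `netstat -pan` lines are
constructed for illustration.
"""
import os
import re
import shutil
import subprocess
import sys
from typing import Iterable, List, Optional, Tuple

# One `netstat -pan` socket line: proto, queues, local, foreign, an optional
# state column (TCP only), then "PID/program" or "-" when the owner is hidden.
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<owner>\d+/\S+|-)\s*$"
)

# Constructed sample output; header lines are kept so the parser is exercised
# on realistic input. The 3044/dhclient line mirrors the one in the post.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1102/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      988/sshd
udp        0      0 0.0.0.0:4000            0.0.0.0:*                           3044/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
""".splitlines()

Socket = Tuple[str, int, Optional[int], Optional[str]]  # proto, port, pid, program
Owner = Tuple[str, Optional[int], Optional[str]]        # proto, pid, program


def parse_netstat(lines: Iterable[str]) -> List[Socket]:
    """Extract (proto, local port, pid, program) from `netstat -pan` output."""
    sockets: List[Socket] = []
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if not m:
            continue  # header, unix-domain socket or otherwise unparseable line
        port = int(m.group("local").rsplit(":", 1)[1])  # works for IPv4 and :::port
        owner = m.group("owner")
        if owner == "-":
            pid, prog = None, None  # netstat not run as root, or a kernel socket
        else:
            pid_s, prog = owner.split("/", 1)
            pid = int(pid_s)
        sockets.append((m.group("proto"), port, pid, prog))
    return sockets


def owners_of_port(lines: Iterable[str], port: int) -> List[Owner]:
    """Return every (proto, pid, program) bound to `port`; empty if nothing is."""
    return [(proto, pid, prog) for proto, p, pid, prog in parse_netstat(lines) if p == port]


def classify(owners: List[Owner]) -> str:
    """Plain-language verdict for the first triage step."""
    if not owners:
        return "nothing is bound to that port now (transient socket or stale scan)"
    if any(pid is None for _, pid, _ in owners):
        return "socket present but owner hidden: rerun netstat/lsof as root"
    return "owned by " + ", ".join(f"{prog} (PID {pid}, {proto})" for proto, pid, prog in owners)


def package_status(binary: str) -> Optional[str]:
    """Ask dpkg which package ships `binary`, then verify that package with debsums.

    Returns None when the tools are absent (non-Debian host) so the caller can
    fall back to a manual check.
    """
    if not (shutil.which("dpkg") and shutil.which("debsums")):
        return None
    q = subprocess.run(["dpkg", "-S", binary], capture_output=True, text=True)
    if q.returncode != 0:
        return f"{binary} is not owned by any package: treat as suspicious"
    pkg = q.stdout.split(":", 1)[0].strip()
    # `debsums -s` is silent on success and exits non-zero when files differ.
    v = subprocess.run(["debsums", "-s", pkg], capture_output=True, text=True)
    verdict = "OK" if v.returncode == 0 else "MISMATCH:\n" + v.stdout
    return f"{binary} belongs to {pkg}; debsums {verdict}"


if __name__ == "__main__":
    flagged = int(sys.argv[1]) if len(sys.argv) > 1 else 4000
    if shutil.which("netstat"):
        out = subprocess.run(["netstat", "-pan"], capture_output=True, text=True).stdout.splitlines()
    else:
        out = SAMPLE_NETSTAT  # offline fallback so the script still demonstrates itself
    owners = owners_of_port(out, flagged)
    print(f"port {flagged}: {classify(owners)}")
    for _, pid, prog in owners:
        if pid is None:
            continue
        try:
            path = os.readlink(f"/proc/{pid}/exe")  # resolves the real on-disk binary
        except OSError:
            path = prog or "?"
        print(package_status(path) or f"no dpkg/debsums here; verify {path} manually")
```

Run as root (`sudo python3 triage.py 4000`) so netstat can show owning PIDs; a hidden owner on a bound port is itself the signal to dig further, whereas a binary that dpkg attributes to a package and debsums reports clean is the same evidence the post reached by hand.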