powered by Jive Software

Bindshell infected on port 465 - netstat shows up openfire user


today i checked my server with chkrootkit (http://www.chkrootkit.org/). chkrootkit told me that bindshell ist infected on port 465.

I used netstat -apn | grep 465 to check who are using the port.

Netstat result shows up this:

tcp listen

tcp my-server:5222 ///////////////////////////// established

tcp my-server:5269 ///////////////////////////// established

Both IPs are registered users at my server.

Should i care about that? What damage can be done to my server and what can i do to prevent my openfire from this?

Thank you!


you may want to use “lsof” to identify the program which has opened port 465. Openfire usually does not run as root and thus it does not have the required privileges to open a port <1024. I guess that you are running SMTPS which is usually using this port.


Well in that case i have to say, that iam running openfire under root.

Form some reasons openfire does not start under a “normal user” - maybe i am doing something wrong.

Strange because netstat show up 2 different ips / hostnames which are connected to my openfire as an registered user.

What is the correct input to let lsof show me what program is usin 465 - i do not get it.

Thank you.

lsof -P -n -i | grep 465

This should print something like

java 12345 root 40u IPv4 123456 TCP *:456 (LISTEN)

You’re doing something wrong if Openfire really runs as root.