Hi,
Today I checked my server with chkrootkit (http://www.chkrootkit.org/ ). chkrootkit told me that bindshell is infected on port 465.
I used netstat -apn | grep 465 to check who is using the port.
The netstat result shows this:
tcp 0.0.0.0:465 listen
tcp my-server:5222 ///////////////////////////// 62.143.3.180:33465 established
tcp my-server:5269 ///////////////////////////// 193.219.42.13:46507 established
Both IPs are registered users at my server.
Should I care about that? What damage can be done to my server and what can I do to protect my Openfire from this?
Thank you!
LG1
December 18, 2007, 9:46pm
2
Hi,
you may want to use “lsof” to identify the program which has opened port 465. Openfire usually does not run as root and thus it does not have the required privileges to open a port <1024. I guess that you are running SMTPS which is usually using this port.
LG
Well, in that case I have to say that I am running Openfire under root.
For some reason Openfire does not start under a “normal user” - maybe I am doing something wrong.
Strange, because netstat shows 2 different IPs / hostnames which are connected to my Openfire as a registered user.
What is the correct input to let lsof show me what program is using 465 - I do not get it.
Thank you.
LG1
December 19, 2007, 9:07pm
4
lsof -P -n -i | grep 465
This should print something like
java 12345 root 40u IPv4 123456 TCP *:456 (LISTEN)
You’re doing something wrong if Openfire really runs as root.
LG
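
An added example, not part of the original posts: `grep 465` matches the digits anywhere in a line, so remote ports such as 33465 and 46507 show up next to the real listener. The sketch below filters `lsof -P -n -i` output to LISTEN sockets whose local port is exactly the one asked for; the function names and the sample lines (including the `master` process and the documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Reads `lsof -P -n -i` lines on stdin and prints "command pid user port"
# for sockets in LISTEN state whose local port equals $1 exactly.
listeners_on_port() {
    awk -v port="$1" '
        $NF == "(LISTEN)" {
            # NAME is the field before the state, e.g. *:465 or [::1]:465.
            # Counting from the end works with or without a SIZE/OFF column.
            name = $(NF - 1)
            n = split(name, parts, ":")
            if (parts[n] == port)
                print $1, $2, $3, parts[n]
        }'
}

# Constructed sample output (hypothetical processes, documentation IP ranges).
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master   2101 root   13u  IPv4  20465      0t0  TCP *:465 (LISTEN)
java    12345 root   40u  IPv4 123456      0t0  TCP *:5222 (LISTEN)
java    12345 root   41u  IPv4 123457      0t0  TCP 192.0.2.10:5222->198.51.100.7:33465 (ESTABLISHED)
java    12345 root   42u  IPv4 123458      0t0  TCP 192.0.2.10:5269->203.0.113.9:46507 (ESTABLISHED)
EOF
}

# Number of sample lines a plain substring grep would return.
substring_hits() { sample_lsof | grep -c 465; }

# Listeners that really own local port 465 in the sample.
exact_hits() { sample_lsof | listeners_on_port 465; }

echo "substring matches: $(substring_hits)"
echo "exact listeners:   $(exact_hits)"
```

On a live host the same filter is used as `lsof -P -n -i | listeners_on_port 465`, run as root so that sockets owned by other users are listed.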