chkrootkit finds bindshell infected on port 465

The current version of chkrootkit will throw up a warning that bindshell is INFECTED on port 465 in some circumstances when there is nothing to worry about. What it’s actually doing (in case you can’t read shell scripts, and why should you when there’s a perfectly good ‘C’ compiler available) is running netstat and filtering the output, looking for listening ports that shouldn’t be in use. Port 465 is SMTP over SSL, which in my opinion should very definitely be used, but it is normally disabled by default.

Whether this should worry you depends on whether you’re using secure SMTP, probably with sendmail. If you set up the server you should know this. If someone else set it up and you’re not too familiar with sendmail, the tell-tale line in the .mc file is DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl. Note the ‘s’ on the end of smtp.

Assuming you are using SMTPS, you can easily stop chkrootkit from printing an error (or returning an error code) simply by modifying the bindshell() subroutine to remove 465 from the list of ports to check. It’s on line 269 of the current (0.49) version of the script.
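As an added illustration (not the chkrootkit script itself), here is a small POSIX shell function that does the same kind of netstat filtering, but with an allow-list so that a port you know is legitimately in use, 465 for SMTPS, does not trigger the warning; the netstat sample and the port list are constructed for the example and are not chkrootkit’s own.

```shell
# Constructed sample of `netstat -an` output; not taken from a real system.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED'

# Ports to look for. An assumed list for illustration; chkrootkit's own differs.
BINDSHELL_PORTS="465 1524 31337"

# Ports the administrator has deliberately enabled (465 once SMTPS is configured).
ALLOWED_PORTS="465"

# check_bindshell NETSTAT_OUTPUT PORTS ALLOWED
# Prints each port in PORTS that is in LISTEN state in NETSTAT_OUTPUT and is not
# in ALLOWED, one per line. Like chkrootkit, it returns non-zero when anything
# was flagged, so it can be used as a test in a cron job or monitoring script.
check_bindshell() {
    _out=$1; _ports=$2; _allowed=$3; _found=0
    for _p in $_ports; do
        # Skip ports on the allow-list (match on whole tokens only).
        case " $_allowed " in *" $_p "*) continue ;; esac
        # Match the local-address column ":PORT" followed by whitespace, so
        # :465 does not also match :4650, and require the LISTEN state.
        if printf '%s\n' "$_out" | grep -Eq "^tcp6?[[:space:]].*:$_p[[:space:]].*LISTEN"; then
            printf '%s\n' "$_p"
            _found=1
        fi
    done
    return $_found
}
```

With the allow-list in place only 31337 is reported; with an empty allow-list 465 is reported too, which is the behaviour the post describes.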

I’m not so convinced that chkrootkit is any substitute for an experienced operator, but it’s out there, people use it and it’s better than nothing.

FBI hacks every VPN on the planet

Can VPN’s be trusted?

I got wind of an interesting rumour yesterday, passed to me by a fairly trustworthy source. I don’t normally comment on rumours until I’ve had a chance to check the facts for myself, but this looks like it’s going to spread.

Basically, the FBI paid certain developers working on the OpenBSD IPsec stack and asked for back-doors or key-leaking mechanisms to be added. This occurred in 2000/2001. Allegedly.

The code in question is open source and is likely to have been incorporated in various forms in a lot of systems, including VPN and secure networking infrastructure.

Whilst I have the names of the developers in question and the development company concerned, it wouldn’t be fair to mention them publicly, at least until such code is found. If you’re using the IPsec stack in anything, you might want to take a good look at the code, just in case.

However, if the code has been there for nearly ten years in open source software, how come no one has noticed it before?

Prince Charles’ attackers lucky to be alive

At about quarter past eight this morning, on Radio 4’s Today programme, the head of the Metropolitan Police (Sir Paul Stephenson) remarked that the protection officers in Prince Charles’ car had “shown restraint” last night when the Prince and his wife were attacked by anarchists. The presenter (Sarah Montague, I think) picked up on this, and asked what he meant by “restraint”, sensing he might be implying that the armed officers might have shot some of the rioters. He declined to spell it out. So, in spite of it being obvious, I will.

The bodyguards to the heir of the throne (and, come to that, the Prime Minister and various other establishment VIPs) are there for one purpose – to protect him from those that would do him harm. They’re carrying guns, not pea-shooters. So, faced with a situation where a bunch of enthusiastic republicans are smashing through the window of his car and shouting that they wished to kill the occupants, what are SO14 officers going to do? Well if the rioters were a credible threat, get out of the car, or get off their bikes and shoot them before they get a chance to kill or injure their intended victim. They’d already broken a window – if they’d got any further into the car I’d have said they were a credible threat.

Sarah Montague, and the rioters, need to grow up.