Last night rkhunter triggered with the following warnings:
[04:10:23] Warning: Network TCP port 32982 is being used by /usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: Solaris Wanuk
Use the 'lsof -i' or 'netstat -an' command to check this.
[04:10:23] Checking for TCP port 33369 [ Not found ]
[04:10:23] Checking for TCP port 47107 [ Not found ]
[04:10:23] Checking for TCP port 47018 [ Not found ]
[04:10:24] Checking for TCP port 60922 [ Warning ]
[04:10:24] Warning: Network TCP port 60922 is being used by /usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: zaRwT.KiT
Use the 'lsof -i' or 'netstat -an' command to check this.
The previous scan a day before did not have the same warning, nor did a second server I am running. There are no further warnings.
I am not sure exactly how to figure out what to do next.
I ran 'lsof -i' and it renders the following result:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dhclient 570 root 5u IPv4 2440 0t0 UDP *:bootpc
portmap 674 daemon 4u IPv4 2630 0t0 UDP *:sunrpc
portmap 674 daemon 5u IPv4 2634 0t0 TCP *:sunrpc (LISTEN)
rpc.statd 687 statd 4u IPv4 2666 0t0 UDP *:863
rpc.statd 687 statd 6u IPv4 2675 0t0 UDP *:49433
rpc.statd 687 statd 7u IPv4 2678 0t0 TCP *:33135 (LISTEN)
rpc.mount 949 root 7u IPv4 3174 0t0 UDP *:50854
rpc.mount 949 root 8u IPv4 3179 0t0 TCP *:45667 (LISTEN)
named 995 bind 20u IPv6 3297 0t0 TCP *:domain (LISTEN)
named 995 bind 21u IPv4 3302 0t0 TCP localhost:domain (LISTEN)
named 995 bind 22u IPv4 3305 0t0 TCP server.stratoserver.net:domain (LISTEN)
named 995 bind 23u IPv4 3307 0t0 TCP server.local:domain (LISTEN)
named 995 bind 24u IPv4 3342 0t0 TCP localhost:953 (LISTEN)
named 995 bind 25u IPv6 3343 0t0 TCP localhost:953 (LISTEN)
named 995 bind 512u IPv6 3296 0t0 UDP *:domain
named 995 bind 513u IPv4 3301 0t0 UDP localhost:domain
named 995 bind 514u IPv4 3303 0t0 UDP server.stratoserver.net:domain
named 995 bind 515u IPv4 3306 0t0 UDP server.local:domain
rpc.rquot 1042 root 3u IPv4 3551 0t0 UDP *:790
rpc.rquot 1042 root 4u IPv4 3557 0t0 TCP *:791 (LISTEN)
ntpd 1055 ntp 16u IPv4 3601 0t0 UDP *:ntp
ntpd 1055 ntp 17u IPv6 3602 0t0 UDP *:ntp
ntpd 1055 ntp 18u IPv4 3610 0t0 UDP localhost:ntp
ntpd 1055 ntp 19u IPv4 3611 0t0 UDP server.stratoserver.net:ntp
ntpd 1055 ntp 20u IPv4 3612 0t0 UDP server.local:ntp
ntpd 1055 ntp 21u IPv6 3613 0t0 UDP [fe80::21b:c6ff:fe40:4175]:ntp
ntpd 1055 ntp 22u IPv6 3614 0t0 UDP localhost:ntp
ntpd 1055 ntp 23u IPv6 3615 0t0 UDP [fe80::21b:c6ff:fe40:4172]:ntp
sshd 1067 root 3u IPv4 3653 0t0 TCP *:ssh (LISTEN)
sshd 1067 root 4u IPv6 3655 0t0 TCP *:ssh (LISTEN)
mysqld 1197 mysql 10u IPv4 3784 0t0 TCP *:mysql (LISTEN)
mysqld 1197 mysql 13u IPv4 28876535 0t0 TCP server.local:mysql->server.local:41029 (ESTABLISHED)
mysqld 1197 mysql 14u IPv4 35609701 0t0 TCP server.local:mysql->server2.local:36676 (ESTABLISHED)
mysqld 1197 mysql 15u IPv4 36159013 0t0 TCP server.local:mysql->server2.local:38976 (ESTABLISHED)
mysqld 1197 mysql 16u IPv4 36159014 0t0 TCP server.local:mysql->server2.local:38977 (ESTABLISHED)
mysqld 1197 mysql 17u IPv4 28876538 0t0 TCP server.local:mysql->server.local:41030 (ESTABLISHED)
mysqld 1197 mysql 18u IPv4 28876539 0t0 TCP server.local:mysql->server.local:41031 (ESTABLISHED)
mysqld 1197 mysql 21u IPv4 36159015 0t0 TCP server.local:mysql->server2.local:38978 (ESTABLISHED)
mysqld 1197 mysql 22u IPv4 35609702 0t0 TCP server.local:mysql->server2.local:36677 (ESTABLISHED)
mysqld 1197 mysql 27u IPv4 36159028 0t0 TCP server.local:mysql->server2.local:38979 (ESTABLISHED)
mysqld 1197 mysql 28u IPv4 35609703 0t0 TCP server.local:mysql->server2.local:36678 (ESTABLISHED)
mysqld 1197 mysql 29u IPv4 35610784 0t0 TCP server.local:mysql->server2.local:36690 (ESTABLISHED)
mysqld 1197 mysql 30u IPv4 36159029 0t0 TCP server.local:mysql->server2.local:38980 (ESTABLISHED)
mysqld 1197 mysql 33u IPv4 36159030 0t0 TCP server.local:mysql->server2.local:38981 (ESTABLISHED)
mysqld 1197 mysql 34u IPv4 35610785 0t0 TCP server.local:mysql->server2.local:36691 (ESTABLISHED)
mysqld 1197 mysql 35u IPv4 36159033 0t0 TCP server.local:mysql->server2.local:38982 (ESTABLISHED)
mysqld 1197 mysql 37u IPv4 35610786 0t0 TCP server.local:mysql->server2.local:36692 (ESTABLISHED)
mysqld 1197 mysql 38u IPv4 35611462 0t0 TCP server.local:mysql->server2.local:36693 (ESTABLISHED)
mysqld 1197 mysql 39u IPv4 35611463 0t0 TCP server.local:mysql->server2.local:36694 (ESTABLISHED)
mysqld 1197 mysql 40u IPv4 36159034 0t0 TCP server.local:mysql->server2.local:38983 (ESTABLISHED)
mysqld 1197 mysql 43u IPv4 36159035 0t0 TCP server.local:mysql->server2.local:38984 (ESTABLISHED)
mysqld 1197 mysql 45u IPv4 35611464 0t0 TCP server.local:mysql->server2.local:36695 (ESTABLISHED)
mysqld 1197 mysql 46u IPv4 35611466 0t0 TCP server.local:mysql->server2.local:36696 (ESTABLISHED)
mysqld 1197 mysql 47u IPv4 35611468 0t0 TCP server.local:mysql->server2.local:36698 (ESTABLISHED)
mysqld 1197 mysql 53u IPv4 35611467 0t0 TCP server.local:mysql->server2.local:36697 (ESTABLISHED)
mysqld 1197 mysql 81u IPv4 28934739 0t0 TCP server.local:mysql->server.local:41298 (ESTABLISHED)
mysqld 1197 mysql 84u IPv4 28934741 0t0 TCP server.local:mysql->server.local:41299 (ESTABLISHED)
mysqld 1197 mysql 114u IPv4 28934743 0t0 TCP server.local:mysql->server.local:41300 (ESTABLISHED)
miniserv. 1275 root 5u IPv4 4105 0t0 TCP *:20000 (LISTEN)
miniserv. 1275 root 6u IPv4 4106 0t0 UDP *:20000
apache2 1286 root 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 1286 root 6u IPv6 4133 0t0 TCP *:https (LISTEN)
avahi-dae 1300 avahi 13u IPv4 4217 0t0 UDP *:mdns
avahi-dae 1300 avahi 14u IPv6 4218 0t0 UDP *:mdns
avahi-dae 1300 avahi 15u IPv4 4219 0t0 UDP *:60072
avahi-dae 1300 avahi 16u IPv6 4220 0t0 UDP *:44413
apache2 1396 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 1396 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 1396 www-data 35u IPv4 53893609 0t0 TCP server.local:33766->server2.local:9001 (ESTABLISHED)
master 1628 root 12u IPv4 5232 0t0 TCP *:smtp (LISTEN)
master 1628 root 103u IPv4 5359 0t0 TCP *:submission (LISTEN)
miniserv. 1935 root 6u IPv4 6530 0t0 TCP *:webmin (LISTEN)
miniserv. 1935 root 7u IPv4 6531 0t0 UDP *:10000
apache2 2545 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 2545 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 2545 www-data 35u IPv4 53924796 0t0 TCP server.local:33844->server2.local:9001 (ESTABLISHED)
apache2 3155 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 3155 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 3155 www-data 35u IPv4 53803788 0t0 TCP server.local:33550->server2.local:9001 (ESTABLISHED)
apache2 4436 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 4436 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 4436 www-data 35u IPv4 53924619 0t0 TCP server.local:33843->server2.local:9001 (ESTABLISHED)
apache2 8768 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 8768 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 8768 www-data 35u IPv4 53892156 0t0 TCP server.local:33764->server2.local:9001 (ESTABLISHED)
apache2 8773 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 8773 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 8773 www-data 35u IPv4 53912304 0t0 TCP server.local:33797->server2.local:9001 (ESTABLISHED)
apache2 9275 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 9275 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 9275 www-data 35u IPv4 53923945 0t0 TCP server.local:33840->server2.local:9001 (ESTABLISHED)
apache2 9276 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 9276 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 9276 www-data 35u IPv4 53890648 0t0 TCP server.local:33754->server2.local:9001 (ESTABLISHED)
sshd 10312 root 3r IPv4 53910247 0t0 TCP server.stratoserver.net:ssh->dynamic.b-ras1.srl.dublin.eircom.net:18262 (ESTABLISHED)
apache2 10555 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 10555 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 10555 www-data 35u IPv4 53918771 0t0 TCP server.local:33805->server2.local:9001 (ESTABLISHED)
apache2 10557 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 10557 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
apache2 10557 www-data 35u IPv4 53925404 0t0 TCP server.local:33845->server2.local:9001 (ESTABLISHED)
proftpd 13576 proftpd 1u IPv6 51926297 0t0 TCP *:ftp (LISTEN)
java 16797 idoms 84u IPv6 28876534 0t0 TCP server.local:41029->server.local:mysql (ESTABLISHED)
java 16797 idoms 86u IPv6 28876536 0t0 TCP server.local:41031->server.local:mysql (ESTABLISHED)
java 16797 idoms 87u IPv6 28876537 0t0 TCP server.local:41030->server.local:mysql (ESTABLISHED)
java 16797 idoms 88u IPv6 28876619 0t0 TCP *:9001 (LISTEN)
java 16797 idoms 100u IPv6 28934738 0t0 TCP server.local:41298->server.local:mysql (ESTABLISHED)
java 16797 idoms 104u IPv6 28934740 0t0 TCP server.local:41299->server.local:mysql (ESTABLISHED)
java 16797 idoms 106u IPv6 28934742 0t0 TCP server.local:41300->server.local:mysql (ESTABLISHED)
apache2 26222 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 26222 www-data 6u IPv6 4133 0t0 TCP *:https (LISTEN)
My untrained eye doesn't see anything strange in there.
Can anybody give me any suggestions?
Best Answer
Does your web application use curl or do any network operations such as talking to a database? Whenever a network connection is made, source IP, source port, destination IP and destination port must be chosen. The source port is chosen from the ephemeral range.
I suspect that one of these network connections chose the port 60922 and was using it at the same time as rkhunter was running. If that's the only alert rkhunter generated, it's almost certainly a false positive and nothing to worry about. Repeated reports will warrant further investigation.
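A small triage script for the situation the answer describes, added here as an illustration and not part of the question or the answer. It parses `lsof -i` output and, for each port rkhunter flagged, reports whether some process is actually listening on it (worth a look), whether it is only the local end of an outbound connection inside the ephemeral range (the coincidence the answer suspects), or whether nothing uses it any more (consistent with a transient connection). The `lsof` lines embedded below are a constructed, shortened stand-in for the asker's listing with one outbound apache2 connection given source port 60922; the fallback range 32768-60999 is the assumed Linux default, and the real value is read from `/proc/sys/net/ipv4/ip_local_port_range` when available.

```python
"""Triage an rkhunter "TCP port in use" warning against `lsof -i` output.

Added example (not from the question or answer). It distinguishes a port that a
process is LISTENing on from a port that merely appears as the local side of an
outbound connection, which is the ephemeral-source-port case the answer describes.
"""
import re
from collections import namedtuple

# Constructed sample in `lsof -i` layout (a shortened, edited stand-in for the
# asker's listing): one outbound apache2 connection has source port 60922.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1067 root 3u IPv4 3653 0t0 TCP *:ssh (LISTEN)
ntpd 1055 ntp 21u IPv6 3613 0t0 UDP [fe80::21b:c6ff:fe40:4175]:ntp
apache2 1396 www-data 4u IPv6 4129 0t0 TCP *:www (LISTEN)
apache2 1396 www-data 35u IPv4 53893609 0t0 TCP server.local:60922->server2.local:9001 (ESTABLISHED)
java 16797 idoms 88u IPv6 28876619 0t0 TCP *:9001 (LISTEN)
"""

# Assumed fallback: the Linux default ip_local_port_range.
DEFAULT_EPHEMERAL = (32768, 60999)

Socket = namedtuple("Socket", "command pid user proto local_port remote state")

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read the kernel's ephemeral port range; fall back to the assumed default."""
    try:
        with open(path) as fh:
            lo, hi = fh.read().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL


def parse_lsof(text):
    """Parse `lsof -i` lines into Socket records (header and odd lines skipped)."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        local, _, remote = m.group("name").partition("->")
        _, _, port = local.rpartition(":")   # works for host:port and [v6]:port
        sockets.append(Socket(m.group("cmd"), int(m.group("pid")), m.group("user"),
                              m.group("proto"), port, remote or None, m.group("state")))
    return sockets


def classify_port(port, sockets, eph=DEFAULT_EPHEMERAL):
    """Explain how a flagged port is used right now.

    'listening'          a process accepts connections there: look at it
    'ephemeral-outbound' only the local end of an outbound connection, inside the
                         ephemeral range: the benign coincidence the answer describes
    'in-use'             something else (e.g. a UDP socket outside the range)
    'not-found'          nothing uses it now: consistent with a transient connection
    """
    hits = [s for s in sockets if s.local_port == str(port)]
    if not hits:
        return "not-found"
    if any(s.state == "LISTEN" for s in hits):
        return "listening"
    lo, hi = eph
    if lo <= port <= hi and all(s.remote for s in hits):
        return "ephemeral-outbound"
    return "in-use"


def triage(ports, text, eph=DEFAULT_EPHEMERAL):
    """Map each rkhunter-flagged port to its classification and the owning processes."""
    sockets = parse_lsof(text)
    report = {}
    for port in ports:
        owners = sorted({(s.command, s.pid) for s in sockets if s.local_port == str(port)})
        report[port] = (classify_port(port, sockets, eph), owners)
    return report


if __name__ == "__main__":
    # Ports from the question's rkhunter output, checked against the sample listing.
    for port, (verdict, owners) in triage([32982, 60922, 9001], SAMPLE_LSOF).items():
        print(f"{port:>5}  {verdict:<18}  {owners}")
```

Run against a fresh `lsof -i` capture, a port that rkhunter flagged during the night will usually come back as `not-found`, because the outbound connection that happened to use it is long gone; that is the expected picture for the false positive the answer describes. The verdict that deserves attention is `listening`, since a daemon accepting connections on one of rkhunter's known-rootkit ports is not explained by ephemeral-port coincidence and should be matched against the package that owns the binary.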