[Rootkit scan] False positive on 465

  • I'm using SMTP with SSL on port 465, so my postfix master process should be running on this port, and (phew) it is.


    Code
                         USER        PID ACCESS COMMAND
    465/tcp:             root       4256 F.... master


    Did anyone else get a 'false positive' from /chkrootkit.log?

    Code
    Checking `bindshell'... INFECTED (PORTS: 465)
  • It mostly checks the port rather than an actual vulnerability/infection.


    Check with netstat if on port 465 there is something else, but if SMTPS is already running, that should be ok, not infected, just a false positive.


    Hi Althar, thanks for your reply.
    I did and it's the master process running on it. So it is a false positive. But does anyone else have this?
    In that case I might report it to the dev dept there.

  • Hello ;


    This is a well-known FALSE positive reported on almost all systems running Postfix ;) You can ignore it.

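The check discussed in the thread (confirm what actually owns the flagged port before dismissing the hit), as an added example that is not part of the original posts. The function names, the `EXPECTED` allowlist, and the 31337/python3 sample listener are assumptions constructed for illustration; on a live host, feed the functions the real chkrootkit log and the output of `ss -H -ltnp` run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data is constructed except
# port 465 / master / PID 4256, which come from the posts above.
EXPECTED="465=master"   # assumption: allowlist of port=process, set per host

SAMPLE_LOG="Checking \`bindshell'... INFECTED (PORTS: 465 31337)"
SAMPLE_SS='LISTEN 0 100 0.0.0.0:465   0.0.0.0:* users:(("master",pid=4256,fd=17))
LISTEN 0 5   0.0.0.0:31337 0.0.0.0:* users:(("python3",pid=6001,fd=3))'

# stdin = chkrootkit log; print each port from the bindshell INFECTED line.
bindshell_ports() {
    sed -n 's/.*bindshell.*INFECTED (PORTS:\(.*\)).*/\1/p' |
        tr -s ' ' '\n' | grep -E '^[0-9]+$'
}

# $1 = port, stdin = `ss -H -ltnp` output; print the owning process names.
listeners_on() {
    awk -v p="$1" '
        { n = split($4, a, ":") }   # field 4 is local addr:port
        a[n] == p && match($0, /\(\("[^"]+"/) {
            print substr($0, RSTART + 3, RLENGTH - 4)
        }' | sort -u
}

# $1 = port, $2 = ss output text; print "<port> <verdict>".
verdict() {
    want=$(printf '%s\n' $EXPECTED | sed -n "s/^$1=//p")
    got=$(printf '%s\n' "$2" | listeners_on "$1" | tr '\n' ',' | sed 's/,$//')
    if [ -z "$got" ]; then
        echo "$1 no-owner-found"       # nothing listening, or ss lacked root
    elif [ "$got" = "$want" ]; then
        echo "$1 expected:$got"        # the false-positive case
    else
        echo "$1 investigate:$got"
    fi
}

# $1 = chkrootkit log text, $2 = ss output text.
triage() {
    printf '%s\n' "$1" | bindshell_ports | while read -r port; do
        verdict "$port" "$2"
    done
}

triage "$SAMPLE_LOG" "$SAMPLE_SS"
```

A port reported as `expected:master` matches the situation in the thread; anything reported as `investigate` or `no-owner-found` still needs a closer look.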