Re: [OxLUG] Rkhunter false positive, TCP port 143

Author: David North
To: oxlug
Subject: Re: [OxLUG] Rkhunter false positive, TCP port 143
On 28/11/15 17:02, David North wrote:
> Hi Oxlug,
> I've been running rkhunter [0] on a number of my Linux servers for some
> years.
> Recently, it's started giving me warnings about a possible infection on
> my mail server:
> Warning: Hidden ports found:
>          Port number: TCP:143

> I've tried a few things:
> $ nc -vvv localhost 143
> nc: cannot connect to localhost.localdomain ( 143 [imap2]:
> Connection refused
> ss|grep 143 returns no output
> netstat -tn|grep 143 returns no output
> I've also tried running the above two commands using an "at" job to
> happen at the same time as the rkhunter report is generated - no output.
> Does anybody have anything further to suggest, or have you seen this
> sort of thing before?

Writing it up for OxLUG inspired me to dig a bit further, and I
eventually unearthed the solution. It was a bug in the Dovecot IMAP server:
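
To make the investigation in the quoted post concrete, here is an added example (not code from the thread, from rkhunter or from Dovecot) of the kind of cross-check behind a "hidden port" warning: sockets that /proc/net/tcp shows in LISTEN state are compared against the ports that ss -ltn (or netstat -ltn) lists, which is the comparison David was doing by hand. It is not a claim about rkhunter's exact algorithm. It assumes only a POSIX shell, awk and comm, plus ss or netstat for the live check; the /proc/net/tcp and ss output it embeds are constructed samples in which port 143 appears in /proc but not in the tool output.

```shell
#!/bin/sh
# Added example, not from the OxLUG thread: compare LISTEN sockets in
# /proc/net/tcp{,6} against what ss/netstat report, to reproduce the
# cross-check behind a "hidden port" warning. Samples below are constructed.

# Print the decimal LISTEN ports (state column == 0A) from a file in
# /proc/net/tcp format given as $1. Hex conversion is done by hand so the
# script works on mawk as well as gawk.
proc_listen_ports() {
    awk '
        function hex2dec(s,    i, v) {
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
            return v
        }
        $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }
    ' "$1" | sort -un
}

# Print the decimal ports from `ss -ltn` or `netstat -ltn` output in $1:
# the local address is column 4 and the port follows its last colon.
tool_listen_ports() {
    awk '$4 ~ /:[0-9]+$/ { n = split($4, a, ":"); print a[n] }' "$1" | sort -un
}

# Print ports that /proc shows listening but the tool output does not.
# $1: /proc/net/tcp-format file, $2: ss/netstat output file.
hidden_ports() {
    p=$(mktemp) || return 1
    s=$(mktemp) || { rm -f "$p"; return 1; }
    proc_listen_ports "$1" | sort -u > "$p"   # comm needs lexicographic order
    tool_listen_ports "$2" | sort -u > "$s"
    comm -23 "$p" "$s"
    rm -f "$p" "$s"
}

# On a live Linux host: snapshot both views back-to-back, then diff them.
live_hidden_ports() {
    d=$(mktemp -d) || return 1
    cat /proc/net/tcp /proc/net/tcp6 > "$d/proc" 2>/dev/null
    ss -ltn > "$d/tool" 2>/dev/null || netstat -ltn > "$d/tool"
    hidden_ports "$d/proc" "$d/tool"
    rm -rf "$d"
}

# Constructed samples: /proc shows 22, 25 and 143 listening (plus one
# ESTABLISHED socket that must be ignored); the ss output shows only 22 and 25.
write_samples() {
    cat > "$1/proc" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:A1B2 0100007F:0019 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
EOF
    cat > "$1/tool" <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       100            0.0.0.0:25          0.0.0.0:*
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Listening in /proc but absent from ss: $(hidden_ports "$demo_dir/proc" "$demo_dir/tool")"
rm -rf "$demo_dir"
```

Run on the samples it reports 143; on a real host call live_hidden_ports. A difference between the two views has two innocent-looking explanations besides a rootkit: a socket that exists only briefly (open in one snapshot, gone by the next), and a tool that reads a different source than /proc. Taking both snapshots back-to-back, as live_hidden_ports does, narrows the timing window; re-running the check a few times and noting whether the same port always shows up distinguishes a transient listener from a port that is consistently reported in one place and not the other.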