Re: [OxLUG] Rkhunter false positive, TCP port 143

Author: David North
Date:  
To: oxlug
Subject: Re: [OxLUG] Rkhunter false positive, TCP port 143
On 28/11/15 17:02, David North wrote:
> Hi Oxlug,
>
> I've been running rkhunter [0] on a number of my Linux servers for some
> years.
>
> Recently, it's started giving me warnings about a possible infection on
> my mail server:
>
> Warning: Hidden ports found:
>          Port number: TCP:143
>
> I've tried a few things:
>
> $ nc -vvv localhost 143
> nc: cannot connect to localhost.localdomain (127.0.0.1) 143 [imap2]:
> Connection refused
>
> ss|grep 143 returns no output
>
> netstat -tn|grep 143 returns no output
>
> I've also tried running the above two commands using an "at" job to
> happen at the same time as the rkhunter report is generated - no output.
>
> Does anybody have anything further to suggest, or have you seen this
> sort of thing before?


Writing it up for OxLUG inspired me to dig a bit further, and I
eventually unearthed the solution. It was a bug in the Dovecot IMAP server:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806554
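As an added example, not part of the thread and not rkhunter's own code: a "hidden port" warning of this kind means one enumeration of the socket table saw a listener that another did not. The script below reproduces that comparison so the two views can be diffed by hand: it parses the kernel's /proc/net/tcp and /proc/net/tcp6 tables for LISTEN sockets and parses `ss -ltn` output, then reports ports present in the first view but absent from the second. The inputs embedded here are constructed sample data (a port 143 listener that appears in /proc but not in the ss output), and the hypothetical `live_check()` helper shows how to feed it real data on a host. It does not reproduce the specific Dovecot behaviour behind the Debian bug above.

```python
"""Diff two views of the TCP listening sockets (added example, not from the post).

A listener visible in /proc/net/tcp{,6} but missing from `ss -ltn` output is what a
"hidden port" check flags.  The most common benign cause is timing: the two
snapshots are taken at different instants, so a socket that opens and closes in
between shows up in only one of them.  Compare the views yourself before
treating the report as evidence of a rootkit.
"""
import re
import subprocess
from typing import Iterable, Set

TCP_LISTEN = "0A"  # hex state code for LISTEN in /proc/net/tcp and /proc/net/tcp6


def listen_ports_from_proc(lines: Iterable[str]) -> Set[int]:
    """Return local ports in LISTEN state from /proc/net/tcp or /proc/net/tcp6 text."""
    ports: Set[int] = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":
            continue  # header row or blank line
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            # local_addr is "<hex ip>:<hex port>"; IPv6 addresses contain no ':'
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def listen_ports_from_ss(lines: Iterable[str]) -> Set[int]:
    """Return the local port of every LISTEN row in `ss -ltn` output."""
    ports: Set[int] = set()
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header row
        match = re.search(r":(\d+)$", fields[3])  # "0.0.0.0:25", "[::]:993", "*:143"
        if match:
            ports.add(int(match.group(1)))
    return ports


def hidden_ports(proc_ports: Set[int], ss_ports: Set[int]) -> Set[int]:
    """Ports the kernel table lists as LISTEN that the userland tool did not show."""
    return proc_ports - ss_ports


# Constructed sample data: port 143 is in LISTEN in /proc but absent from ss.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:008F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:008F 0100007F:C2F0 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:03E1 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN     0      100    0.0.0.0:25          0.0.0.0:*
LISTEN     0      128    [::]:993            [::]:*
"""


def sample_check() -> Set[int]:
    """Run the comparison on the constructed sample; returns {143}."""
    proc = listen_ports_from_proc(SAMPLE_PROC_TCP.splitlines()) | listen_ports_from_proc(
        SAMPLE_PROC_TCP6.splitlines()
    )
    return hidden_ports(proc, listen_ports_from_ss(SAMPLE_SS.splitlines()))


def live_check() -> Set[int]:
    """Hypothetical helper: same comparison against the running host (Linux only)."""
    proc: Set[int] = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(path) as fh:
            proc |= listen_ports_from_proc(fh)
    ss_out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return hidden_ports(proc, listen_ports_from_ss(ss_out.splitlines()))


if __name__ == "__main__":
    print("sample hidden ports:", sorted(sample_check()))
```

Because the two snapshots are never taken at exactly the same instant, a port that shows up only once should be re-checked several times (the "at" job approach in the original message does the same thing) before concluding anything; a port that is consistently present in /proc but never in ss is what deserves a closer look at the owning process via the socket's inode.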