[Dovecot] rkhunter alert dovecot using port 1984
Hi all,
Debian Lenny, dovecot 1.0.15
My rkhunter script has picked up dovecot using port 1984 temporarily. When I run it now however, it is gone.
Warning: Network TCP port 1984 is being used by /usr/lib/dovecot/imap. Possible rootkit: Fuckit Rootkit Use the 'lsof -i' or 'netstat -an' command to check this.
Does dovecot use this port for any reason? Anyone seen this before?
Regards, Mark
On 8.3.2011, at 12.43, Mark Adams wrote:
> Warning: Network TCP port 1984 is being used by /usr/lib/dovecot/imap. Possible rootkit: Fuckit Rootkit Use the 'lsof -i' or 'netstat -an' command to check this.
> Does dovecot use this port for any reason? Anyone seen this before?
No & no.
Hi Timo,
I've had another one this morning (on port 2006), and can see it's still open:
mailhub:~# netstat -tulnap | grep 2006
tcp 0 0 10.0.0.24:143 10.0.3.96:2006 ESTABLISHED 19372/imap
This all looks OK. The client should be communicating over a higher port, right?
On Wed, Mar 09, 2011 at 08:23:40PM +0200, Timo Sirainen wrote:
> On 8.3.2011, at 12.43, Mark Adams wrote:
> > Warning: Network TCP port 1984 is being used by /usr/lib/dovecot/imap. Possible rootkit: Fuckit Rootkit Use the 'lsof -i' or 'netstat -an' command to check this.
> > Does dovecot use this port for any reason? Anyone seen this before?
> No & no.
On Wed, 2011-03-16 at 09:54 +0000, Mark Adams wrote:
> Hi Timo,
> I've had another one this morning (on port 2006), and can see it's still open:
> mailhub:~# netstat -tulnap | grep 2006
> tcp 0 0 10.0.0.24:143 10.0.3.96:2006 ESTABLISHED 19372/imap
> This all looks OK. The client should be communicating over a higher port, right?
Yeah. Client is connected to IMAP port.
> mailhub:~# netstat -tulnap | grep 2006
> tcp 0 0 10.0.0.24:143 10.0.3.96:2006 ESTABLISHED 19372/imap
> This all looks OK. The client should be communicating over a higher port, right?
Perfectly normal. If your rkhunter is freaking out because it's seeing remote ports that it doesn't like, it needs to take some valium. Anything over 1024 is fair game for unprivileged stuff like mail clients.
P
on 10.0.0.6 ^^;
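The check discussed in this thread, as an added Python example (not part of any poster's message, and not rkhunter or Dovecot code): given `netstat -tulnap` output, it reports whether a flagged port is a listener on this host or only the remote peer's source port. Only the first sample row comes from the thread; the other rows and the function names are constructed for illustration.

```python
# Constructed sample in `netstat -tulnap` layout. Row 1 is the line posted in the
# thread; rows 2 and 3 are made up to show the contrasting cases.
SAMPLE = """\
tcp  0  0 10.0.0.24:143   10.0.3.96:2006  ESTABLISHED 19372/imap
tcp  0  0 0.0.0.0:143     0.0.0.0:*       LISTEN      1201/dovecot
tcp  0  0 0.0.0.0:1984    0.0.0.0:*       LISTEN      4242/unknown
"""


def port_of(endpoint):
    """Return the port of an 'addr:port' endpoint, or None when it is '*'."""
    port = endpoint.rsplit(":", 1)[1]  # rsplit also copes with IPv6 forms like :::143
    return int(port) if port.isdigit() else None


def classify(netstat_output, flagged_port):
    """Return (verdict, pid/program) for every TCP socket that involves flagged_port."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue  # skip headers, UDP rows and anything truncated
        local, remote, state, owner = fields[3], fields[4], fields[5], fields[6]
        if port_of(local) == flagged_port and state == "LISTEN":
            verdict = "local-listener"   # this host accepts connections on the port
        elif port_of(local) == flagged_port:
            verdict = "local-endpoint"   # this host's end of a connection uses the port
        elif port_of(remote) == flagged_port:
            verdict = "remote-port"      # only the peer's source port matches
        else:
            continue
        findings.append((verdict, owner))
    return findings


if __name__ == "__main__":
    for port in (2006, 1984):
        print(port, classify(SAMPLE, port))
```

A `remote-port` verdict on a socket whose local side is the IMAP port is the situation in the posted netstat line; a `local-listener` verdict is the case that warrants a closer look at the owning process.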
participants (3)
- Mark Adams
- Peter Evans
- Timo Sirainen