Ursula wrote:
this morning I get my usual chkrootkit report, which tells me there's a possible slapper worm installed.
[snip]
and netstat -an gives me this:

tcp 0 0 66.70.78.190:80 132.234.126.119:1410 ESTABLISHED
tcp 0 0 66.70.78.190:80 132.234.126.119:1411 ESTABLISHED

Although I can't find any of the slapper files installed - fheck runs every 15 minutes and reported no changes, apart from the usual stuff in the tmp dir - it certainly looks like the slapper worm.
[snip]
Am I just panicking needlessly (I sure hope so!), or is every last RaQ4 still open to this old worm? What are people doing to get around it? How do you get rid of it and clean up?
chkrootkit is a shell script. When it gives you a warning (with the exception of "Possible LKM Trojan installed" which is a common false positive due to the way it checks for hidden processes), you should look at the source to find out which test triggered the warning.
In the case of slapper, you'll get a warning if there's a process bound to all IP addresses on ports 2002, 4156, 1978, 1812 or 2015.
This can happen if you're running a RADIUS server that's not bound to a specific IP address, or one of the normal servers uses one of those ports at random.
Try restarting some of the servers (/etc/rc.d/init.d/<whatever> restart) and re-run chkrootkit to see if the warning goes away.
Regards, Richard.
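To make Richard's point concrete, here is an added example (not part of the original thread and not chkrootkit's own code) that replicates the slapper test as he describes it: scan `netstat -an` output for a socket bound to all addresses on one of the ports 2002, 4156, 1978, 1812 or 2015. The assumption made here is that "bound to all IP addresses" shows up in netstat as a local address of 0.0.0.0 (or :: for IPv6). The sample netstat output is constructed; it includes Ursula's two ESTABLISHED port-80 connections to show that they do not trigger the test, a RADIUS-style UDP listener on 1812 bound to 0.0.0.0 that does, and a port-2002 listener bound to 127.0.0.1 that does not, which is the false-positive situation Richard describes.

```python
import re
import subprocess

# Ports chkrootkit's slapper test looks for, as listed in Richard's reply.
SLAPPER_PORTS = {2002, 4156, 1978, 1812, 2015}

# Local addresses that mean "bound to every interface" (assumption: this is
# how netstat prints a wildcard bind on this platform).
WILDCARD_ADDRS = {"0.0.0.0", "::"}

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 66.70.78.190:80         132.234.126.119:1410    ESTABLISHED
tcp        0      0 66.70.78.190:80         132.234.126.119:1411    ESTABLISHED
udp        0      0 0.0.0.0:1812            0.0.0.0:*
tcp        0      0 127.0.0.1:2002          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4156            0.0.0.0:*               LISTEN
"""

# proto, recv-q, send-q, local addr:port, foreign addr, optional state
LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$"
)


def slapper_hits(netstat_output):
    """Return [(proto, port, state)] for sockets bound to all addresses on a
    slapper port. Anything bound to a specific IP, or on another port, is
    ignored, exactly the distinction that turns a RADIUS server into a
    false positive only when it binds to the wildcard address."""
    hits = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, unix sockets, etc.
        proto, addr, port, state = m.groups()
        if addr in WILDCARD_ADDRS and int(port) in SLAPPER_PORTS:
            hits.append((proto, int(port), state or ""))
    return hits


def explain(hits):
    """Human-readable summary of what would make chkrootkit warn."""
    if not hits:
        return "no wildcard-bound socket on a slapper port; chkrootkit would stay quiet"
    return "; ".join(
        f"{proto} port {port} bound to all addresses ({state or 'no state'})"
        for proto, port, state in hits
    )


if __name__ == "__main__":
    # Against the constructed sample first, then against the live host if
    # netstat is available; restart the owning service and re-run to see
    # whether the port moves, as suggested in the reply above.
    print(explain(slapper_hits(SAMPLE_NETSTAT)))
    try:
        live = subprocess.run(["netstat", "-an"], capture_output=True, text=True)
        print(explain(slapper_hits(live.stdout)))
    except FileNotFoundError:
        print("netstat not found on this host")
```

Run it with no arguments: the first line of output is for the constructed sample and flags only udp/1812 and tcp/4156, not the port-80 connections and not the 127.0.0.1:2002 listener. If the live scan flags a port, rebind that daemon to a specific address or restart it as Richard suggests, then run the script again.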