fam daemon restarter
Upon checking my chkroot log I noticed that it was reporting that bindshell was infected:
Checking `bindshell'... INFECTED (PORTS: 1008)
I ran "netstat -tanup" and saw that famd was running on port 1008. I had a feeling that this may be a false positive, so I didn't get all excited like I normally do and rip the network cable out of the back. lol I first backed up the famd executable, then reinstalled famd from scratch. I did a diff on the two binaries and they proved to be the same, so I felt more confident that my famd was not infected. When the fam service was running again I ran chkroot again and did not get the infected message. I thought that this was strange until I ran netstat again and saw that famd was not using port 1008 this time. I figured that the INFECTED message might happen when famd happens to grab port 1008 to listen on. I decided to restart the fam daemon until it listened on port 1008.
This script checks if famd is listening on 1008 and if it's not then it restarts it and checks again until it is listening on 1008.
#!/bin/bash
## famd listening on port 1008
## Check the port that fam is listening on (netstat -p needs root to show the program name)
NETSTAT_RESULT=`netstat -tanup | grep fam`
## if its not 1008 restart the fam daemon and check again
while [[ $NETSTAT_RESULT != *1008* ]]; do
    /etc/init.d/fam restart   ## init script name assumed; adjust for your distro
    sleep 2
    NETSTAT_RESULT=`netstat -tanup | grep fam`
done
echo "fam is listening on port 1008. Run chkroot."
After a while famd restarted listening on port 1008. I ran chkroot again and got the same INFECTED message. Seems like chkroot could test for bindshell infection better than just checking if a daemon is listening on port 1008 as many others have got false positives on this test.
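As an added example (not the author's script), here is the check a practitioner would want before pulling the cable on a "bindshell ... PORTS: 1008" hit: parse the `netstat -tanup` output and report which program actually owns the TCP listener on the port, so the result can be compared against the daemon you expect rather than trusting the port number alone. The netstat output below is constructed, not captured from a real host, and treating a listener named famd as the benign case is an assumption made for illustration.

```shell
#!/bin/bash
# Added example, not from the original post: given `netstat -tanup` output on
# stdin, report which program owns the TCP listener on a port, so a chkrootkit
# bindshell hit on 1008 can be checked against the process name.

# Constructed sample of `netstat -tanup` output, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      1234/famd
tcp        0      0 127.0.0.1:1008          127.0.0.1:45000         ESTABLISHED 1234/famd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           890/portmap'

# listener_program PORT: print the "PID/Program name" field of every TCP socket
# in LISTEN state bound to PORT (any address, IPv4 or IPv6), reading netstat
# output from stdin. Prints nothing if no listener is found.
listener_program() {
    local port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")        # local address is addr:port; take the last part
            if (a[n] == port) print $7
        }'
}

# judge_port PORT: classify the listener on PORT as "famd" (assumed benign, the
# daemon the post found there), "none" (nothing listening) or "unknown:<prog>".
judge_port() {
    local port="$1"
    local prog
    prog=$(listener_program "$port" | sort -u | head -n 1)
    case "$prog" in
        "")        echo "none" ;;
        */famd)    echo "famd" ;;
        *)         echo "unknown:${prog#*/}" ;;
    esac
}

# Stand-alone usage on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | judge_port 1008
```

On a live host, replace the sample with `netstat -tanup | judge_port 1008` (run as root so the program name column is filled in). An "unknown:" result, or a PID whose executable does not match the package's binary, is the case worth investigating; a match with famd is the false positive the post describes.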