Programming Wiki: fam daemon restarter

Programming Wiki : RestartFamUntil

WikiHomePage :: Categories :: PageIndex :: RecentChanges :: RecentlyCommented :: Login/Register

fam daemon restarter

Bash


Upon checking my chkroot log I noticed that it was reporting that bindshell was infected:
Checking `bindshell'... INFECTED (PORTS: 1008)

I ran "netstat -tanup" and saw that famd was running on the port 1008. I had a feeling that this may be a false positive so I didn't get all excited like I nomally do and rip the network cable out of the back. lol I first backed up the famd executable then reinstalled famd from scratch. I did a diff on the two binaries and they proved to be the same so I felt more confident that my famd was not infected. When the fam service was running again I ran chkroot again and did not get the infected message. I thought that this was strange until i ran netstat again and saw that famd was not using port 1008 this time. I figured that the INFECTED message might happen when famd so happens to grab port 1008 to listen on. I decided to restart the fam daemon until it listened on port 1008.

This script checks if famd is listening on 1008 and if its not then it restarts it and checks again until it is lisetning on 1008.

#!/usr/bin/env bash                                                                         
## famd listening on port 1008

while true;
  do
  ## Check the port that fam is listening on                                                 
  NETSTAT_RESULT=`netstat -tanup | grep fam`
  echo $NETSTAT_RESULT
  if [[ $NETSTAT_RESULT == *1008* ]]; then
      echo "fam is listening on port 1008.  Run chkroot."
      break
  else
      ## if its not 1008 restart the fam daemon                                               
      /etc/rc.d/fam restart
      sleep 4
  fi
done


After a while famd restarted listening on port 1008. I ran chkroot again and got the same INFECTED message. Seems like chkroot could test for bindshell infection better than just checking if a daemon is listening on port 1008 as many others have got false positives on this test.

There are no comments on this page. [Add comment]

Powered by Wikka Wakka Wiki 1.1.6.0
Page was generated in 0.0234 seconds