Update: After a while famd restarted and was listening on port 1008 again. I ran chkroot again and got the same INFECTED message. It seems chkroot could test for a bindshell infection better than just checking whether a daemon is listening on port 1008, as many others have got false positives on this test.
Upon checking my chkroot log I noticed that it was reporting that bindshell was infected:
Checking `bindshell'... INFECTED (PORTS: 1008)
I ran "netstat -tanup" and saw that famd was running on port 1008. I had a feeling that this might be a false positive, so I didn't get all excited like I normally do and rip the network cable out of the back. lol I first backed up the famd executable, then reinstalled famd from scratch. I did a diff on the two binaries and they proved to be the same, so I felt more confident that my famd was not infected. When the fam service was running again I ran chkroot again and did not get the infected message. I thought that this was strange until I ran netstat again and saw that famd was not using port 1008 this time. I figured that the INFECTED message might happen when famd happens to grab port 1008 to listen on. I decided to restart the fam daemon until it listened on port 1008.
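The triage above (find the process behind the flagged port, then compare its binary with a known-good copy) can be scripted so it is repeatable the next time chkrootkit's port-based bindshell test fires. The following is an added example written for this page, not code from the original post or from chkrootkit. It assumes Linux (/proc/PID/exe), that netstat -tanup is run as root so the PID/Program column is populated, and it parses a constructed sample of netstat output so it runs offline; the reference path /usr/sbin/famd in the demo call is an assumption.

```bash
#!/usr/bin/env bash
# Triage helper for a chkrootkit "bindshell ... INFECTED (PORTS: N)" hit.
# Added example, not part of the original post. Assumes Linux and root privileges for a live run.
# Step 1: identify the process that owns the flagged LISTEN socket.
# Step 2: compare that process's executable with a known-good copy (e.g. a freshly reinstalled package).

# Constructed sample of `netstat -tanup` output so the script runs offline.
# A live run passes nothing as the second argument and the function calls netstat itself.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN      1234/famd
tcp        0      0 10.0.0.5:1008           10.0.0.9:41022          ESTABLISHED 1234/famd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           590/rpcbind'

# owner_of_port PORT [NETSTAT_OUTPUT]
# Prints the PID/Program entry of the TCP LISTEN socket bound to PORT, or "unknown" if none.
# Only LISTEN rows count: an ESTABLISHED row whose peer happens to use the port is not a bindshell.
owner_of_port() {
    local port=$1
    local netstat_out=${2:-$(netstat -tanup 2>/dev/null)}
    local owner
    owner=$(printf '%s\n' "$netstat_out" | awk -v p="$port" '
        $1 == "tcp" && $6 == "LISTEN" && $4 ~ (":" p "$") { print $7; exit }')
    printf '%s\n' "${owner:-unknown}"
}

# exe_of_pid PID: resolved path of the running program's executable (Linux /proc), or "unknown".
exe_of_pid() {
    readlink -f "/proc/$1/exe" 2>/dev/null || echo unknown
}

# same_binary FILE_A FILE_B: succeeds if both files have the same SHA-256 digest.
# A stricter form of the diff the post describes; also usable against a vendor-published checksum.
same_binary() {
    local a b
    a=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    b=$(sha256sum "$2" 2>/dev/null | awk '{print $1}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# triage PORT REFERENCE_BINARY [NETSTAT_OUTPUT]
# Prints a verdict for the flagged port. Exit 0: listener matches the reference; 1: it differs; 2: undetermined.
triage() {
    local port=$1 reference=$2 owner pid exe
    owner=$(owner_of_port "$port" "${3:-}")
    if [ "$owner" = unknown ]; then
        echo "port $port: nothing listening now (transient listener, or the process has exited)"
        return 2
    fi
    pid=${owner%%/*}
    exe=$(exe_of_pid "$pid")
    if [ "$exe" = unknown ]; then
        echo "port $port: held by $owner, but /proc/$pid/exe is unreadable (not root, or PID is gone)"
        return 2
    fi
    if same_binary "$exe" "$reference"; then
        echo "port $port: held by $owner ($exe), matches reference -> likely a false positive"
        return 0
    fi
    echo "port $port: held by $owner ($exe), DIFFERS from reference -> investigate"
    return 1
}

# Demo on the constructed sample; /usr/sbin/famd is an assumed reference path.
owner_of_port 1008 "$SAMPLE_NETSTAT"
triage 1008 /usr/sbin/famd "$SAMPLE_NETSTAT" || true
```

On a real box, run it as root right after the chkrootkit hit and before restarting anything, since the port is only held while the daemon happens to have it; a "nothing listening now" verdict is exactly the situation the post describes, where a later netstat no longer shows port 1008 at all.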
This script checks whether famd is listening on 1008 and, if it's not, restarts it and checks again until it is listening on 1008.
#!/usr/bin/env bash
## Restart famd until it happens to listen on port 1008, so chkroot's bindshell test can be re-run against it.
## Run as root: otherwise netstat -p does not show the owning program for other users' processes.
while true; do
    netstat -tanup | grep fam   ## show which port fam is listening on
    NETSTAT_RESULT=$(netstat -tanup | grep fam | grep LISTEN | grep 1008)
    if [[ $NETSTAT_RESULT == *1008* ]]; then
        echo "fam is listening on port 1008. Run chkroot."
        break
    else
        ## not on 1008: restart the fam daemon and check again
        /etc/init.d/fam restart   ## assumed init-script path (the original omitted the restart command); adjust for your distro
        sleep 4
    fi
done