
After latest update rkhunter TCP 2006 warning

Nicodemus (Guest)
After the latest update my rkhunter shows me a warning. I guess it is a false positive, but why is it using that port?

Warning: Network TCP port 2006 is being used by /usr/sbin/sw-cp-serverd. Possible rootkit: CB Rootkit or w00tkit Rootkit SSH server
Use the 'lsof -i' or 'netstat -an' command to check this.
 
I have checked on default Plesk installation:

# lsof -i tcp:2006
# lsof -i udp:2006
# netstat -an | grep 2006

As you can see port 2006 is not used there. So, check it. It really may be rootkit.
 
# lsof -i tcp:2006
COMMAND   PID  USER          FD  TYPE DEVICE SIZE NODE NAME
sw-cp-ser 3711 sw-cp-server  8u  IPv4 8972        TCP  *:2006 (LISTEN)

# lsof -i udp:2006
(empty response)

# netstat -an | grep 2006
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN


sw-cp-serverd I found on the following:

netstat -tulnap shows me sw-cp-serverd here:
tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3711/sw-cp-serverd


The only running sw-cp-serverd with the PID 3711 I see with ps axf is this:
3711 ? S 0:01 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config

Any hints?
 
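Added example, not code from the thread or from Plesk: a small Python triage that parses netstat -tulnap rows like the ones above, maps each rkhunter-flagged port to its owning program and bind address, and compares that with an allowlist of the listeners the panel is expected to own. The EXPECTED allowlist, the loopback-only set and the extra 2007/mystery row are constructed assumptions for illustration.

```python
import re
from typing import NamedTuple

class Listener(NamedTuple):
    addr: str
    port: int
    pid: int
    program: str

# One `netstat -tulnap` row: proto, recv-q, send-q, local addr:port, foreign addr, [state], pid/program
LINE_RE = re.compile(r"^(?:tcp|udp)6?\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\d+)/(\S+)")

def parse_netstat(text):
    """Parse rows that carry a pid/program field into Listener tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(Listener(m[1], int(m[2]), int(m[3]), m[4]))
    return out

def triage(listeners, flagged_ports, expected, loopback_only=frozenset()):
    """Give each rkhunter-flagged port a verdict a responder can act on."""
    verdicts = {}
    for port in flagged_ports:
        owners = [l for l in listeners if l.port == port]
        if not owners:
            verdicts[port] = "not-listening"  # nothing bound now; re-check with lsof
        for l in owners:
            if expected.get(port) != l.program:
                verdicts[port] = f"unexpected-owner:{l.program}(pid {l.pid})"
            elif port in loopback_only and not l.addr.startswith("127."):
                verdicts[port] = f"expected-owner-but-exposed:{l.addr}"
            else:
                verdicts[port] = f"expected-owner:{l.program}"
    return verdicts

# Constructed sample: the thread's listing plus one rogue row for contrast.
NETSTAT_SAMPLE = """\
tcp 0 0 0.0.0.0:8880 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 127.0.0.1:10001 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:2006 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 3711/sw-cp-serverd
tcp 0 0 0.0.0.0:2007 0.0.0.0:* LISTEN 4242/mystery
"""
# Hypothetical allowlist for this box: the panel ports plus the SiteEditor vhost on 2006.
EXPECTED = {8880: "sw-cp-serverd", 8443: "sw-cp-serverd", 10001: "sw-cp-serverd", 2006: "sw-cp-serverd"}
if __name__ == "__main__":
    for port, verdict in triage(parse_netstat(NETSTAT_SAMPLE), [2006, 2007, 2008], EXPECTED, {10001}).items():
        print(port, verdict)
```

A port whose owner is on the allowlist but bound to 0.0.0.0 when it should be loopback-only is reported separately, since that is the case worth tightening even when no rootkit is involved.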
It's Debian, I don't have any rpm stuff on the server.

I checked a little into it anyway, and I saw by accident that the 10.2 update was more or less installed instead of the 10.1.1 update, which I managed to fix myself by apt-get install. I see that in

/etc/sw-cp-server/applications.d

folder is a file called

zz011_siteeditor.conf

which sets up the following:

server.modules += ("mod_rewrite", "mod_fastcgi", "mod_accesslog", "mod_access")

var.se_user = "sw-cp-server"
var.se_group = "sw-cp-server"

var.se_port = 2006
var.se_prefix = "/opt/siteeditor"
var.se_vhostname = "siteeditor.******.*******.com" # VHOST name
var.se_hostip = "***.***.***.**" # that was my server's IP address
var.se_phppath = "/usr/bin/sw-engine-cgi"
var.se_accesslog = "/opt/siteeditor/tmp/siteeditor3-access.log"
#var.se_server = var.se_hostip + ":" + var.se_port
var.se_server = ":" + var.se_port

#$HTTP["host"] == var.se_vhostname {
$SERVER["socket"] == var.se_server {
    $HTTP["url"] =~ "^/Login" {
        url.access-deny = ("")
    }

    $HTTP["url"] =~ "^/Admin" {
        url.access-deny = ("")
    }

    # $HTTP["remoteip"] !~ "127.0.0.1|***.***.***.**" { # My Server IPs addy
    #     $HTTP["url"] =~ "^/ServiceFacade/" {
    #         url.access-deny = ( "" )
    #     }
    # }

    # server.port = var.se_port
    server.name = var.se_vhostname
    server.document-root = var.se_prefix + "/htdocs"
    # server.username = var.se_user
    # server.groupname = var.se_group

    accesslog.filename = var.se_accesslog

    fastcgi.map-extensions = ( ".asmx" => ".php" )

    fastcgi.server = ( ".php" =>
        ( "localhost" =>
            (
                "socket" => "/tmp/siteeditor-php.socket",
                "broken-scriptfilename" => "enable",
                "bin-environment" => ("PHPRC" => var.se_prefix + "/etc",),
                "bin-path" => var.se_phppath + " -c " + var.se_prefix + "/etc/php.ini",
                "max-procs" => 1,
                "min-procs" => 0,
                "idle-timeout" => 30,
                "bin-username" => var.se_user
            )
        )
    )

    index-file.names += ( "index.php", "index.html" )

    mimetype.assign = (
        ".png" => "image/png",
        ".jpg" => "image/jpeg",
        ".jpeg" => "image/jpeg",
        ".bmp" => "image/bmp",
        ".gif" => "image/gif",
        ".xml" => "text/xml",
        ".js" => "text/javascript",
        ".html" => "text/html",
        ".jar" => "application/jar",
        ".txt" => "text/plain",
        ".css" => "text/css"
    )

    server.error-handler-404 = "/index.php"

    url.rewrite-once = (
        "(/ServiceFacade/(.*)?)" => "$1", # disable rewriting inside service facade
        "^(/[a-z].*)$" => "$1", # disable rewriting for non-regular paths
        "(.*)" => "/index.php/$1" # rewrite all other urls to front controller
    )
} # $SERVER



So what can I do to uninstall that stuff? I think it is the Sitebuilder of Plesk which is using the 2006 port.
 
We haven't released the Plesk 10.2 version yet. It looks like you have installed Parallels Small Business Panel 10.2 over Plesk. Recovering Plesk is not a trivial task in that case. Therefore I suggest you contact the support team if you can't recover it by yourself.
 