
Last night rkhunter triggered with the following warnings:

[04:10:23] Warning: Network TCP port 32982 is being used by /usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: Solaris Wanuk
           Use the 'lsof -i' or 'netstat -an' command to check this.
[04:10:23]   Checking for TCP port 33369                     [ Not found ]
[04:10:23]   Checking for TCP port 47107                     [ Not found ]
[04:10:23]   Checking for TCP port 47018                     [ Not found ]
[04:10:24]   Checking for TCP port 60922                     [ Warning ]
[04:10:24] Warning: Network TCP port 60922 is being used by /usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: zaRwT.KiT
           Use the 'lsof -i' or 'netstat -an' command to check this.

The previous scan, a day before, did not have the same warning, nor did a second server I am running. There are no further warnings.

I am not sure exactly how to figure out what to do next. I ran 'lsof -i' and it gives the following result:

COMMAND     PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
dhclient    570     root    5u  IPv4     2440      0t0  UDP *:bootpc 
portmap     674   daemon    4u  IPv4     2630      0t0  UDP *:sunrpc 
portmap     674   daemon    5u  IPv4     2634      0t0  TCP *:sunrpc (LISTEN)
rpc.statd   687    statd    4u  IPv4     2666      0t0  UDP *:863 
rpc.statd   687    statd    6u  IPv4     2675      0t0  UDP *:49433 
rpc.statd   687    statd    7u  IPv4     2678      0t0  TCP *:33135 (LISTEN)
rpc.mount   949     root    7u  IPv4     3174      0t0  UDP *:50854 
rpc.mount   949     root    8u  IPv4     3179      0t0  TCP *:45667 (LISTEN)
named       995     bind   20u  IPv6     3297      0t0  TCP *:domain (LISTEN)
named       995     bind   21u  IPv4     3302      0t0  TCP localhost:domain (LISTEN)
named       995     bind   22u  IPv4     3305      0t0  TCP server.stratoserver.net:domain (LISTEN)
named       995     bind   23u  IPv4     3307      0t0  TCP server.local:domain (LISTEN)
named       995     bind   24u  IPv4     3342      0t0  TCP localhost:953 (LISTEN)
named       995     bind   25u  IPv6     3343      0t0  TCP localhost:953 (LISTEN)
named       995     bind  512u  IPv6     3296      0t0  UDP *:domain 
named       995     bind  513u  IPv4     3301      0t0  UDP localhost:domain 
named       995     bind  514u  IPv4     3303      0t0  UDP server.stratoserver.net:domain 
named       995     bind  515u  IPv4     3306      0t0  UDP server.local:domain 
rpc.rquot  1042     root    3u  IPv4     3551      0t0  UDP *:790 
rpc.rquot  1042     root    4u  IPv4     3557      0t0  TCP *:791 (LISTEN)
ntpd       1055      ntp   16u  IPv4     3601      0t0  UDP *:ntp 
ntpd       1055      ntp   17u  IPv6     3602      0t0  UDP *:ntp 
ntpd       1055      ntp   18u  IPv4     3610      0t0  UDP localhost:ntp 
ntpd       1055      ntp   19u  IPv4     3611      0t0  UDP server.stratoserver.net:ntp 
ntpd       1055      ntp   20u  IPv4     3612      0t0  UDP server.local:ntp 
ntpd       1055      ntp   21u  IPv6     3613      0t0  UDP [fe80::21b:c6ff:fe40:4175]:ntp 
ntpd       1055      ntp   22u  IPv6     3614      0t0  UDP localhost:ntp 
ntpd       1055      ntp   23u  IPv6     3615      0t0  UDP [fe80::21b:c6ff:fe40:4172]:ntp 
sshd       1067     root    3u  IPv4     3653      0t0  TCP *:ssh (LISTEN)
sshd       1067     root    4u  IPv6     3655      0t0  TCP *:ssh (LISTEN)
mysqld     1197    mysql   10u  IPv4     3784      0t0  TCP *:mysql (LISTEN)
mysqld     1197    mysql   13u  IPv4 28876535      0t0  TCP server.local:mysql->server.local:41029 (ESTABLISHED)
mysqld     1197    mysql   14u  IPv4 35609701      0t0  TCP server.local:mysql->server2.local:36676 (ESTABLISHED)
mysqld     1197    mysql   15u  IPv4 36159013      0t0  TCP server.local:mysql->server2.local:38976 (ESTABLISHED)
mysqld     1197    mysql   16u  IPv4 36159014      0t0  TCP server.local:mysql->server2.local:38977 (ESTABLISHED)
mysqld     1197    mysql   17u  IPv4 28876538      0t0  TCP server.local:mysql->server.local:41030 (ESTABLISHED)
mysqld     1197    mysql   18u  IPv4 28876539      0t0  TCP server.local:mysql->server.local:41031 (ESTABLISHED)
mysqld     1197    mysql   21u  IPv4 36159015      0t0  TCP server.local:mysql->server2.local:38978 (ESTABLISHED)
mysqld     1197    mysql   22u  IPv4 35609702      0t0  TCP server.local:mysql->server2.local:36677 (ESTABLISHED)
mysqld     1197    mysql   27u  IPv4 36159028      0t0  TCP server.local:mysql->server2.local:38979 (ESTABLISHED)
mysqld     1197    mysql   28u  IPv4 35609703      0t0  TCP server.local:mysql->server2.local:36678 (ESTABLISHED)
mysqld     1197    mysql   29u  IPv4 35610784      0t0  TCP server.local:mysql->server2.local:36690 (ESTABLISHED)
mysqld     1197    mysql   30u  IPv4 36159029      0t0  TCP server.local:mysql->server2.local:38980 (ESTABLISHED)
mysqld     1197    mysql   33u  IPv4 36159030      0t0  TCP server.local:mysql->server2.local:38981 (ESTABLISHED)
mysqld     1197    mysql   34u  IPv4 35610785      0t0  TCP server.local:mysql->server2.local:36691 (ESTABLISHED)
mysqld     1197    mysql   35u  IPv4 36159033      0t0  TCP server.local:mysql->server2.local:38982 (ESTABLISHED)
mysqld     1197    mysql   37u  IPv4 35610786      0t0  TCP server.local:mysql->server2.local:36692 (ESTABLISHED)
mysqld     1197    mysql   38u  IPv4 35611462      0t0  TCP server.local:mysql->server2.local:36693 (ESTABLISHED)
mysqld     1197    mysql   39u  IPv4 35611463      0t0  TCP server.local:mysql->server2.local:36694 (ESTABLISHED)
mysqld     1197    mysql   40u  IPv4 36159034      0t0  TCP server.local:mysql->server2.local:38983 (ESTABLISHED)
mysqld     1197    mysql   43u  IPv4 36159035      0t0  TCP server.local:mysql->server2.local:38984 (ESTABLISHED)
mysqld     1197    mysql   45u  IPv4 35611464      0t0  TCP server.local:mysql->server2.local:36695 (ESTABLISHED)
mysqld     1197    mysql   46u  IPv4 35611466      0t0  TCP server.local:mysql->server2.local:36696 (ESTABLISHED)
mysqld     1197    mysql   47u  IPv4 35611468      0t0  TCP server.local:mysql->server2.local:36698 (ESTABLISHED)
mysqld     1197    mysql   53u  IPv4 35611467      0t0  TCP server.local:mysql->server2.local:36697 (ESTABLISHED)
mysqld     1197    mysql   81u  IPv4 28934739      0t0  TCP server.local:mysql->server.local:41298 (ESTABLISHED)
mysqld     1197    mysql   84u  IPv4 28934741      0t0  TCP server.local:mysql->server.local:41299 (ESTABLISHED)
mysqld     1197    mysql  114u  IPv4 28934743      0t0  TCP server.local:mysql->server.local:41300 (ESTABLISHED)
miniserv.  1275     root    5u  IPv4     4105      0t0  TCP *:20000 (LISTEN)
miniserv.  1275     root    6u  IPv4     4106      0t0  UDP *:20000 
apache2    1286     root    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    1286     root    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
avahi-dae  1300    avahi   13u  IPv4     4217      0t0  UDP *:mdns 
avahi-dae  1300    avahi   14u  IPv6     4218      0t0  UDP *:mdns 
avahi-dae  1300    avahi   15u  IPv4     4219      0t0  UDP *:60072 
avahi-dae  1300    avahi   16u  IPv6     4220      0t0  UDP *:44413 
apache2    1396 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    1396 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    1396 www-data   35u  IPv4 53893609      0t0  TCP server.local:33766->server2.local:9001 (ESTABLISHED)
master     1628     root   12u  IPv4     5232      0t0  TCP *:smtp (LISTEN)
master     1628     root  103u  IPv4     5359      0t0  TCP *:submission (LISTEN)
miniserv.  1935     root    6u  IPv4     6530      0t0  TCP *:webmin (LISTEN)
miniserv.  1935     root    7u  IPv4     6531      0t0  UDP *:10000 
apache2    2545 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    2545 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    2545 www-data   35u  IPv4 53924796      0t0  TCP server.local:33844->server2.local:9001 (ESTABLISHED)
apache2    3155 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    3155 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    3155 www-data   35u  IPv4 53803788      0t0  TCP server.local:33550->server2.local:9001 (ESTABLISHED)
apache2    4436 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    4436 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    4436 www-data   35u  IPv4 53924619      0t0  TCP server.local:33843->server2.local:9001 (ESTABLISHED)
apache2    8768 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    8768 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    8768 www-data   35u  IPv4 53892156      0t0  TCP server.local:33764->server2.local:9001 (ESTABLISHED)
apache2    8773 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    8773 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    8773 www-data   35u  IPv4 53912304      0t0  TCP server.local:33797->server2.local:9001 (ESTABLISHED)
apache2    9275 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    9275 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    9275 www-data   35u  IPv4 53923945      0t0  TCP server.local:33840->server2.local:9001 (ESTABLISHED)
apache2    9276 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2    9276 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2    9276 www-data   35u  IPv4 53890648      0t0  TCP server.local:33754->server2.local:9001 (ESTABLISHED)
sshd      10312     root    3r  IPv4 53910247      0t0  TCP server.stratoserver.net:ssh->dynamic.b-ras1.srl.dublin.eircom.net:18262 (ESTABLISHED)
apache2   10555 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2   10555 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2   10555 www-data   35u  IPv4 53918771      0t0  TCP server.local:33805->server2.local:9001 (ESTABLISHED)
apache2   10557 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2   10557 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)
apache2   10557 www-data   35u  IPv4 53925404      0t0  TCP server.local:33845->server2.local:9001 (ESTABLISHED)
proftpd   13576  proftpd    1u  IPv6 51926297      0t0  TCP *:ftp (LISTEN)
java      16797    idoms   84u  IPv6 28876534      0t0  TCP server.local:41029->server.local:mysql (ESTABLISHED)
java      16797    idoms   86u  IPv6 28876536      0t0  TCP server.local:41031->server.local:mysql (ESTABLISHED)
java      16797    idoms   87u  IPv6 28876537      0t0  TCP server.local:41030->server.local:mysql (ESTABLISHED)
java      16797    idoms   88u  IPv6 28876619      0t0  TCP *:9001 (LISTEN)
java      16797    idoms  100u  IPv6 28934738      0t0  TCP server.local:41298->server.local:mysql (ESTABLISHED)
java      16797    idoms  104u  IPv6 28934740      0t0  TCP server.local:41299->server.local:mysql (ESTABLISHED)
java      16797    idoms  106u  IPv6 28934742      0t0  TCP server.local:41300->server.local:mysql (ESTABLISHED)
apache2   26222 www-data    4u  IPv6     4129      0t0  TCP *:www (LISTEN)
apache2   26222 www-data    6u  IPv6     4133      0t0  TCP *:https (LISTEN)

My untrained eye doesn't see anything strange in there. Can anybody give me any suggestions?

Luuk D. Jansen

1 Answer

Does your web application use curl or do any network operations such as talking to a database?

Whenever a network connection is made, a source IP, source port, destination IP and destination port must be chosen. The source port is chosen from the ephemeral range.

I suspect that one of these network connections chose the port 60922 and was using it at the same time as rkhunter was running. If that's the only alert rkhunter generated, it's almost certainly a false positive and nothing to worry about. Repeated reports will warrant further investigation.

Ladadadada
  • I run the Play! framework using JPA and MySQL, so that is possible (there is a DB connection from the server itself as well as from an external server). So thanks for the suggestion, and I will sit back for a day or two and see if the warning repeats tonight. – Luuk D. Jansen Feb 27 '13 at 11:45
  • Just had the same issue, in my case it was the ElasticSearch engine. `[02:02:04] Warning: Network TCP port 32982 is being used by /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-28.b13.el6_6.x86_64/jre/bin/java. Possible rootkit: Solaris Wanuk Use the 'lsof -i' or 'netstat -an' command to check this.` – Rotem Jun 01 '15 at 07:11
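The triage the answer describes can be turned into a repeatable check: take each rkhunter "Network TCP port ... is being used by ..." line, look the port up in a `lsof -i -n -P` snapshot, and decide whether the port is a LISTEN socket (worth investigating), the local end of an outbound ESTABLISHED connection inside the ephemeral range (the false-positive case the answer suspects), or no longer present (a transient socket). The script below is an added example, not code from the thread or from rkhunter. It assumes the Linux default ephemeral range 32768-60999 when /proc/sys/net/ipv4/ip_local_port_range cannot be read, and its sample warning and lsof lines are constructed to mirror the post (the third warning, for rpc.statd, is invented only to exercise the listener branch; rkhunter would only flag that port if it were in its rootkit port list).

```python
"""Triage rkhunter TCP-port warnings against `lsof -i -n -P` output.

Added example, not from the original thread. Sample input is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: Linux default ip_local_port_range. The live value may be tuned.
DEFAULT_EPHEMERAL = (32768, 60999)

WARNING_RE = re.compile(
    r"Warning: Network TCP port (?P<port>\d+) is being used by (?P<path>\S+)\. "
    r"Possible rootkit: (?P<rootkit>.+?)\s*$"
)

# lsof -i -n -P columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<type>IPv[46])\s+"
    r"\S+\s+\S+\s+(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def read_ephemeral_range(path: str = "/proc/sys/net/ipv4/ip_local_port_range") -> Tuple[int, int]:
    """Read the kernel's ephemeral port range; fall back to the default off-box."""
    try:
        with open(path) as fh:
            lo, hi = fh.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL


def local_port(name: str) -> Optional[int]:
    """Local port from an lsof NAME such as '*:60922', '[::1]:953' or
    '10.0.0.5:60922->10.0.0.9:9001'. Returns None for non-numeric (-P not used)."""
    local = name.split("->", 1)[0]
    _host, sep, port = local.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def triage(warning: str, lsof_lines: List[str],
           ephemeral: Tuple[int, int] = DEFAULT_EPHEMERAL) -> Dict:
    """Classify one rkhunter warning: 'listener', 'ephemeral_client',
    'bound_other' or 'transient' (port not in the lsof snapshot at all)."""
    m = WARNING_RE.search(warning)
    if not m:
        raise ValueError("not an rkhunter port warning: %r" % warning)
    port = int(m.group("port"))
    hits = []
    for line in lsof_lines:
        lm = LSOF_RE.match(line)
        if not lm or lm.group("proto") != "TCP":
            continue  # header line, UDP, or a line in a format we do not parse
        if local_port(lm.group("name")) == port:
            hits.append({"cmd": lm.group("cmd"), "pid": int(lm.group("pid")),
                         "user": lm.group("user"), "state": lm.group("state") or "",
                         "name": lm.group("name")})
    in_range = ephemeral[0] <= port <= ephemeral[1]
    if not hits:
        verdict = "transient"          # gone already: re-check on the next scan
    elif any(h["state"] == "LISTEN" for h in hits):
        verdict = "listener"           # a real listening socket: verify the binary
    elif in_range and all(h["state"] == "ESTABLISHED" for h in hits):
        verdict = "ephemeral_client"   # outbound connection's source port: benign
    else:
        verdict = "bound_other"
    return {"port": port, "path": m.group("path"), "rootkit": m.group("rootkit"),
            "in_ephemeral_range": in_range, "verdict": verdict, "hits": hits}


# Constructed sample input modelled on the post (numeric, as with -n -P).
SAMPLE_WARNINGS = [
    "[04:10:23] Warning: Network TCP port 32982 is being used by "
    "/usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: Solaris Wanuk",
    "[04:10:24] Warning: Network TCP port 60922 is being used by "
    "/usr/lib/apache2/mpm-prefork/apache2. Possible rootkit: zaRwT.KiT",
    # Invented warning, only to exercise the 'listener' branch.
    "[04:10:25] Warning: Network TCP port 33135 is being used by "
    "/sbin/rpc.statd. Possible rootkit: constructed-example",
]
SAMPLE_LSOF = [
    "COMMAND     PID     USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME",
    "rpc.statd   687    statd    7u  IPv4     2678      0t0  TCP *:33135 (LISTEN)",
    "sshd       1067     root    3u  IPv4     3653      0t0  TCP *:22 (LISTEN)",
    "apache2    1396 www-data    4u  IPv6     4129      0t0  TCP *:80 (LISTEN)",
    "apache2    1396 www-data   35u  IPv4 53893609      0t0  TCP 10.0.0.5:60922->10.0.0.9:9001 (ESTABLISHED)",
    "java      16797    idoms   88u  IPv6 28876619      0t0  TCP *:9001 (LISTEN)",
]


def triage_all(warnings: List[str], lsof_lines: List[str]) -> List[Dict]:
    rng = read_ephemeral_range()
    return [triage(w, lsof_lines, rng) for w in warnings]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_WARNINGS, SAMPLE_LSOF):
        print("port %5d %-16s %s %s" % (r["port"], r["verdict"], r["path"],
                                       [(h["cmd"], h["pid"], h["state"]) for h in r["hits"]]))
```

Two caveats when using this for real. First, an ephemeral source port lives only as long as the connection, so a `lsof` taken hours after the scan will usually return "transient"; to catch the socket in the act, run `lsof -i -n -P` at the same moment as the rkhunter port check and compare the PID and executable with the path rkhunter printed. Second, "listener" is not automatically bad: RPC services such as rpc.statd and rpc.mountd in the posted output legitimately bind random high ports, and the Java service on 9001 is the destination of the apache2 connections. What turns a listener into a finding is a binary whose path, owner or package checksum does not match what the distribution shipped (on Debian, `debsums` covers that), which is the check to do before concluding anything from the port number alone.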