Possible rootkit: Volc Rootkit SSH server (divine)

It’s one of those late evenings when you are about to go to get some rest and suddenly receive a rkhunter email saying that a possible rootkit was detected…

Here’s the warning message:

Warning: Network TCP port 33369 is being used by /usr/bin/stunnel4. Possible rootkit: Volc Rootkit SSH server (divine)
Use the 'lsof -i' or 'netstat -an' command to check this.

A quick check reveals it to be an authorised stunnel connection for IMAPS: rkhunter only matches the port number against its list of known rootkit ports, so whatever binary happens to use that port gets flagged.

# lsof -i | grep 33369
stunnel4 3033 root 13u IPv4 30198 0t0 TCP>mail.example.com:imaps (ESTABLISHED)
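The same check, scripted, as an added example that is not part of the original post: it parses `lsof -i` output and reports whether each process using the flagged port is on a local allowlist. The sample listing, the hostnames and the `unknownd` line are constructed; the allowlist is an assumption for this host.

```python
import re

# Constructed sample of `lsof -i` output, not the author's real listing.
# The stunnel4 line mirrors the post; the last line is an added case where
# the same port is owned by a process the allowlist does not know.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12011      0t0  TCP *:ssh (LISTEN)
stunnel4 3033 root   13u  IPv4  30198      0t0  TCP host.example.org:33369->mail.example.com:imaps (ESTABLISHED)
unknownd 4711 root    5u  IPv4  44010      0t0  TCP *:33369 (LISTEN)
"""

# Which commands may own which local port (assumed allowlist for this host).
ALLOWED_OWNERS = {("TCP", 33369): {"stunnel4"}}

# lsof -i columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)(?:\s+\S+){4}\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def parse_lsof(text):
    """Yield one dict per socket line; the header and odd lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        local, _, remote = rec["name"].partition("->")
        rec["local"], rec["remote"] = local, remote or None
        # lsof resolves well-known ports to names unless run with -P,
        # so keep the raw token when it is not numeric.
        port = local.rsplit(":", 1)[-1]
        rec["port"] = int(port) if port.isdigit() else port
        yield rec


def triage(proto, port, lsof_text, allowed=ALLOWED_OWNERS):
    """Return (verdict, record) for every socket bound locally to proto/port.

    'expected' means the owning command is allowlisted for that port; any
    other owner is 'unexpected' and needs a closer look, because rkhunter
    knows only the port number, not which binary is behind it."""
    owners = allowed.get((proto, port), set())
    return [
        ("expected" if rec["cmd"] in owners else "unexpected", rec)
        for rec in parse_lsof(lsof_text)
        if rec["proto"] == proto and rec["port"] == port
    ]


if __name__ == "__main__":
    for verdict, rec in triage("TCP", 33369, SAMPLE_LSOF):
        print(f"{verdict:10} {rec['cmd']} pid={rec['pid']} {rec['name']} {rec['state']}")
```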

As much as I dislike false positives, I am truly glad it was one this time.

