It’s one of those late evenings when you are about to go and get some rest and suddenly receive an rkhunter email saying that a possible rootkit was detected…
Here’s the warning message:
Warning: Network TCP port 33369 is being used by /usr/bin/stunnel4. Possible rootkit: Volc Rootkit SSH server (divine) Use the 'lsof -i' or 'netstat -an' command to check this.
A quick check reveals it to be an authorised Stunnel connection for IMAPS:
# lsof -i | grep 33369
stunnel4 3033 root 13u IPv4 30198 0t0 TCP 10.14.61.134:33369->mail.example.com:imaps (ESTABLISHED)
As much as I dislike false-positives, I am truly glad it was one this time.
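As an added example (not part of the original post), here is a small shell helper that parses `lsof -i -P -n` output for a port flagged by rkhunter and reports the owning process and whether the socket is a listener or an outbound connection, so an ephemeral client port like 33369 can be told apart from a real rootkit listener. The sample lsof output is constructed to mirror the post; the peer address 203.0.113.10 stands in for the IMAPS server.

```shell
#!/bin/sh
# Triage an rkhunter "Network TCP port N is being used by ..." warning.
# Reads `lsof -i -P -n` output on stdin (numeric ports/addresses, no name lookups).

# Constructed sample resembling the post: an outbound stunnel4 IMAPS session
# from ephemeral port 33369, plus an sshd listener for contrast.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
stunnel4 3033 root   13u  IPv4  30198      0t0  TCP 10.14.61.134:33369->203.0.113.10:993 (ESTABLISHED)
sshd     1201 root    3u  IPv4  11230      0t0  TCP *:22 (LISTEN)'

# port_owner PORT : print "COMMAND PID listening" or "COMMAND PID outbound to PEER"
# for the first socket whose *local* port equals PORT; prints nothing if none.
port_owner() {
    awk -v port="$1" '
        NR > 1 {
            n = split($9, ep, "->")      # "local->peer" for connections, "local" for listeners
            m = split(ep[1], loc, ":")   # local port follows the last ":" (works for [IPv6] too)
            if (loc[m] != port) next
            dir = (n == 2) ? "outbound to " ep[2] : "listening"
            print $1, $2, dir; exit
        }'
}

# port_owner_ok PORT EXPECTED_CMD : succeed only if PORT is owned by EXPECTED_CMD.
# A listener owned by an unexpected command is the case that deserves a closer look.
port_owner_ok() {
    owner=$(port_owner "$1")
    [ -n "$owner" ] && [ "${owner%% *}" = "$2" ]
}

# Usage on a live host: lsof -i -P -n | port_owner 33369
printf '%s\n' "$SAMPLE_LSOF" | port_owner 33369
```

The `lsof -i` line in the post (no `-P -n`) shows service and host names instead; the helper assumes numeric output because rkhunter reports the port as a number.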