
Solved Sinusbot rootkit?

Status
Not open for further replies.

FrankP

Active Member
Since the last update a week ago, rkhunter reports the following message:

Warning: Network TCP port 32982 is being used by /opt/sinusbot/sinusbot. Possible rootkit: Solaris Wanuk. Use the 'lsof -i' or 'netstat -an' command to check this.

netstat -anp | fgrep 32982 gives:

tcp 32 0 XXX.XXX.XXX.XXX:32982 104.18.40.220:443 CLOSE_WAIT XXXX/sinusbot

It seems Sinusbot tries to contact a server unknown to me via HTTPS.
Even if there are no other hints for a rootkit on my server, I am a bit nervous now. Anyone else got this?

Greetings, Frank
 

flyth

is reticulating splines
Staff member
Developer
Contributor
The autoupdater has changed and contacts new hostnames for that (updatexx.sinusbot.com). When you open 104.18.40.220 in the browser, you see that it's a Cloudflare server, which is what we use for that. Update checks run periodically, so you will see those requests frequently.
I don't know where you downloaded the version, but if it's from the official website, you should be fine.
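
A triage sketch for the situation in this thread, added here as an example and not part of the original posts or of SinusBot or rkhunter: it classifies one `netstat -anp` TCP line to tell whether a flagged port is a listening socket or only the local end of a connection the host itself opened. The function name, the sample address and PID, and the ephemeral range (the Linux default) are assumptions.

```shell
#!/bin/sh
# Added example: classify a `netstat -anp` TCP line for a port flagged by rkhunter.
# Assumption: Linux default ephemeral port range 32768-60999; check the real
# values on the host in /proc/sys/net/ipv4/ip_local_port_range.
EPH_LOW=32768
EPH_HIGH=60999

# Constructed sample modelled on the line in the thread (local address and PID
# are placeholders, since the original post masks them).
SAMPLE='tcp 32 0 192.0.2.10:32982 104.18.40.220:443 CLOSE_WAIT 1234/sinusbot'

# classify_socket LINE PORT
# Prints one of: listener | outbound-client | other | no-match
classify_socket() {
    printf '%s\n' "$1" | awk -v port="$2" -v lo="$EPH_LOW" -v hi="$EPH_HIGH" '
    {
        # Fields: proto recv-q send-q local foreign state [pid/program]
        n = split($4, l, ":"); lport = l[n]   # last piece also works for IPv6
        m = split($5, r, ":"); rport = r[m]
        state = $6
        if (lport != port) { print "no-match"; exit }
        # A socket in LISTEN state accepts inbound connections on the port.
        if (state == "LISTEN") { print "listener"; exit }
        # Ephemeral local port talking to a low service port: the flagged
        # number is just the temporary source port of an outgoing connection.
        if (lport + 0 >= lo && lport + 0 <= hi && rport + 0 > 0 && rport + 0 < 1024) {
            print "outbound-client"; exit
        }
        print "other"
    }'
}

classify_socket "$SAMPLE" 32982
```

A result of `outbound-client` matches the explanation above (an HTTPS update check opened by sinusbot); `listener` or `other` on a flagged port is what deserves a closer look.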
 