Imagine my surprise to see this warning during my morning review of the rootkit checkers that run nightly on my boxes. The thing is, there were no other anomalies on the box aside from /usr/sbin/php5-fpm being bound to a port that was suspected of belonging to a rootkit. The fact is, by its nature, php5-fpm runs on ports that could potentially be the same ones a rootkit is traditionally found on.
My server is configured with a fixed number of children, 64 of them. Each child will handle 20,000 requests before terminating and spawning a new child (to accommodate any memory leaks). With this configuration, php5-fpm is terminating and spawning new children quite frequently. Each new child listens on a high port number (bunched heavily in the 40,000-49,999 range), so a collision with a “rootkit port” is somewhat rare but not entirely unlikely.
I did go through the motions of using lsof and netstat to peek into what was running, checked my logs, and checked for abnormalities and bizarre login attempts and users. I even checked all of my sites to ensure that there were no files that didn’t marry up with the git repository and reran all of my rootkit checkers for issues. After all was said and done, I restarted php5-fpm and re-ran the rootkit checkers yet again. No issues, and no more php5-fpm listening on the suspect port.
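The checks above (who owns the port, has the binary changed) can be scripted so that the next rkhunter port warning is attributed before it is dismissed. The script below is an added example, not code from the original post or from rkhunter: it parses `ss -ltnp` output to find the PID and command behind a given TCP port, resolves the process's executable via /proc, and verifies that executable against the Debian package database with `dpkg -S` and `dpkg -V`. The sample `ss` output is constructed; the Debian/iproute2 tooling and root privileges (needed for `ss -p` to show other users' processes) are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): triage one rkhunter
# "suspicious port" warning. Assumes Debian/Ubuntu (dpkg) and iproute2 ss(8).

# Constructed sample of `ss -ltnp` output, used for offline demonstration.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:45123          [::]:*            users:(("php5-fpm",pid=2231,fd=8))'

# owner_of_port PORT SS_OUTPUT
# Print "PID:COMMAND" for the listener bound to PORT, or nothing if none.
# Handles IPv4 (0.0.0.0:P), IPv6 ([::]:P) and wildcard (*:P) local addresses;
# the header line is skipped because its 4th field is not a port.
owner_of_port() {
    port="$1"; ss_out="$2"
    printf '%s\n' "$ss_out" | awk -v p="$port" '
        { n = split($4, a, ":"); if (a[n] != p) next
          pid = ""; cmd = ""
          if (match($0, /pid=[0-9]+/))          pid = substr($0, RSTART + 4, RLENGTH - 4)
          if (match($0, /users:\(\("[^"]+"/))  cmd = substr($0, RSTART + 9, RLENGTH - 10)
          print pid ":" cmd; exit }'
}

# verify_binary PID
# Resolve the running executable and check it against its package's manifest.
# Returns 0 when the file matches, 2 when something looks wrong, 1/3 when it
# cannot be checked here.
verify_binary() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) \
        || { echo "cannot resolve /proc/$pid/exe (process gone?)"; return 1; }
    # A "(deleted)" suffix means the on-disk file was replaced or removed
    # after the process started: worth a closer look on its own.
    case "$exe" in
        *" (deleted)") echo "WARNING: $exe was replaced or removed since start"; return 2 ;;
    esac
    command -v dpkg >/dev/null 2>&1 \
        || { echo "no dpkg here; verify $exe by other means"; return 3; }
    pkg=$(dpkg -S "$exe" 2>/dev/null | head -n 1 | cut -d: -f1)
    [ -n "$pkg" ] || { echo "WARNING: $exe belongs to no installed package"; return 2; }
    # dpkg -V lists every file of the package whose checksum/mode differs from
    # the manifest (config files included), so only react if the executable
    # itself is among them.
    changed=$(dpkg -V "$pkg" 2>/dev/null || true)
    if printf '%s\n' "$changed" | grep -F -- "$exe" >/dev/null; then
        echo "WARNING: $exe differs from package $pkg manifest:"
        printf '%s\n' "$changed" | grep -F -- "$exe"
        return 2
    fi
    echo "OK: $exe ($pkg) matches its package manifest"
}

# triage_port PORT: live version of the two checks above.
triage_port() {
    port="$1"
    owner=$(owner_of_port "$port" "$(ss -ltnp 2>/dev/null)")
    [ -n "$owner" ] \
        || { echo "nothing listening on $port now (a short-lived child? re-run while the warning is fresh)"; return 1; }
    pid=${owner%%:*}; cmd=${owner#*:}
    echo "port $port is held by pid $pid ($cmd)"
    verify_binary "$pid"
}

# Offline demonstration on the constructed sample; pass a port as $1 to run
# the live triage instead (e.g. "sh triage.sh 45123" as root).
if [ "$#" -gt 0 ]; then
    triage_port "$1"
else
    echo "sample: port 45123 -> $(owner_of_port 45123 "$SAMPLE_SS")"
fi
```

The parser is the only part that runs without root or a Debian box; the live path is what you would run while the warning is still fresh, since a php5-fpm child that has already hit its request limit will have vanished together with its port.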
I have been running rkhunter every 15 minutes and have been able to catch the occasional child process sitting on a suspected rootkit port. The port has been different each time and a different rootkit is reported depending on said port. If you run portsentry like me, you’re probably no stranger to false positives from rkhunter unless you’ve added it to an allow list.
Lessons learned? I’m thankful that I run multiple rootkit checkers, because it turns out only rkhunter was barking about this situation. It also didn’t bark about any changes to the php5-fpm binaries, just the fact that something was suspect on the port. Remember that “warnings” can be just that. I do plan to closely monitor the situation, but from what I can tell, php5-fpm will from time to time bind to a port that’s suspected of foul play.
Anyone else ever run into this? I’d love to hear about it, comment below!