Rootkit/rkhunter shows redis port 13000 as a possible backdoor

In a general safety awareness upgrade on one of my test servers, I added in a few security extras and auditing tools (eg. lynis, rkhunter, chkrootkit etc). The rkhunter produces this warning:

Warning: Network TCP port 13000 is being used by /usr/bin/redis-server. Possible rootkit: Possible Universal Rootkit (URK) SSH server

I am assuming ('cos I don’t actually know for sure) that it is only because the port matches a “known backdoor” port [chkrootkit did not find the same problem]. Perhaps someone with cybersecurity experience could comment?
This is a non-live server which I can trash if needed, and the listener is only on, so it shouldn’t be able to do much, but still… I’d rather know for sure.


Hi Trent

I am not at all informed on root kit denizens!

As for ports as entry points for threats, the idea is to be aware exactly what ports your router exposes to the web, and to strictly limit that set to recognized services - for eg ssh, https that require ports 22, 80 and 443 to be open. And for these to be running recognized software.

A scan on my site found port 13000 not open or closed but filtered.

The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed.

Here are tools, sites and info to do a security health check Test Your Router -

For example if you allow it Shieldsup here can test your site so you can be more aware of what risks you face.

What a daunting task to read up on and grasp the threat access points and how to respond.