[ossec-list] Re: Possible kernel level rootkit and wui0.2
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Possible kernel level rootkit and wui0.2
- From: "Thanh Han The" <hanthethanh@xxxxxxxxx>
- Date: Wed, 4 Apr 2007 17:42:28 +0200
On Wed, Apr 04, 2007 at 11:49:03AM +0200, Sebastian Esch wrote:
> Hi all!
> I just set up a new virtuozzo virtual server with debian3.1 and plesk
> 8.1.1.
> Since I used ossec before, I installed the new version including the wui.
> 2 problems:
> 1. I get messages saying:
>
> Received From: xxxxxxxxxxx->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
> Process 'xxxxx' hidden from /proc. Possible kernel level rootkit.
>
> several times

I am running openvz and getting the same problem, however
from /proc on the hardware node but from the /proc of the
VPS (for example /var/vz/2001/root/proc). I got rid of it by
moving the vps to /opt.
HTH,
Thanh
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.