Look:
From: OSSEC HIDS <ossec@xxxxxxx>
To: me@xxxxxxx
Subject: OSSEC Notification - server1 - Alert level 10
Date: Tue, 20 Feb 2007 11:20:10 ART (08:20 ART)
OSSEC HIDS Notification.
2007 Feb 20 11:19:22
Received From: 192.168.0.xxx->/var/log/hosts/192.168.0.xxx/kern.log
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Feb 20 11:19:21 192.168.0.xxx kernel: ReiserFS: dm-1: warning: vs-13070: reiserfs_read_locked_inode: i/o failure occurred trying to find stat data of [977 91630 0x0 SD]
Just as a heads up, server1 is NOT 192.168.0.xxx
cheers!
On Tue, 2007-02-20 at 11:02 -0300, Nicolas Arias wrote:
> Great Josh!, good link.
>
> Thanks!
>
> Cheers
>
> On Mon, 2007-02-19 at 15:38 -0700, Joshua Gimer wrote:
> > Here is a pretty good description of how it works.
> >
> > http://www.mail-archive.com/ossec-list@xxxxxxxxxxxxxxxx/msg01348.html
> >
> > Josh
> >
> > On 2/19/07, Nicolas Arias <nicolas.arias@xxxxxxxxxxx> wrote:
> > Hello guys.
> >
> > This weekend I received 2 alerts from a busy server about hidden
> > ports, both high ports.
> >
> > On that server I have Oracle XE, but it shows the ports in netstat.
> >
> > We had checked absolutely everything and it doesn't look bad, so I must
> > assume that those were false positives...
> >
> > Daniel, can you put some light on this mystery?
> >
> > Can you explain how the rootkit detector works? I mean, the internals.
> > I will give the source code a try, but human words can help :)
> >
> > Thanks!
> > Cheers!
> >
> > --
> > Nicolas Arias
> > Security Officer
> > +54 11 4109 1885
> > +54 9 11 5455 0055
> > nicolas.arias@xxxxxxxxxxx
> >
> > --
> > Thx
> > Joshua Gimer
--
Nicolas Arias
Security Officer
+54 11 4109 1885
+54 9 11 5455 0055
nicolas.arias@xxxxxxxxxxx
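As an added example, not code from the thread or from OSSEC itself: a small Python parser for notifications in the format quoted above that reports which host a forwarded log line actually came from, which is the attribution point made about server1. The sample alert, the host names and the /var/log/hosts/<host>/ collector layout are constructed assumptions.

```python
import re

# Constructed sample shaped like the notification quoted in this thread (not the
# original mail; hosts replaced with an example name and a documentation address).
SAMPLE_SUBJECT = "OSSEC Notification - server1 - Alert level 10"
SAMPLE_BODY = """\
OSSEC HIDS Notification.
2007 Feb 20 11:19:22

Received From: server1->/var/log/hosts/192.0.2.10/kern.log
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Feb 20 11:19:21 192.0.2.10 kernel: ReiserFS: dm-1: warning: vs-13070: reiserfs_read_locked_inode: i/o failure occurred trying to find stat data of [977 91630 0x0 SD]
"""

SUBJECT_RE = re.compile(r"^OSSEC Notification - (?P<host>.+?) - Alert level (?P<level>\d+)$")
RECEIVED_RE = re.compile(r"^Received From:\s*(?P<reporter>\S+?)->(?P<location>\S+)\s*$", re.M)
RULE_RE = re.compile(r'^Rule:\s*(?P<id>\d+) fired \(level (?P<level>\d+)\) -> "(?P<desc>[^"]*)"', re.M)
# Assumed collector layout (as in the thread's alert): remote syslog is written to
# /var/log/hosts/<sender>/..., so the directory name, not the reporter, is the origin.
REMOTE_RE = re.compile(r"^/var/log/hosts/(?P<host>[^/]+)/")
LOG_MARKER = "Portion of the log(s):"

def parse_notification(subject, body):
    """Extract rule, levels, reporter and the host the log line actually came from."""
    subj, recv, rule = SUBJECT_RE.match(subject.strip()), RECEIVED_RE.search(body), RULE_RE.search(body)
    if not (subj and recv and rule):
        raise ValueError("not an OSSEC notification")
    remote = REMOTE_RE.match(recv.group("location"))
    start = body.find(LOG_MARKER)
    logs = [] if start < 0 else [l for l in body[start + len(LOG_MARKER):].splitlines() if l.strip()]
    return {
        "subject_host": subj.group("host"), "subject_level": int(subj.group("level")),
        "reporter": recv.group("reporter"), "location": recv.group("location"),
        "origin": remote.group("host") if remote else recv.group("reporter"),
        "forwarded": remote is not None,
        "rule_id": int(rule.group("id")), "level": int(rule.group("level")),
        "description": rule.group("desc"), "logs": logs,
    }

def triage_note(alert):
    """One line telling the on-call reader which box to look at (the thread's point)."""
    base = f"rule {alert['rule_id']} (level {alert['level']}) on {alert['origin']}"
    if alert["origin"] != alert["subject_host"]:
        return f"{base}: log forwarded via {alert['reporter']}, not a fault on {alert['subject_host']} itself"
    return base
```

Run `triage_note(parse_notification(SAMPLE_SUBJECT, SAMPLE_BODY))` to see the forwarded case flagged; a plain local alert yields just the rule/level/host line.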