
[ossec-list] rootkit or trojaned version netstat alerts



I've received several alerts from one host where ossec is telling me that due to several ephemeral, hidden TCP ports being open/listening that the box might be rooted or have a trojaned netstat.  I've run chkrootkit and the system passes.  It's true that netstat does not see these ports in use.  How can I verify this and how accurate is the ossec alert/check?

Here's an example alert from OSSEC:

OSSEC HIDS Notification.
2007 Jul 25 12:03:50

Received From: (BOXEN01) 1.2.3.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Port '33477'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.



 --END OF NOTIFICATION


Thanks,
--
Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx>
RPS Technology, LLC
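One way to check an alert like this independently, as an added example that is not OSSEC's own rootcheck code: the script below runs the same kind of bind test the alert is based on (a fresh socket fails to bind a port that something already holds) and compares the result with what the kernel itself reports in /proc/net/tcp and /proc/net/tcp6, rather than with netstat output. A port that the bind test says is held but that appears nowhere in the kernel tables is the condition worth investigating. It assumes Linux and must run as root to test ports below 1024; the /proc/net/tcp sample embedded in it is constructed for the parser test and is not from the original post.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp layout (not taken from the original post).
# local_address is hex IPv4:port; st 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:82C5 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Return {local_port: {state, ...}} for every socket row in /proc/net/tcp text."""
    ports = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        ports.setdefault(local_port, set()).add(fields[3])
    return ports


def read_kernel_ports():
    """Ports the kernel reports in any state, from /proc/net/tcp and tcp6 (Linux only)."""
    ports = {}
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                for port, states in parse_proc_net_tcp(fh.read()).items():
                    ports.setdefault(port, set()).update(states)
        except OSError:
            pass                                # file absent: not Linux, or no /proc
    return ports


def bind_in_use(port):
    """True if 0.0.0.0:port is already held, False if free, None if it could not be tested.

    No SO_REUSEADDR is set on purpose: a port held by any socket, even one only in
    use for an outbound connection, must make the bind fail, as in the rootcheck test.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        if exc.errno == errno.EACCES:           # privileged port and not root
            return None
        raise
    finally:
        s.close()


def find_hidden_ports(ports, kernel_ports_fn=read_kernel_ports):
    """Ports the bind test says are held but the kernel tables do not list in any state."""
    hidden = []
    for port in ports:
        if bind_in_use(port) is not True:
            continue
        # Re-read the table only after the failed bind: a short-lived outbound
        # connection on an ephemeral port would otherwise look like a hidden listener.
        if port not in kernel_ports_fn():
            hidden.append(port)
    return hidden


if __name__ == "__main__":
    import sys
    lo, hi = (int(a) for a in sys.argv[1:3]) if len(sys.argv) == 3 else (1024, 65535)
    for p in find_hidden_ports(range(lo, hi + 1)):
        print(f"Port {p}/tcp is held but absent from /proc/net/tcp*: hidden")
```

Run it as root over the port range in question (`python3 hidden_ports.py 32768 61000`, for instance). Checking the kernel table in every state, not just LISTEN, and re-reading it after the failed bind is what separates a real hidden socket from an ephemeral port that an outbound connection happened to be using at the moment of the test.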



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.