
[ossec-list] Re: rootkit or trojaned version netstat alerts



Hi Clayton

Is the server actually listening on TCP 33477?
Check your firewall logs for connections to that server:port.
Run a portscan against that server from another host on the same subnet.
i.e. # nmap -sT -p 33477 1.2.3.4

IF your server is compromised with a rootkit and is listening on TCP 33477 or any other hidden ports for that matter, do not continue with my following suggestions :)  If your server is compromised, you should take an image of it before continuing and perform these checks on the image.

On the server, you can check the inode for netstat binary.
1. Locate the directory that the netstat binary is in:
# which  netstat
/bin/netstat

2. Check the inodes for files in /bin
# ls -asli /bin | sort
example:
2146377  104 -rwxr-xr-x  1 root root   99456 2006-10-16 22:30 netstat
..............
2146427    8 -rwxr-xr-x  1 root root    4137 2007-01-17 01:19 zgrep
2146428    4 -rwxr-xr-x  1 root root    1456 2007-01-17 01:19 zless
2146429    4 -rwxr-xr-x  1 root root    2397 2007-01-17 01:19 zmore
2146430    8 -rwxr-xr-x  1 root root    4922 2007-01-17 01:19 znew

The inode for netstat should be within the same basic range as the other binaries in /bin.
If netstat has been replaced as part of a rootkit, its inode will more than likely be in a completely different range from the other binaries.
i.e.
98772     104 -rwxr-xr-x  1 root root   99456 2006-10-16 22:30 netstat
..............
2146427    8 -rwxr-xr-x  1 root root    4137 2007-01-17 01:19 zgrep
2146428    4 -rwxr-xr-x  1 root root    1456 2007-01-17 01:19 zless
2146429    4 -rwxr-xr-x  1 root root    2397 2007-01-17 01:19 zmore
2146430    8 -rwxr-xr-x  1 root root    4922 2007-01-17 01:19 znew

You can also run a trusted netstat from a helix cdrom and see if the server really is listening on tcp 33477.
Helix: http://www.e-fense.com/helix/

There's so many things you can do.
# strings /bin/netstat | grep 33477   would also be handy.


Happy digging :)

SaintN



On 7/26/07, Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx> wrote:
I've received several alerts from one host where ossec is telling me that due to several ephemeral, hidden TCP ports being open/listening that the box might be rooted or have a trojaned netstat.  I've run chkrootkit and the system passes.  It's true that netstat does not see these ports in use.  How can I verify this and how accurate is the ossec alert/check?

Here's an example alert from OSSEC:

OSSEC HIDS Notification.
2007 Jul 25 12:03:50

Received From: (BOXEN01) 1.2.3.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Port '33477'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.



 --END OF NOTIFICATION


Thanks,
--
Clayton Dillard <cdillard@xxxxxxxxxxxxxxxxx>
RPS Technology, LLC
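The two on-host checks SaintN describes (inode range of netstat versus its neighbours in /bin, and whether the kernel's socket table lists a port that netstat does not), written up as an added shell example; this is not code from the thread or from the OSSEC project. The function names, the 50% distance-from-median threshold and the SAMPLE_* inputs are all my own assumptions and constructed data (the /bin listing reuses the thread's example with a few extra entries; the /proc/net/tcp and netstat -tln samples are made up, with 0x82C5 being 33477).

```shell
#!/bin/sh
# Added example (not from the thread or from OSSEC). Two of the checks SaintN
# describes, written as functions over data passed in as strings so they run
# offline. SAMPLE_* are constructed inputs; the threshold is an assumption.

# 1. Inode-range check: print names in `ls -asli DIR` output whose inode sits far
#    from the median inode of the directory. A binary written later (e.g. dropped
#    by a rootkit) usually gets an inode outside the range the installer allocated.
inode_outliers() {   # $1 = output of `ls -asli DIR` (or `ls -li DIR`)
    median=$(printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -n |
             awk '{ a[NR] = $1 } END { print a[int((NR + 1) / 2)] }')
    printf '%s\n' "$1" | awk -v m="$median" '
        $1 ~ /^[0-9]+$/ {
            d = $1 - m; if (d < 0) d = -d
            # assumed heuristic: flag anything more than 50% away from the median inode
            if (d > m * 0.5) print $NF
        }'
}

# 2. Hidden-port check: LISTEN sockets in the kernel table (/proc/net/tcp, state
#    column 0A, port in hex) that `netstat -tln` does not report. A trojaned
#    userland netstat filters its own output, so the two disagree; a kernel-level
#    rootkit that filters /proc fools both (see the note after this block).
hidden_ports() {   # $1 = contents of /proc/net/tcp, $2 = output of `netstat -tln`
    { printf '%s\n' "$2" | sed 's/^/N /'; printf '%s\n' "$1" | sed 's/^/K /'; } | awk '
        function hex2dec(h,   i, n) {
            n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return n
        }
        # netstat line after tagging: N tcp Recv-Q Send-Q 0.0.0.0:22 0.0.0.0:* LISTEN
        $1 == "N" && $2 ~ /^tcp/ && $NF == "LISTEN" { n = split($5, a, ":"); seen[a[n]] = 1 }
        # kernel line after tagging:  K 0: 00000000:0016 00000000:0000 0A ...
        $1 == "K" && $5 == "0A" {
            n = split($3, a, ":"); p = hex2dec(a[n])
            if (!(p in seen) && !(p in done)) { done[p] = 1; print p }
        }'
}

# Constructed sample data. netstat carries the out-of-range inode from the thread.
SAMPLE_LS='total 7700
2146250    4 -rwxr-xr-x  1 root root   22000 2007-01-17 01:19 cat
2146301   88 -rwxr-xr-x  1 root root   87000 2007-01-17 01:19 ls
98772    104 -rwxr-xr-x  1 root root   99456 2006-10-16 22:30 netstat
2146390   76 -rwxr-xr-x  1 root root   75000 2007-01-17 01:19 sh
2146427    8 -rwxr-xr-x  1 root root    4137 2007-01-17 01:19 zgrep
2146428    4 -rwxr-xr-x  1 root root    1456 2007-01-17 01:19 zless
2146429    4 -rwxr-xr-x  1 root root    2397 2007-01-17 01:19 zmore
2146430    8 -rwxr-xr-x  1 root root    4922 2007-01-17 01:19 znew'

# Constructed kernel table: 22, 80 and 33477 (0x82C5) listening, plus one established socket.
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5001 1 00000000 300 0 0 2 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5002 1 00000000 300 0 0 2 -1
   2: 00000000:82C5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5003 1 00000000 300 0 0 2 -1
   3: 0100007F:0016 0100007F:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 5004 1 00000000 20 4 30 10 -1'

# Constructed netstat output that "forgets" port 33477.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN'

echo "inode outliers in the /bin sample:"
inode_outliers "$SAMPLE_LS"
echo "ports listening in the kernel table but missing from netstat:"
hidden_ports "$SAMPLE_PROC_TCP" "$SAMPLE_NETSTAT"
```

On a real host you would feed it live data, from a trusted toolset such as the Helix CD as SaintN suggests, since a trojaned ls or awk would defeat the check: `inode_outliers "$(ls -asli /bin)"` and `hidden_ports "$(cat /proc/net/tcp)" "$(netstat -tln)"`. Two caveats: the inode heuristic also flags a netstat that was legitimately reinstalled by a later package update, so confirm with the package manager's own checksums (`rpm -V` or `debsums`) before drawing conclusions; and because netstat itself reads /proc/net/tcp, the second check only catches a userland replacement. A kernel-level rootkit filters /proc too, which is why OSSEC's rootcheck does not trust either view and instead tries to bind() to every port, reporting the port as hidden when the bind fails but netstat stays silent.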




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.