[ossec-list] Re: rootkit or trojaned version netstat alerts
Clayton Dillard wrote:
> I've received several alerts from one host where ossec is telling me
> that due to several ephemeral, hidden TCP ports being open/listening
> that the box might be rooted or have a trojaned netstat. I've run
> chkrootkit and the system passes. It's true that netstat does not see
> these ports in use. How can I verify this and how accurate is the ossec
> alert/check?
>
> Here's an example alert from OSSEC:
>
> OSSEC HIDS Notification.
> 2007 Jul 25 12:03:50
>
> Received From: (BOXEN01) 1.2.3.4->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Port '33477'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
>
>
> --END OF NOTIFICATION
>
>
> Thanks,
If you have a busy server that runs a daemon that opens and closes high
ports quickly, ossec can generate false positives on this rule. I see it
fairly often with ftp & smtp.
Ken
--
Ken Anderson
Pacific.Net
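One way to re-check a rule 510 hit for the race Ken describes, as an added example that is not OSSEC code or part of this thread: it repeats rootcheck's bind-versus-table comparison several times, so a daemon that frees port 33477 between the two observations comes out as transient rather than as a hidden port. The helper names (recheck, classify) are assumptions, and /proc/net/tcp is read in place of netstat, which draws on the same tables.

```python
"""Re-sample a rootcheck hidden-port finding (rule 510). rootcheck bind()s each
port and calls it hidden when bind fails with EADDRINUSE but netstat does not
list it; a daemon that opens and closes high ports quickly can release the port
between those two observations. Hypothetical helper, not OSSEC code."""
import errno, socket, sys, time

def port_in_use(port):
    """rootcheck's probe: bind() failing with EADDRINUSE means the port is taken."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False

def ports_in_proc_net(text):
    """Local ports (any state) from /proc/net/tcp or tcp6 text, the tables netstat reads."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 4:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def visible_ports():
    found = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            found |= ports_in_proc_net(open(path).read())
        except OSError:
            pass  # e.g. no IPv6 table on this kernel
    return found

def classify(samples):
    """samples: list of (in_use, visible) pairs -> verdict."""
    hidden = sum(1 for in_use, visible in samples if in_use and not visible)
    if hidden == 0:
        return "not hidden"
    return "persistently hidden" if hidden == len(samples) else "transient"

def recheck(port, probe=port_in_use, snapshot=visible_ports, samples=5, interval=1.0):
    """Probe and snapshot several times; only a port hidden on every sample is suspicious."""
    results = []
    for i in range(samples):
        results.append((probe(port), port in snapshot()))
        if i < samples - 1:
            time.sleep(interval)  # give a short-lived ephemeral socket time to close
    return classify(results)

if __name__ == "__main__":
    print(recheck(int(sys.argv[1]) if len(sys.argv) > 1 else 33477))
```

A "persistently hidden" verdict still needs the in-use port followed up by other means (chkrootkit, the process table, an offline scan); the script only rules out the timing race.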
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.