
[ossec-list] Re: rootkit or trojaned version netstat alerts



That might also be the problem (bug in the Linux kernel):

from: http://www.ossec.net/dcid/?p=87

"
If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I
may have figured out one of the possible causes today (and no, it is
not a rootkit). To keep the story short: if you bind any TCP port, but
do not listen on it, netstat will not show it at all (the same does
not happen with UDP ports).

Here is the idea. If you get this simple C program, it will attempt to
bind every TCP port from 1025 to 1050, but it will not listen on them.
After it is done, if you do a netstat (or fuser or lsof) nothing will
be shown. However, if you try to use the port, you will get an error
saying that it is already in use.
"

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 7/26/07, Ken A <ka@xxxxxxxxxxx> wrote:
>
> Clayton Dillard wrote:
> > I've received several alerts from one host where ossec is telling me
> > that due to several ephemeral, hidden TCP ports being open/listening
> > that the box might be rooted or have a trojaned netstat.  I've run
> > chkrootkit and the system passes.  It's true that netstat does not see
> > these ports in use.  How can I verify this and how accurate is the ossec
> > alert/check?
> >
> > Here's an example alert from OSSEC:
> >
> > OSSEC HIDS Notification.
> > 2007 Jul 25 12:03:50
> >
> > Received From: (BOXEN01) 1.2.3.4->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> > (rootcheck)."
> > Portion of the log(s):
> >
> > Port '33477'(tcp) hidden. Kernel-level rootkit or trojaned version of
> > netstat.
> >
> >
> >
> >  --END OF NOTIFICATION
> >
> >
> > Thanks,
>
> If you have a busy server that runs a daemon that opens and closes high
> ports quickly, ossec can generate false positives on this rule. I see it
> fairly often with ftp & smtp.
> Ken
>
>
> --
> Ken Anderson
> Pacific.Net
>

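The bound-but-not-listening case quoted above can be reproduced and checked in a few lines. The program below is an added example, not code from the ossec.net post or from the OSSEC rootcheck source: it binds a TCP socket without calling listen(), then runs the two tests a rootcheck-style port scan relies on, namely "can I bind this port myself?" (EADDRINUSE means something holds it) and "does the kernel's own table, /proc/net/tcp, which netstat -an reads, list it?". A port that is held but absent from the table is exactly what produces the "Port 'N'(tcp) hidden" alert. The function names and the decision to read /proc/net/tcp directly instead of parsing netstat output are my own choices; it assumes Linux, where a bound socket that never called listen() sits in the bind hash only and so never appears in /proc/net/tcp.

```c
/* Added example (not from the OSSEC thread or the ossec.net post):
 * reproduce "bound but not listening" and run a rootcheck-style hidden
 * port test against it. Assumes Linux and a readable /proc/net/tcp. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP socket to 0.0.0.0 on a kernel-chosen port and deliberately
 * skip listen(). Returns the socket fd (caller closes it), stores the
 * port in *port, or returns -1 on failure. */
int bind_without_listen(unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = 0;                        /* let the kernel pick a port */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;                              /* no listen() on purpose */
}

/* rootcheck-style probe: try to bind the port ourselves.
 * Returns 1 if it is in use (bind failed with EADDRINUSE),
 * 0 if we could bind it (so it is free), -1 on any other error. */
int port_in_use(unsigned short port)
{
    struct sockaddr_in sa;
    int rc, saved, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    saved = errno;
    close(fd);
    if (rc == 0)
        return 0;
    return saved == EADDRINUSE ? 1 : -1;
}

/* Scan /proc/net/tcp (the table netstat -an reads) for a local port in
 * any state. Returns 1 if present, 0 if absent, -1 if unreadable. */
int port_in_proc_net_tcp(unsigned short port)
{
    char line[512];
    int found = 0;
    FILE *f = fopen("/proc/net/tcp", "r");
    if (!f)
        return -1;
    if (!fgets(line, sizeof line, f)) {     /* skip the header line */
        fclose(f);
        return -1;
    }
    while (fgets(line, sizeof line, f)) {
        unsigned int lport;
        /* columns: "sl: local_address rem_address st ..." with the
         * address as 8 hex digits, a colon, and the port in hex */
        if (sscanf(line, " %*d: %*8x:%x", &lport) == 1 && lport == port) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* 1 = held on this host yet missing from /proc/net/tcp (what rootcheck
 * reports as hidden), 0 = consistent, -1 = could not decide. */
int port_looks_hidden(unsigned short port)
{
    int used = port_in_use(port), shown = port_in_proc_net_tcp(port);
    if (used < 0 || shown < 0)
        return -1;
    return used == 1 && shown == 0;
}

int main(void)
{
    unsigned short port;
    int fd = bind_without_listen(&port);
    if (fd < 0) {
        perror("bind_without_listen");
        return 1;
    }
    printf("tcp/%u bound without listen(): in use=%d, in /proc/net/tcp=%d, "
           "looks hidden=%d\n", port, port_in_use(port),
           port_in_proc_net_tcp(port), port_looks_hidden(port));
    close(fd);
    printf("after close: in use=%d\n", port_in_use(port));
    return 0;
}
```

Run it and the port reports in use but absent from the kernel table while the socket is open, and free again as soon as it is closed, with no rootkit involved. The practical lesson for tuning rule 510 is to correlate the alert with what holds the port (fuser, lsof, or a second rootcheck pass a minute later) before treating it as a compromise, since any long-lived daemon that binds and never listens, or a busy one cycling ephemeral ports as Ken describes, will trip the same test.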



OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.