[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] ossec on lunar linux

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] ossec on lunar linux
From: Martin West <martin@xxxxxxxxxxxxxxxx>
Date: Tue, 27 Feb 2007 23:04:34 +0000
Cc: ossec-list@xxxxxxxxx
Content-transfer-encoding: 7bit


Got this error ...

Received From: andromda->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):

Trojaned version of file '/bin/netstat' detected. Signature used: 'bash|
^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Trojan)

and chkrootkit also flagged it but we think it is invalid ...

"I put one of my top guys on this and his analysis is that the reason
lots of rootkit-packages trigger on our netstat is that its been built
with debugging-symbols and contains the string "sockaddr.h" which most 
rootkit-checkers isn't used to seeing.

        Cheers Leif"

Thanks for a great product.

Martin West

References:
- [ossec-list] Windows Agent Issues
  - From: Rob

Prev by Date: [ossec-list] Windows Agent Issues
Next by Date: [ossec-list] Re: Windows Agent Issues
Previous by thread: [ossec-list] Windows Agent Issues
Next by thread: [ossec-list] Re: Windows Agent Issues
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.