[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?

To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
From: David Vasil <dmvasil@xxxxxxxx>
Date: Fri, 07 Sep 2007 08:36:48 -0400
Authentication-results: mx.google.com; spf=pass (google.com: best guess record for domain of dmvasil@xxxxxxxx designates 160.91.4.119 as permitted sender) smtp.mail=dmvasil@xxxxxxxx

Peter M. Abraham wrote:
> Greetings Steve:
> 
> I finally got around to installing the latest nmap and checking nmap.
> 
> PORT     STATE SERVICE    VERSION
> 21/tcp   open  ftp        ProFTPD 1.3.0a
> 22/tcp   open  ssh        OpenSSH 3.6.1p2 (protocol 2.0)
> 25/tcp   open  smtp       qmail smtpd
> 53/tcp   open  domain
> 80/tcp   open  http       Apache httpd
> 110/tcp  open  pop3       qmail pop3d
> 143/tcp  open  imap       Courier Imapd (released 2005)
> 443/tcp  open  http       Apache httpd
> 587/tcp  open  smtp       qmail smtpd
> 953/tcp  open  rndc?
> 3306/tcp open  mysql      MySQL 5.0.45-community-log
> 5001/tcp open  apc-agent  APC PowerChute agent
> 5432/tcp open  postgresql PostgreSQL DB
> 8009/tcp open  ajp13?
> 8080/tcp open  http       Apache httpd
> 8443/tcp open  http       Apache httpd
> 
> Yet, ossec-rootcheck shows
> 
> [FAILED]: Port '40773'(tcp) hidden. Kernel-level rootkit or trojaned
> version of netstat.
> 
> Thank you.
> 

What were the arguments you passed to nmap?  The default port range for
nmap is 1-1024 and any additional ports defined by the nmap services
file.  This could be one reason why nmap only shows those ports open yet
ossec reports a higher port in use.

-- 
-dave

Follow-Ups:
- [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
  - From: Peter M. Abraham

References:
- [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
  - From: Peter M. Abraham

Prev by Date: [ossec-list] OSSEC wui - No Agents visible.
Next by Date: [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
Previous by thread: [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
Next by thread: [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
Index(es):
- Date
- Thread

OSSEC home | Main Index | Thread Index

OSSEC project: www.ossec.net.
Mailling list information: http://www.ossec.net/en/mailing_lists.html.