[ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Sun, 9 Sep 2007 21:54:07 -0300
Hi Peter,
If you are running Linux, it can very well be a false positive caused by a weird behavior of the Linux kernel (and a broken application binding but not listening to the socket). Take a look at the following blog entry:
http://www.ossec.net/dcid/?p=87
http://www.ossec.net/ossec-list/2007-August/msg00154.html

Is anyone interested in adding this information to the wiki FAQ? More and more people are having similar issues lately...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/6/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>
> Greetings Steve:
>
> I finally got around to installing the latest nmap and checking nmap.
>
> PORT     STATE SERVICE    VERSION
> 21/tcp   open  ftp        ProFTPD 1.3.0a
> 22/tcp   open  ssh        OpenSSH 3.6.1p2 (protocol 2.0)
> 25/tcp   open  smtp       qmail smtpd
> 53/tcp   open  domain
> 80/tcp   open  http       Apache httpd
> 110/tcp  open  pop3       qmail pop3d
> 143/tcp  open  imap       Courier Imapd (released 2005)
> 443/tcp  open  http       Apache httpd
> 587/tcp  open  smtp       qmail smtpd
> 953/tcp  open  rndc?
> 3306/tcp open  mysql      MySQL 5.0.45-community-log
> 5001/tcp open  apc-agent  APC PowerChute agent
> 5432/tcp open  postgresql PostgreSQL DB
> 8009/tcp open  ajp13?
> 8080/tcp open  http       Apache httpd
> 8443/tcp open  http       Apache httpd
>
> Yet, ossec-rootcheck shows
>
> [FAILED]: Port '40773'(tcp) hidden. Kernel-level rootkit or trojaned
> version of netstat.
>
> Thank you.
>
>
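The following is an added example for triaging this kind of rootcheck finding; it is not rootcheck's own code and not part of the original thread. It reproduces the two ingredients of the check as described above (a bind() probe to see whether a port is owned, and a look at what netstat reports, here read directly from /proc/net/tcp and /proc/net/tcp6), then adds the distinguishing step a practitioner wants: a connect() to the port. A socket that was bind()ed but never listen()ed is absent from the kernel's listening table, so netstat does not show it, yet bind() on it still fails with EADDRINUSE; connect() to it is refused. A port that is absent from the table but does accept connections is the case that actually deserves the "hidden port" alarm. The function names, the classification labels and the demo sockets are my own constructions; the example runs on Linux and uses loopback only.

```python
import errno
import socket

# Kernel socket tables that netstat -lnt is built from (Linux only).
PROC_TABLES = ("/proc/net/tcp", "/proc/net/tcp6")
TCP_LISTEN = "0A"  # state column value for LISTEN in /proc/net/tcp


def listening_ports(tables=PROC_TABLES):
    """Ports of sockets in LISTEN state, i.e. what netstat/ss would show."""
    ports = set()
    for path in tables:
        try:
            with open(path) as f:
                next(f)  # header line
                for line in f:
                    fields = line.split()
                    local_addr, state = fields[1], fields[3]
                    if state == TCP_LISTEN:
                        ports.add(int(local_addr.rsplit(":", 1)[1], 16))
        except FileNotFoundError:
            pass  # e.g. IPv6 disabled: no tcp6 table
    return ports


def port_in_use(port):
    """Bind probe: EADDRINUSE means some socket owns the port, listening or not."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def accepts_connections(port):
    """connect() completes only if a listener exists; a bound-only socket yields RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(2)
        try:
            s.connect(("127.0.0.1", port))
            return True
        except ConnectionRefusedError:
            return False


def classify(port, visible=None):
    """Labels (my own): free, listening, bound-not-listening, hidden."""
    visible = listening_ports() if visible is None else visible
    if not port_in_use(port):
        return "free"
    if port in visible:
        return "listening"            # normal: owned and shown by netstat
    if accepts_connections(port):
        return "hidden"               # owned, accepting, yet not in the table
    return "bound-not-listening"      # the benign false-positive case


def demo():
    """Constructed sockets: one real listener, one that only calls bind()."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    bound_only = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        bound_only.bind(("127.0.0.1", 0))  # deliberately no listen()
        lport = listener.getsockname()[1]
        bport = bound_only.getsockname()[1]
        return {"listener": classify(lport), "bound_only": classify(bport)}
    finally:
        listener.close()
        bound_only.close()


if __name__ == "__main__":
    print(demo())
```

To triage a real finding, run `classify(40773)` (or whatever port rootcheck reported) on the affected host while the alert is fresh. "bound-not-listening" matches the explanation given above, and the owning process can then be found by restarting suspect daemons and re-running the check. Note the limit of this approach: the table parse reads the same kernel data netstat does, so a kernel-level rootkit that hides a socket from /proc/net/tcp hides it here too; the only signals independent of that table are the bind() and connect() behaviour, which is why "hidden" is defined as accepting connections while absent from the table.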
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.