[ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
I had this same thing happen when one of my JBoss servers went a little
crazy and started opening all sorts of ports to my Oracle server. Try a
netstat -napt to see what's listening on the various ports on the server and
what connections are established to the server.
Jason Little
Network Administrator
Mint Inc
-----Original Message-----
From: ossec-list@xxxxxxxxxxxxxxxx [mailto:ossec-list@xxxxxxxxxxxxxxxx] On
Behalf Of Daniel Cid
Sent: Sunday, September 09, 2007 8:54 PM
To: ossec-list@xxxxxxxxxxxxxxxx
Subject: [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I
verify if this is a false positive or not?
Hi Peter,
If you are running Linux, it can very well be a false positive caused by a
weird behavior of the Linux kernel (and a broken application binding but not
listening to the socket). Take a look at the following blog entry:
http://www.ossec.net/dcid/?p=87
http://www.ossec.net/ossec-list/2007-August/msg00154.html
Is anyone interested in adding this information to the wiki faq? More and
more people are having similar issues lately...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/6/07, Peter M. Abraham <peter.m.abraham@xxxxxxxxx> wrote:
>
> Greetings Steve:
>
> I finally got around to installing the latest nmap and checking nmap.
>
> PORT STATE SERVICE VERSION
> 21/tcp open ftp ProFTPD 1.3.0a
> 22/tcp open ssh OpenSSH 3.6.1p2 (protocol 2.0)
> 25/tcp open smtp qmail smtpd
> 53/tcp open domain
> 80/tcp open http Apache httpd
> 110/tcp open pop3 qmail pop3d
> 143/tcp open imap Courier Imapd (released 2005)
> 443/tcp open http Apache httpd
> 587/tcp open smtp qmail smtpd
> 953/tcp open rndc?
> 3306/tcp open mysql MySQL 5.0.45-community-log
> 5001/tcp open apc-agent APC PowerChute agent
> 5432/tcp open postgresql PostgreSQL DB
> 8009/tcp open ajp13?
> 8080/tcp open http Apache httpd
> 8443/tcp open http Apache httpd
>
> Yet, ossec-rootcheck shows
>
> [FAILED]: Port '40773'(tcp) hidden. Kernel-level rootkit or trojaned
> version of netstat.
>
> Thank you.
>
>
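The check the thread is arguing about can be reproduced and verified without trusting netstat at all. rootcheck's hidden-port test is a bind() probe: a port whose bind() fails with EADDRINUSE but which netstat -l does not list is reported as hidden. The false positive Daniel describes is a socket that an application has bound but never called listen() on; on Linux such a socket still occupies the port, and it still appears in /proc/net/tcp, but in state 07 (TCP_CLOSE) rather than 0A (LISTEN), so listening-only views omit it. The example below is added here and is not OSSEC code or anything from the thread: it parses /proc/net/tcp, separates "listening", "bound but not listening" and "truly hidden" (in use yet absent from the kernel's socket table), and runs on a constructed /proc/net/tcp sample plus a constructed list of in-use ports. The function names, the sample rows, and the ports 45000 and 40773 (the latter taken from Peter's report) are assumptions for the demonstration; only the "hidden" class deserves the rootkit investigation, while the middle class is the one to resolve with netstat -nap or ss -tanp to find the owning process.

```python
import errno
import socket
from typing import Dict, Iterable, List, Set

TCP_LISTEN = "0A"   # state column value for a listening socket in /proc/net/tcp
TCP_CLOSE = "07"    # state of a socket that is bound but has never called listen()

# Constructed /proc/net/tcp sample (not captured from a real host).
# Local port is hex: 0016=22, 0050=80, 0CEA=3306, 9F45=40773.
# Row 3 is a bound-but-not-listening socket (st=07); row 4 is an established
# connection to sshd, which must not be mistaken for a second listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:9F45 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0A00000C:0016 0A000005:E2B4 01 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 20 4 30 10 -1
"""

# Constructed result of a bind() sweep: ports where bind() failed with EADDRINUSE.
# 45000 is a placeholder for a port the kernel refuses but never reports anywhere.
SAMPLE_IN_USE: List[int] = [22, 80, 3306, 40773, 45000]


def parse_proc_net_tcp(text: str) -> Dict[int, Set[str]]:
    """Map each local port to the set of socket states the kernel reports for it."""
    ports: Dict[int, Set[str]] = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        port = int(local_addr.rsplit(":", 1)[1], 16)
        ports.setdefault(port, set()).add(state)
    return ports


def probe_port(port: int, host: str = "0.0.0.0") -> bool:
    """rootcheck-style probe: True if the port is in use (bind() -> EADDRINUSE).

    Only EADDRINUSE counts; EACCES on a privileged port just means we are not
    root, and treating it as 'in use' would manufacture false positives.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
        return False


def classify(in_use_ports: Iterable[int], proc_ports: Dict[int, Set[str]]) -> Dict[int, str]:
    """Explain why each in-use port is not visible to 'netstat -l'."""
    verdict: Dict[int, str] = {}
    for port in sorted(in_use_ports):
        states = proc_ports.get(port)
        if states is None:
            verdict[port] = "hidden"                 # kernel denies the bind but shows no socket
        elif TCP_LISTEN in states:
            verdict[port] = "listening"              # normal service, netstat -l shows it
        else:
            verdict[port] = "bound-not-listening"    # the false-positive case from the thread
    return verdict


if __name__ == "__main__":
    # Offline run on the constructed sample.
    for port, why in classify(SAMPLE_IN_USE, parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)).items():
        print(f"{port:>5}/tcp  {why}")
    # Live reproduction of the false positive: bind a socket, never listen(),
    # then probe it and (on Linux) look it up in /proc/net/tcp.
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    port = holder.getsockname()[1]
    try:
        with open("/proc/net/tcp") as f:
            live = parse_proc_net_tcp(f.read())
    except FileNotFoundError:                        # non-Linux host: no /proc table
        live = {}
    print(f"probe {port}: in use = {probe_port(port, '127.0.0.1')}, "
          f"class = {classify([port], live).get(port)}")
    holder.close()
```

Run as a script it prints the classification of the constructed sample and then holds a real bound-but-idle socket to show the same "bound-not-listening" verdict against the live kernel table (checking /proc/net/tcp6 as well would be needed for IPv6 sockets). The same three-way split is what to apply to a real rootcheck alert: "listening" and "bound-not-listening" ports have an owner that netstat -nap or ss -tanp will name, and only a port the kernel refuses while reporting no socket at all matches the trojaned-netstat or kernel-rootkit hypothesis the alert text suggests.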
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.