I've received several alerts from one host where OSSEC is telling me that due to several ephemeral, hidden TCP ports being open/listening that the box might be rooted or have a trojaned netstat. I've run chkrootkit and the system passes. It's true that netstat does not see these ports in use. How can I verify this and how accurate is the OSSEC alert/check?
Here's an example alert from OSSEC:

OSSEC HIDS Notification.
2007 Jul 25 12:03:50

Received From: (BOXEN01) 1.2.3.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Port '33477'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

--END OF NOTIFICATION

Thanks,
--
Clayton Dillard <[EMAIL PROTECTED]>
RPS Technology, LLC

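The rootcheck test behind rule 510 works by calling bind() on each port and, when bind() fails with EADDRINUSE, checking whether netstat lists that port; a port that is in use but not listed is reported as hidden. The usual benign cause of this alert on ephemeral ports is a short-lived outbound connection that holds the port during the bind() probe and is gone by the time netstat runs. The script below is an added example, not OSSEC's own code: it reimplements the same comparison in Python, reads the kernel's socket table from /proc/net/tcp directly instead of parsing netstat output, and re-checks a suspect port several times so that a transient socket does not count as hidden. The sample /proc/net/tcp content is constructed for the test and is not from the original post; the port 33477 in it is only there to mirror the alert.

```python
import errno
import socket

# Constructed sample of /proc/net/tcp (not from the original post).
# local_address is hex IP:PORT; st 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:82C5 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A5E 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Return the set of local TCP ports in a /proc/net/tcp[6] table, in any state."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        port_hex = fields[1].rsplit(":", 1)[1]
        ports.add(int(port_hex, 16))
    return ports


def read_visible_ports():
    """Read the live kernel socket tables (Linux only); used outside the test."""
    visible = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                visible |= parse_proc_net_tcp(fh.read())
        except FileNotFoundError:
            pass
    return visible


def port_in_use(port, addr="0.0.0.0"):
    """Probe a port the way rootcheck does: bind() it and treat EADDRINUSE as 'held'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        s.close()


def find_hidden_ports(ports, probe, visible_ports):
    """Ports that the probe says are held but the socket table does not list."""
    return sorted(p for p in ports if probe(p) and p not in visible_ports)


def confirm_hidden(port, probe, read_visible, attempts=3):
    """Re-check a suspect port; a socket that disappears between probe and
    listing on any attempt is a race (ephemeral connection), not a hidden port."""
    for _ in range(attempts):
        if not probe(port) or port in read_visible():
            return False
    return True


if __name__ == "__main__":
    # Live scan of the ephemeral range; requires Linux and permission to bind.
    with open("/proc/sys/net/ipv4/ip_local_port_range") as fh:
        lo, hi = (int(x) for x in fh.read().split())
    suspects = find_hidden_ports(range(lo, hi + 1), port_in_use, read_visible_ports())
    for p in suspects:
        if confirm_hidden(p, port_in_use, read_visible_ports):
            print("port %d/tcp held but absent from /proc/net/tcp: investigate" % p)
        else:
            print("port %d/tcp was transient (ephemeral connection), not hidden" % p)
```

Because this reads /proc/net/tcp rather than the netstat binary, a port that shows up here but not in netstat points at a trojaned netstat, while a port that is held yet absent from /proc/net/tcp even after repeated checks is the kernel-level case the alert mentions and is worth examining from outside the host (a port scan from another machine) rather than trusting the local tools.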