Thank you Dan for your answer.

I have run an md5sum on my monitored server and another on an isolated
machine: they are identical ... Phew!

Thank you.

Best regards.

On 21 oct, 15:07, "dan (ddp)" <ddp...@gmail.com> wrote:
> OSSEC tries to bind to the port and checks the output of netstat and
> compares the results. If they don't match up it reports it.
> This could be a sign that a process had bound to a port when it
> checked the first part, and the process was dead when it tried the
> second check.
>
> It could also mean that netstat has been changed out with a "bad"
> version. Check the md5 of the netstat command to make sure it hasn't
> changed.
>
> On Tue, Oct 19, 2010 at 10:36 AM, tux3132 <tux3...@gmail.com> wrote:
> > Hi
>
> > I have this level 7 alert fired by #510 rule:
>
> > Port '40848'(tcp) hidden. Kernel-level rootkit or trojaned version of
> > netstat
>
> > No other alerts of this level for one month ...
>
> > Is this a false positive? (I hope ...)
>
> > Best regards.
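
The comparison Dan describes (bind result versus netstat listing), sketched as an added example that is not part of the original thread and is not OSSEC's own code. The function names and the netstat text are constructed for illustration, and Linux `netstat -an` column layout is assumed; the re-check covers the short-lived-process case mentioned in the reply.

```python
import errno
import socket

# Constructed sample of `netstat -an` output (not taken from the thread).
SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

def parse_netstat_tcp_ports(netstat_output):
    """Return the local TCP ports that the netstat text admits to."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("tcp"):
            port = fields[3].rsplit(":", 1)[-1]   # handles 0.0.0.0:22 and :::80
            if port.isdigit():
                ports.add(int(port))
    return ports

def port_in_use(port, host="0.0.0.0"):
    """True only if the kernel refuses the bind because the port is taken."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return False
    except OSError as e:
        # EACCES and similar errors say nothing about a hidden listener.
        return e.errno == errno.EADDRINUSE
    finally:
        s.close()

def hidden_ports(candidates, read_netstat, bind_check=port_in_use, rechecks=2):
    """Ports the kernel reports busy but netstat omits, on every pass.

    A process that exits between the bind test and the netstat read makes
    the two views disagree once; requiring the disagreement to persist
    across re-checks filters out that transient case.
    """
    hidden = []
    for port in candidates:
        if all(bind_check(port)
               and port not in parse_netstat_tcp_ports(read_netstat())
               for _ in range(rechecks + 1)):
            hidden.append(port)
    return hidden
```

In real use `read_netstat` would return fresh `netstat -an` output on each call; a port that still shows up here after re-checks is the case where verifying the netstat binary's checksum against a trusted copy is the next step.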
