Hi Chad,

If you run "netstat" do you see the ports 21 and 25 being listed? If
you run "netcat" can you bind to those ports?

OSSEC basically tries to bind() to it and if it can't, it means that
the port is in use. We then check on netstat to see if it is being reported.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Oct 6, 2009 at 6:38 PM, Michael Starks
<ossec-l...@michaelstarks.com> wrote:
>
>
> On Tue, 6 Oct 2009 12:40:39 -0700 (PDT), Chad Glynn <cglynn2...@yahoo.com>
> wrote:
>> I've been running ossec in our environment for a year and a half
>> now, and have run into a rootcheck alert behavior on one of my systems
>> over the last week I have not seen before on any of my systems.
>
> What changed in the environment that you know of? Were any new
> applications installed?
>
>> 1. I've verified only one netstat running on the system. It's been
>> monitored by ossec since the agent was installed on the system a year
>> ago and the file has been unchanged.
>> 2. I've compared the kernel modules (ls and checksums of *.ko files in
>> /lib) in this system and a like system and there is no difference.
>> 3. I've run lsof and netstat commands and was able to recreate the
>> problem with only two of the ports and not all 19 as rootcheck has been
>> able to do daily.
>
> If the system truly is rooted, all of those steps may be for naught. How
> do you know the tools you're using to do the verification haven't been
> modified? How do you know the kernel is telling you the truth?
>
> I would take the system offline immediately, take a forensically sound
> image and examine the checksums from a known-good system. While it's down,
> it also wouldn't be a bad idea to run chkrootkit and/or rootkit hunter from
> a live CD.
>
> --
> Michael Starks
> [I] Immutable Security
> http://www.immutablesecurity.com
> Information Security, Privacy and Personal Liberty
>
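The bind()-then-netstat comparison Daniel describes, written out as a small Python script so you can reproduce the rootcheck result by hand. This is an added example, not OSSEC's own rootcheck code; it assumes a Linux-style `netstat -an` output format, and the `SAMPLE_NETSTAT` text below is constructed for the example rather than taken from a real host.

```python
"""Reproduce OSSEC rootcheck's hidden-port check by hand.

For each port: try to bind() it. If the kernel refuses with EADDRINUSE,
something holds the port. Then check whether netstat reports that port.
A port that is in use but missing from netstat is what rootcheck flags.
"""
import errno
import socket
import subprocess

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def parse_netstat_ports(output):
    """Return the set of (proto, port) pairs netstat reports as local endpoints."""
    reported = set()
    for line in output.splitlines():
        fields = line.split()
        # Skip the banner/header lines; keep tcp, tcp6, udp, udp6 rows.
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0][:3]                 # "tcp6" -> "tcp"
        port = fields[3].rsplit(":", 1)[-1]   # works for "0.0.0.0:22" and ":::80"
        if port.isdigit():
            reported.add((proto, int(port)))
    return reported


def port_in_use(port, proto="tcp", host="0.0.0.0"):
    """OSSEC-style probe: a bind() that fails with EADDRINUSE means the port is held.

    Any other error (e.g. EACCES on a privileged port when not running as
    root) is treated as "cannot tell", so it does not produce a false alert.
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    try:
        sock.bind((host, port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        sock.close()


def find_hidden_ports(ports, netstat_output, proto="tcp", host="0.0.0.0"):
    """Ports that bind() says are in use but netstat does not list."""
    reported = parse_netstat_ports(netstat_output)
    return sorted(
        p for p in ports
        if port_in_use(p, proto, host) and (proto, p) not in reported
    )


def run_netstat():
    """Capture `netstat -an` from the local host (the tool rootcheck compares against)."""
    result = subprocess.run(["netstat", "-an"], capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    # Run as root so privileged ports can actually be probed, as rootcheck does.
    output = run_netstat()
    for proto in ("tcp", "udp"):
        hidden = find_hidden_ports(range(1, 1025), output, proto)
        print(f"{proto}: in use but not reported by netstat -> {hidden or 'none'}")
```

The useful part is the disagreement, not either tool alone: a port that fails bind() and is also in netstat is just a normal service, while one that fails bind() and is absent from netstat is exactly the condition Chad's alert reports. As Michael points out, if netstat or the kernel itself were tampered with, this script would be lied to as well, which is why the comparison is a trigger for offline verification rather than proof on its own.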
