Re: [ossec-list] Suckit rootkit
Hi Daniel,

I just tried the tip version. Compiling and updating was ok, but when I start:

  /var/ossec/bin/agent_control -r -a
  2012/04/28 07:39:58 agent_control(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Queue not found'.
  2012/04/28 07:40:13 agent_control(1301): ERROR: Unable to connect to active response queue.
  ** Unable to connect to remoted.

Mike

2012/4/26 Daniel Cid daniel@gmail.com
> It should be fixed on the latest snapshot here:
> https://bitbucket.org/dcid/ossec-hids/overview
>
> Can you try it out and see if it works?
>
> On Tue, Apr 24, 2012 at 4:25 PM, Eero Volotinen eero.voloti...@iki.fi wrote:
>> 2012/4/24 Mike Sievers saturnge...@googlemail.com:
>>> Hi,
>>> ossec version is 2.6
>>> md5sum: 5a8582fbad878819fdcc598d15902b57 /sbin/init (don't know yet if it is ok)
>>>
>>> Mike
>>>
>>> 2012/4/23 dan (ddp) ddp...@gmail.com
>>>> What version of OSSEC? Does the md5 or sha for /sbin/init match what it should?
>>>>
>>>> On Sun, Apr 22, 2012 at 8:41 AM, Mike Sievers saturnge...@googlemail.com wrote:
>>>>> Hi List,
>>>>> on my opensuse 12.1 I found:
>>>>>   Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' (Suckit rootkit).
>>>>> I hope this is a false positive, isn't it?
>>>>> And some alerts like this:
>>>>>   File '/dev/.sysconfig/network/config-lo' present on /dev. Possible hidden file.
>>>>> ???
>>
>> How about checking from the package manager:
>>   rpm -qf /sbin/init        (what package provides that file)
>>   rpm --verify package-name
>>
>> example from centos 6.2
>>   [root@xxx ~]# rpm -qf /sbin/init
>>   upstart-0.6.5-10.el6.x86_64
>>   [root@xx ~]# rpm -V upstart
>>
>> --
>> Eero
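Eero's suggestion (rpm -qf, then rpm --verify) is the right first triage step for a rootcheck "Trojaned version of file" alert: if the package manager still agrees with the on-disk contents, the alert is far more likely to be a signature false positive than a real Suckit infection. The script below is an added example written for this thread, not code from the list or from OSSEC. It assumes an RPM-based host for the live check (the function names, the constructed rpm -V sample lines and the verdict labels are the example's own), and it decodes the nine-character rpm -V attribute string so the result reads as "digest changed" rather than as a cryptic "S.5....T.".

```shell
#!/bin/sh
# Added example (not from the ossec-list thread): triage a rootcheck
# "Trojaned version of file" alert by asking rpm whether the file still
# matches the package it came from, and explain rpm -V's flag string.

# explain_rpm_flags FLAGS
# Translate a 9-character rpm -V attribute string such as "S.5....T." into
# a comma-separated list of the attributes that differ from the package
# database; prints "clean" when nothing differs.
explain_rpm_flags() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$flags" | cut -c"$i")
        case $c in
            .|\?) ;;                        # unchanged or not testable
            S) out="$out,size" ;;
            M) out="$out,mode" ;;
            5) out="$out,digest" ;;         # file CONTENT differs
            D) out="$out,device" ;;
            L) out="$out,symlink" ;;
            U) out="$out,owner" ;;
            G) out="$out,group" ;;
            T) out="$out,mtime" ;;
            P) out="$out,capabilities" ;;
        esac
        i=$((i + 1))
    done
    [ -n "$out" ] && printf '%s\n' "${out#,}" || printf 'clean\n'
}

# classify_rpm_verify LINE
# LINE is the rpm -V output line for one file ("" when rpm printed nothing
# for it, i.e. it verified). Echoes ok, content-changed, metadata-only or
# missing; the exit status (0/1/2) mirrors the severity for scripting.
classify_rpm_verify() {
    line=$1
    case $line in
        "")        echo ok; return 0 ;;
        missing*)  echo missing; return 2 ;;
    esac
    flags=$(printf '%s' "$line" | awk '{print $1}')
    case $flags in
        *5*|*L*) echo content-changed; return 2 ;;   # digest or link target
        *)       echo metadata-only;   return 1 ;;   # e.g. mtime/mode only
    esac
}

# check_file_against_rpm PATH
# The live check from the thread: find the owning package, verify it, and
# keep only the verification line for PATH. Needs rpm on the host.
check_file_against_rpm() {
    f=$1
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 3; }
    pkg=$(rpm -qf "$f") || { echo "$f is not owned by any package" >&2; return 3; }
    echo "$f is provided by $pkg"
    verdict=$(rpm -V "$pkg" | awk -v f="$f" '$NF == f')
    echo "verdict: $(classify_rpm_verify "$verdict" || true) ($(explain_rpm_flags "$(printf '%s' "$verdict" | awk '{print $1}')"))"
}

# Run against a real path when one is given, e.g.: sh triage.sh /sbin/init
if [ "$#" -gt 0 ]; then
    check_file_against_rpm "$1"
fi
```

A "content-changed" verdict on /sbin/init means the binary's digest no longer matches the package and the host should be treated as suspect until the file is compared against a known-good copy; "metadata-only" (typically just mtime, as prelink or a touch would cause) together with a matching digest points toward a false positive of the 'HOME' signature. A package manager check is not proof of integrity on its own, since a kernel-level rootkit can lie to rpm as well, which is why the md5 comparison dan asked for and an offline boot are the next steps when the verdict is not clean.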
[ossec-list] Re: Ossec 2.6 Compile errors on Mac Os 10.7.3
ahahah, I can feel a little bit of disappointment in your answer. My bad, I'm sorry, I didn't notice that I was using the llvm compiler. I have changed it to the REAL gcc and now it works!!! :)

thank you dan

On 27 Apr, 20:49, dan (ddp) ddp...@gmail.com wrote:
> Use the real gcc instead of Apple's llvm/clang/whatever it is these days.
[ossec-list] ossec-syscheckd and ossec-rootcheck (1210): ERROR: Queue
hi,

I have installed the ossec 2.6 server on a Mac 10.7.3. I tried to run ossec with ossec-control start but it gave me some errors that I fixed by adding the 3 ossec users (ossec, ossecr, ossecm) and the group ossec. This time the error I got is:

  Starting OSSEC HIDS v2.6 (by Trend Micro Inc.)...
  Started ossec-maild...
  Started ossec-execd...
  Started ossec-analysisd...
  Started ossec-logcollector...
  Started ossec-remoted...
  2012/04/29 01:40:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
  2012/04/29 01:41:04 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
  2012/04/29 01:41:15 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
  2012/04/29 01:41:30 ossec-rootcheck(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'No such file or directory'.
  2012/04/29 01:41:46 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'.
  2012/04/29 01:42:01 ossec-rootcheck(1211): ERROR: Unable to access queue: '/var/ossec/queue/ossec/queue'. Giving up..

Surfing the various answers on the internet, I think that the problem is the permissions and the file owners/group.
I have all the utilities and files within /var/ossec with root as owner:

  dr-xr-x---   3 root  wheel   102 28 Apr 10:27 active-response
  dr-xr-x---  14 root  wheel   476 28 Apr 10:27 agentless
  dr-xr-x---  27 root  wheel   918 28 Apr 10:27 bin
  dr-xr-x---   8 root  wheel   272 28 Apr 10:27 etc
  drwxr-x---   6 root  wheel   204 28 Apr 10:27 logs
  dr-xr-x---  11 root  wheel   374 28 Apr 10:27 queue
  dr-xr-x---  64 root  wheel  2176 28 Apr 10:27 rules
  drwxr-x---   2 root  wheel    68 28 Apr 10:27 stats
  dr-xr-x---   2 root  wheel    68 28 Apr 10:27 tmp
  dr-xr-x---   3 root  wheel   102 29 Apr 01:42 var

Now, I don't know if the problem is really caused by a permissions error or something else; furthermore, I don't know what owner and group each single file needs, so I can't fix it manually. If the problem is the file permissions, can anyone tell me, for every single file, what owner and permissions I have to assign to it?

thank you!!!
Gappa
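The 1210 errors above name the exact path the daemons cannot reach, so the permission question can be answered from a stat of that path rather than by guessing. The following is an added example for this thread, not code from the list or from OSSEC: it extracts the queue path from a 1210 error line, reports whether it exists and whether it is a Unix socket (the example's assumption, based on OSSEC's queue files being sockets created by ossec-analysisd), and shows the owner and mode of the nearest directory that does exist. Function names and the constructed sample line are the example's own.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread): triage an OSSEC
# "(1210): ERROR: Queue '...' not accessible" line from facts on disk.

# queue_path_from_error LINE
# Print the path quoted after "Queue '" in a 1210 error line; print nothing
# when the line is not such an error.
queue_path_from_error() {
    printf '%s\n' "$1" | sed -n "s/.*ERROR: Queue '\([^']*\)' not accessible.*/\1/p"
}

# describe_queue PATH
# Echo one word for PATH: missing, socket, or not-a-socket.
# Assumption: OSSEC queues are Unix-domain sockets, so a regular file or
# directory at that path is itself a misconfiguration.
describe_queue() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -S "$p" ]; then
        echo socket
    else
        echo not-a-socket
    fi
}

# report_queue_error LINE
# Human-readable triage for one error line: state of the queue path, then
# owner/mode of the nearest existing ancestor (the place to fix when the
# daemon that creates the socket cannot write there).
report_queue_error() {
    p=$(queue_path_from_error "$1")
    [ -n "$p" ] || { echo "not a queue error: $1"; return 0; }
    echo "queue: $p -> $(describe_queue "$p")"
    d=$p
    while [ ! -e "$d" ] && [ "$d" != "/" ]; do
        d=$(dirname "$d")
    done
    echo "nearest existing parent: $(ls -ld "$d")"
}

# Constructed sample line (same shape as the errors in the thread); pass a
# real line as the argument to triage your own log, e.g.:
#   sh queue_triage.sh "$(grep -m1 '(1210)' /var/ossec/logs/ossec.log)"
SAMPLE="2012/04/29 01:40:49 ossec-syscheckd(1210): ERROR: Queue '/var/ossec/queue/ossec/queue' not accessible: 'Queue not found'."
if [ "$#" -gt 0 ]; then
    report_queue_error "$*"
else
    report_queue_error "$SAMPLE"
fi
```

Reading the output: "missing" with a root-owned, group-less parent directory like the listing above means the daemon that should create the socket could not, which is consistent with dan's advice to remove /var/ossec and reinstall once the ossec users and group exist, so the installer sets ownership for the whole tree; "socket" with the error still appearing points at the daemon not running rather than at permissions.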
Re: [ossec-list] ossec-syscheckd and ossec-rootcheck (1210): ERROR: Queue
Now that the users and group are added, I would delete the /var/ossec, and reinstall.

On Apr 28, 2012 7:58 PM, Gappa gapp...@gmail.com wrote:
> [...]
[ossec-list] Re: ossec-syscheckd and ossec-rootcheck (1210): ERROR: Queue
done, and now it works. thanks again dan!

On 29 Apr, 01:59, dan (ddp) ddp...@gmail.com wrote:
> Now that the users and group are added, I would delete the /var/ossec, and reinstall.
>
> On Apr 28, 2012 7:58 PM, Gappa gapp...@gmail.com wrote:
>> [...]