Hi All, I spoke with Hanashi on the IRC channel and he held my hand through a few alerts that appeared in my mailbox. This alert appeared on both of my (quite recently installed) SuSE 10.2 systems. SuSE 10.2 comes with the chess program Phalanx installed by default and it cannot be easily removed due to dependencies. Can you confirm this as a false positive? I also encountered the ZK Rootkit warning, which appears to already have been noted as a false positive for SuSE 10.1, so it appears this has not changed in 10.2 (the alert for that is not shown in this list).
Thank you all for your patience.

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ready-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ifup-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/if-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ifup-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/if-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/network' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/tmp/test' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ready-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/config-lo' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/config-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/new-stamp-2' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/new-stamp-1' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:24:00
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Rootkit 'PHALANX' detected by the presence of file '/usr/bin/phalanx'.
--END OF NOTIFICATION
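The two rootcheck message kinds in the post (a regular file found under /dev, and a rootkit signature matched purely on a file name) call for different triage. The script below is an added example, not part of the original post and not OSSEC's own code: it parses a notification stream in the layout quoted above, de-duplicates the flagged paths (rootcheck re-reports the same files on every scan), and, for a signature hit, asks rpm whether the file belongs to an installed package before treating it as a rootkit. The sample alert text is constructed to mirror the post; the package lookup is injectable so the logic can be exercised on a host without rpm. The `rpm -qf` and `rpm -V` calls are the only real commands used.

```python
"""Triage helper for OSSEC rootcheck (rule 14, level 8) notifications.

Added example: parses the two message kinds seen in the post,
de-duplicates the flagged paths, and checks whether a file named in a
rootkit signature hit is owned by an installed RPM before calling it
a rootkit.
"""
import re
import shutil
import subprocess

# Constructed sample in the OSSEC notification layout, modelled on the
# alerts quoted in the post (not captured from a live host). The first
# path appears twice on purpose to show de-duplication.
SAMPLE_ALERTS = """\
OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ready-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/network' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:23:57
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/shm/sysconfig/ready-eth0' present on /dev. Possible hidden file.
--END OF NOTIFICATION

OSSEC HIDS Notification.
2007 Mar 30 02:24:00
Received From: holocron->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Rootkit 'PHALANX' detected by the presence of file '/usr/bin/phalanx'.
--END OF NOTIFICATION
"""

HIDDEN_RE = re.compile(r"File '([^']+)' present on /dev\. Possible hidden file\.")
ROOTKIT_RE = re.compile(r"Rootkit '([^']+)' detected by the presence of file '([^']+)'\.")


def parse_rootcheck(text):
    """Split the stream on the end marker and pull out the flagged paths.
    Returns (hidden_paths, rootkit_hits), each de-duplicated and ordered
    by first appearance."""
    hidden, hits = [], []
    for block in text.split("--END OF NOTIFICATION"):
        for m in HIDDEN_RE.finditer(block):
            if m.group(1) not in hidden:
                hidden.append(m.group(1))
        for m in ROOTKIT_RE.finditer(block):
            hit = (m.group(1), m.group(2))
            if hit not in hits:
                hits.append(hit)
    return hidden, hits


def rpm_owner(path):
    """Package owning `path` per 'rpm -qf', or None when rpm is absent or
    the file is unowned (rpm exits non-zero in that case)."""
    if shutil.which("rpm") is None:
        return None
    res = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return res.stdout.strip() if res.returncode == 0 else None


def triage(text, owner_lookup=rpm_owner):
    """Classify each finding. A signature hit on a file that an installed
    package owns is a name collision unless 'rpm -V <pkg>' reports the file
    changed; an unowned file matching a signature needs real investigation.
    A 'hidden file' under /dev/shm is just a regular file on the tmpfs
    mounted there, so the question is which process wrote it."""
    hidden, hits = parse_rootcheck(text)
    report = {"hidden": [], "rootkit": []}
    for path in hidden:
        where = "tmpfs /dev/shm" if path.startswith("/dev/shm/") else "device directory"
        report["hidden"].append((path, f"regular file in {where}; identify the writer"))
    for name, path in hits:
        pkg = owner_lookup(path)
        if pkg:
            verdict = f"owned by package {pkg}; run 'rpm -V {pkg}' to confirm it is unmodified"
        else:
            verdict = "not owned by any package; treat as suspicious"
        report["rootkit"].append((name, path, pkg, verdict))
    return report


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_ALERTS).items():
        for row in rows:
            print(section, *row)
```

On the reporter's SuSE box, `rpm -qf /usr/bin/phalanx` naming the chess package and a clean `rpm -V` on it is the evidence that the PHALANX signature hit is a file-name collision rather than the rootkit. The /dev/shm paths are a separate question: the check fires because rootcheck does not expect regular files under /dev, and the fix once the writer is known is to exclude those paths in the rootcheck configuration rather than to suppress rule 14 as a whole.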
