Peter,
I can confirm that all of my SuSE10.2 boxes with ossec (5) have had
the same alerts, some of them with no network connectivity before ossec
was installed. So yes, I believe this is a false positive.
v/r
Scott
On Fri, 2007-03-30 at 03:18 +0800, Peter Kaye wrote:
> Hi All,
>
> I spoke with Hanashi on the IRC channel and he held my hand through a few
> alerts that appeared in my mailbox. This alert appeared on both of my (quite
> recently installed) SuSE 10.2 systems. SuSE 10.2 comes with the chess
> program Phalanx installed by default and it cannot be easily removed due to
> dependencies. Can you confirm this as a false positive? I also encountered
> the ZK Rootkit warning which appears to already have been noted as a false
> positive for SuSE 10.1, so it appears this has not changed in 10.2 (the alert
> for that is not shown in this list).
>
> Thank you all for your patience.
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/ready-eth0' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/ifup-eth0' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/if-eth0' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/ifup-lo' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/if-lo' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/network' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/tmp/test' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/ready-lo' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/config-lo' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/config-eth0' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/new-stamp-2' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:23:57
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> File '/dev/shm/sysconfig/new-stamp-1' present on /dev. Possible hidden file.
>
>
>
> --END OF NOTIFICATION
>
>
>
> OSSEC HIDS Notification.
> 2007 Mar 30 02:24:00
>
> Received From: holocron->rootcheck
> Rule: 14 fired (level 8) -> "Rootkit detection engine message"
> Portion of the log(s):
>
> Rootkit 'PHALANX' detected by the presence of file '/usr/bin/phalanx'.
>
G E Scott Knauss
ECRNOC Naples, IT
Lead Network Engineer
DSN: 314-626-4854
Comm: 39-081-568-4854
Cell: 39-333-224-9323
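As an added example, not code from this thread or from OSSEC itself: a small Python triage script that parses rootcheck notifications in the format quoted above and marks the two findings the thread identifies as benign on SuSE 10.2 (files under /dev/shm/sysconfig and the /usr/bin/phalanx chess binary), leaving every other finding for investigation. The sample notifications, including the non-benign path, are constructed for the example.

```python
import re

# Constructed sample, not the thread's own alerts: three notifications in the
# format quoted above; the third path is invented and matches no allowlist entry.
TEMPLATE = ("OSSEC HIDS Notification.\n{ts}\n\nReceived From: holocron->rootcheck\n"
            'Rule: 14 fired (level 8) -> "Rootkit detection engine message"\n'
            "Portion of the log(s):\n\n{msg}\n\n--END OF NOTIFICATION\n")
SAMPLE = "\n".join(TEMPLATE.format(ts=t, msg=m) for t, m in [
    ("2007 Mar 30 02:23:57", "File '/dev/shm/sysconfig/ifup-eth0' present on /dev. Possible hidden file."),
    ("2007 Mar 30 02:24:00", "Rootkit 'PHALANX' detected by the presence of file '/usr/bin/phalanx'."),
    ("2007 Mar 30 02:24:05", "File '/dev/.stealth/k' present on /dev. Possible hidden file."),
])

# Findings the thread identifies as benign on SuSE 10.2. Keep entries narrow: the
# directory the alerts fall under, not all of /dev/shm, and one exact binary path.
BENIGN = [
    (re.compile(r"^/dev/shm/sysconfig/"), "SuSE network scripts keep state in /dev/shm/sysconfig"),
    (re.compile(r"^/usr/bin/phalanx$"), "Phalanx chess program is installed by default on SuSE 10.2"),
]

HIDDEN_RE = re.compile(r"File '([^']+)' present on /dev\. Possible hidden file\.")
ROOTKIT_RE = re.compile(r"Rootkit '([^']+)' detected by the presence of file '([^']+)'\.")
RULE_RE = re.compile(r"Rule: (\d+) fired \(level (\d+)\)")

def parse_notifications(text):
    """Yield one dict per notification block: timestamp, rule, level, kind, path."""
    for blk in text.split("--END OF NOTIFICATION"):
        # strip whitespace and any '> ' mail-quoting prefix so pasted thread text parses too
        lines = [l.strip().lstrip("> ").strip() for l in blk.strip().splitlines()]
        if not lines or lines[0] != "OSSEC HIDS Notification.":
            continue
        body = "\n".join(lines)
        rule = RULE_RE.search(body)
        if m := HIDDEN_RE.search(body):
            kind, path = "hidden-file", m.group(1)
        elif m := ROOTKIT_RE.search(body):
            kind, path = "rootkit:" + m.group(1), m.group(2)
        else:
            kind, path = "unparsed", None
        yield {"ts": lines[1], "rule": int(rule.group(1)), "level": int(rule.group(2)),
               "kind": kind, "path": path}

def triage(text):
    """Return notifications with a verdict: 'benign' (allowlisted) or 'investigate'."""
    out = []
    for n in parse_notifications(text):
        n["verdict"], n["reason"] = "investigate", "no allowlist match"
        for pattern, why in BENIGN:
            if n["path"] and pattern.match(n["path"]):
                n["verdict"], n["reason"] = "benign", why
                break
        out.append(n)
    return out

if __name__ == "__main__":
    for n in triage(SAMPLE):
        print(f"{n['ts']}  {n['verdict']:11} {n['kind']:16} {n['path']}  ({n['reason']})")
```

Anything marked investigate is still a level 8 rootcheck hit and should be looked at by hand; the allowlist only removes the two SuSE 10.2 cases this thread confirms.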