Hi Clayton,

It seems to be a false positive. Basically, ossec tries the following:

- Open every directory on the system and list the files (readdir).
- For every file that it found on "readdir", it tries the *stat call to see if the system can see it too.

*http://www.openbsd.org/cgi-bin/man.cgi?query=stat&sektion=2

Some kernel level rootkits "hijack" the stat system call, hiding the file from it, but they do not hide it from readdir...

More info about rootcheck: http://www.ossec.net/dcid/?p=25

Anyway, since it is a cache file, I wouldn't be too concerned about it. If you do not want to receive these messages anymore, create a local rule ignoring it:

<rule id="100450" level="0">
  <if_sid>510</if_sid>
  <match>Anomaly detected in file '/usr/local/apache2/htdocs/janeway/cache</match>
  <description>Ignored rootcheck message</description>
</rule>

http://www.ossec.net/wiki/index.php/Know_How:Ignore_Rules

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 6/7/07, Clayton Dillard <[EMAIL PROTECTED]> wrote:
>
> Can someone provide some insight into why this alert is being fired? I get
> a lot of these alerts every day.
>
> Anomaly detected in file
> '/usr/local/apache2/htdocs/janeway/cache/cache_94afbfb2f291e0bf253fcf222e9d238e_1af853019d87ece6588c780714841e9b'.
> Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
>
> What "stats" is the alert referring to?
>
> Thanks,
>
> --
> Clayton Dillard <[EMAIL PROTECTED]>
> RPS Technology, LLC
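The readdir-versus-stat cross-check that Daniel describes, written out as an added example. This is not OSSEC's rootcheck code; it is a small standalone re-implementation that also shows where the false positive in this thread comes from: a cache file that is created and deleted between the readdir() and the lstat() call looks, for an instant, exactly like a file a rootkit is hiding. The example re-reads the directory before reporting, so a transient file is classified as a race instead of an anomaly. The function names (classify_entry, scan_directory, make_fixture, remove_fixture) and the /tmp fixture directory are assumptions of this example.

```c
/* Added example, not OSSEC code: readdir()/lstat() cross-check with a
 * re-read step to separate hiding from ordinary create/delete races. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PATH_BUF 4096

/* VISIBLE: lstat agrees with readdir.  HIDDEN: readdir still lists the
 * name but lstat says ENOENT (the signature rootcheck alerts on).
 * RACE: lstat failed, but a fresh readdir no longer lists the name, so
 * the file was simply removed in between (e.g. a short-lived cache file). */
enum entry_state { VISIBLE = 0, HIDDEN = 1, RACE = 2, OTHER_ERROR = -1 };

/* Does `name` still appear in a fresh readdir() of `dir`? */
static int still_listed(const char *dir, const char *name) {
    DIR *d = opendir(dir);
    if (!d) return 0;
    struct dirent *e;
    int found = 0;
    while ((e = readdir(d)) != NULL)
        if (strcmp(e->d_name, name) == 0) { found = 1; break; }
    closedir(d);
    return found;
}

/* Classify one entry that readdir() returned for `dir`. */
int classify_entry(const char *dir, const char *name) {
    char path[PATH_BUF];
    struct stat st;
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path)
        return OTHER_ERROR;
    if (lstat(path, &st) == 0)
        return VISIBLE;
    if (errno != ENOENT)
        return OTHER_ERROR;          /* EACCES and friends are not hiding */
    /* "No such file" for a name readdir just gave us: confirm it is still
     * listed before calling it an anomaly. */
    return still_listed(dir, name) ? HIDDEN : RACE;
}

/* Walk one directory (non-recursive) and return the number of HIDDEN
 * entries; -1 if the directory cannot be opened. */
int scan_directory(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    struct dirent *e;
    int hidden = 0;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (classify_entry(dir, e->d_name) == HIDDEN) {
            hidden++;
            printf("Anomaly detected in file '%s/%s'. Hidden from stat, "
                   "but showing up on readdir.\n", dir, e->d_name);
        }
    }
    closedir(d);
    return hidden;
}

/* Constructed fixture: a temp directory holding three ordinary files.
 * Returns a heap-allocated path (free with remove_fixture) or NULL. */
char *make_fixture(void) {
    char tmpl[] = "/tmp/rootcheck_demo_XXXXXX";
    if (mkdtemp(tmpl) == NULL) return NULL;
    char path[PATH_BUF];
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/cache_%d", tmpl, i);
        FILE *f = fopen(path, "w");
        if (f) { fputs("x\n", f); fclose(f); }
    }
    return strdup(tmpl);
}

/* Delete the fixture files and directory, then free the path. */
void remove_fixture(char *dir) {
    char path[PATH_BUF];
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/cache_%d", dir, i);
        unlink(path);
    }
    rmdir(dir);
    free(dir);
}

int main(void) {
    char *dir = make_fixture();
    if (!dir) return 1;
    int hidden = scan_directory(dir);
    printf("%s: %d hidden entries\n", dir, hidden);
    remove_fixture(dir);
    return hidden > 0;
}
```

On an honest filesystem scan_directory() returns 0. A name that lstat() rejects with ENOENT while a second readdir() still lists it is the only case reported; a name that has vanished from the listing by then is treated as the kind of create/delete race a busy web cache produces, which is why a level-0 local rule for that cache path, as Daniel suggests, is the pragmatic answer rather than a sign of compromise.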
