Hi Neil,

What applications are you running on this box? Linux has a weird "bug" that can cause this alert to happen if any application is not behaving properly (binding to a TCP port, but not listening on it).

Take a look at: http://www.ossec.net/dcid/?p=87

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Feb 15, 2008 1:47 PM, Neil Ridlinghafer <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I've been looking around on Google and this appears to be a port used
> for trinoo and DDoS but I can't figure out or find any tools for
> detecting these on Linux. Anyone have any suggestions how I can verify
> or any suggestions for a good rootkit/anti-virus for Linux that can
> detect these?
>
> Thanks,
> __neil
>
> -----Original Message-----
> From: OSSEC HIDS [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 15, 2008 7:07 AM
> To: netops
> Subject: OSSEC Notification - blade-gw-01 - Alert level 7
>
> OSSEC HIDS Notification.
> 2008 Feb 15 07:06:22
>
> Received From: blade-gw-01->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Port '34555'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> --END OF NOTIFICATION
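
The bind-without-listen case mentioned in the reply, as an added example that is not part of the original thread or of OSSEC's own code. It assumes Linux with `/proc/net/tcp` and that the alert comes from comparing a `bind()` probe against the netstat view, as the alert text implies; the function names are hypothetical.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp format: one listener on port 22 (0x0016).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
"""

def visible_ports(proc_text):
    """Local TCP ports listed in /proc/net/tcp text (the table netstat reads)."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def bind_refused(port, host="127.0.0.1"):
    """True if a fresh socket cannot bind the port because it is already in use."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
            return False
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise

def classify(port, in_use, visible):
    """Mirror the alert's logic: in use but absent from the netstat view is 'hidden'."""
    if not in_use:
        return "free"
    return "visible" if port in visible else "hidden"

def snapshot():
    with open("/proc/net/tcp") as fh:
        return visible_ports(fh.read())

if __name__ == "__main__":
    # Reproduce the benign case: an application that calls bind() but not listen().
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as app:
        app.bind(("127.0.0.1", 0))  # kernel picks a free port
        port = app.getsockname()[1]
        print("bound only:  ", port, classify(port, bind_refused(port), snapshot()))
        app.listen(1)
        print("after listen:", port, classify(port, bind_refused(port), snapshot()))
```

Comparing the two printed lines on the affected host shows whether a bound-only socket alone is enough to produce the "hidden" result there.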
