Hi,

Do you have large VMs running on this box? The only reason I can think of is
that you have very large files that take a while to generate the md5/sha1
checksum. Anyone else seeing this behavior?

*btw, can you provide more information to us?
( http://www.ossec.net/wiki/index.php/Community_manual:BugReport )

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, Jun 27, 2008 at 11:37 AM, carlopmart <[EMAIL PROTECTED]> wrote:
>
> Please any hints about this??
>
> carlopmart wrote:
>> Hi Daniel,
>>
>> I have compiled and executed ossec-rootcheck with these results:
>>
>> [EMAIL PROTECTED] rootcheck-1.5]$ sudo ./ossec-rootcheck
>>
>> ** Starting Rootcheck v1.5 by Daniel B. Cid **
>> ** http://www.ossec.net/en/about.html#dev-team **
>> ** http://www.ossec.net/rootcheck/ **
>>
>> Be patient, it may take a few minutes to complete...
>>
>> [INFO]: Starting rootcheck scan.
>>
>> [OK]: No presence of public rootkits detected. Analyzed 270 files.
>>
>> [OK]: No binaries with any trojan detected. Analyzed 79 files.
>>
>> [OK]: No problem detected on the /dev directory. Analyzed 267 files
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/vixwrapper-config.txt' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/ws-2/64bit/README.txt' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/ws-2/64bit/libvix.so' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/ws-5/64bit/README.txt' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/ws-5/64bit/libvix.so' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/libvixAllProducts.so' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/ws-3/64bit/README.txt' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [FAILED]: File '/usr/lib/vmware-vix/lib/ws-3/64bit/libvix.so' is:
>> - owned by root,
>> - has written permissions to anyone.
>>
>> [ERR]: Check the following files for more information:
>> rootcheck-rw-rw-rw-.txt (list of world writable files)
>> rootcheck-rwxrwxrwx.txt (list of world writtable/executable files)
>> rootcheck-suid-files.txt (list of suid files)
>>
>> [OK]: No hidden process by Kernel-level rootkits.
>> /bin/ps is not trojaned. Analyzed 32768 processes.
>>
>> [OK]: No kernel-level rootkit hiding any port.
>> Netstat is acting correctly. Analyzed 131072 ports.
>>
>> [OK]: The following ports are open:
>> 22 (tcp),25 (tcp),123 (udp)
>>
>> [OK]: No problem detected on ifconfig/ifs. Analyzed 2 interfaces.
>>
>>
>> - Scan completed in 7 seconds.
>>
>> [INFO]: Ending rootcheck scan.
>>
>> No, my cpu never goes down ...
>>
>> Daniel Cid wrote:
>>> Hi,
>>>
>>> Can you download rootcheck (it runs with syscheck on ossec) and run it
>>> manually? We fixed a few things on it, so that might be causing the
>>> issue.
>>>
>>> Get it from (even though it says 1.5, it is based on the 1.5.1 code)
>>> http://www.ossec.net/en/rootcheck.html
>>>
>>> *Note that very few things changed from 1.5 to 1.5.1, so could this
>>> problem be there before and you never noticed? Also, does the CPU go
>>> down after a while?
>>>
>>>
>>> Thanks,
>>>
>>> --
>>> Daniel B. Cid
>>> dcid ( at ) ossec.net
>>>
>>>
>>> On Sun, Jun 22, 2008 at 7:57 AM, carlopmart <[EMAIL PROTECTED]> wrote:
>>>> carlopmart wrote:
>>>>> Hi all,
>>>>>
>>>>> Today I have installed ossec 1.5.1. When the syscheckd process starts,
>>>>> it consumes all free cpu usage (sometimes arrives to 99% or 100%)...
>>>>> Using ossec 1.5, syscheckd doesn't produce this type of problem ...
>>>>> How can I fix this??
>>>>>
>>>>> Many thanks.
>>>> Please, any hints??
>>>>
>>>> --
>>>> CL Martinez
>>>> carlopmart {at} gmail {d0t} com
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
