Hello, I have CentOS 5.3 and the latest version of OSSEC as of 07-28-2009... I got several "rootkit detected" alerts, but I am a bit puzzled since this Linux is a fairly new install (10 days) and nothing suspicious has been run on it...

These are the alerts I get:

--------
Alert list

2009 Jul 31 17:56:21
Rule Id: 510 level: 7
Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '40118'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

2009 Jul 31 17:56:19
Rule Id: 510 level: 7
Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '35054'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
Old md5sum was: 'b4f6ebd7179c8cc9d2cceedd1c69eac8'
New md5sum is : '58f34cf2632d70b316c22d25742876f8'
Old sha1sum was: '106346799f40106fe1b6295355b2cbbde21aa9d3'
New sha1sum is : 'eb3e79320d2ab3eb281e24ba191dcf230563afc6'

2009 Jul 30 10:39:34
Rule Id: 510 level: 7
Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '49040'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

2009 Jul 30 10:39:21
Rule Id: 510 level: 7
Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '37538'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
New md5sum is : '9784afbdca5a5a7846c7e95d6324542b'
Old sha1sum was: 'a8f5b4640194c68c4238fdaf5dd4cc0f6bc81a4b'
New sha1sum is : '4bb61896f16ba3fbca26cff10d42faa336ef76db'

2009 Jul 29 20:34:00
Rule Id: 510 level: 7
Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '49381'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

2009 Jul 29 20:33:42
Rule Id: 510 level: 7
Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '34007'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
Old md5sum was: '5fc90b0075d53b39a18cae61f476338a'
New md5sum is : '9ca373fb743fe54c667ee65aeb5c44e4'
Old sha1sum was: '7c8da625a5d701a474766418779ac24f856e00b1'
New sha1sum is : '45bdd371b3613979dbae5d9a719c458ff7705244'
-----

Is it possible that this is some kind of false positive?

I wanted to confirm a worm/rootkit/hack, and ran auditd yesterday, monitoring the /bin folder... First I ran it with an empty key (-p e) and the auditor did not detect anything on the netstat binary. Today I created a new rule (auditctl -w /bin/netstat -k netstat -p rwxa), so I hope I will catch something the next time I get alerted by OSSEC. Also I downloaded lynis, rkhunter and chkrootkit - none of them detected anything. Furthermore, I read older messages on the OSSEC group's list and found a few suggestions on hacked netstat detection (http://www.mail-archive.com/[email protected]/msg02073.html) and I tried it (ls -asli /bin | sort) - I listed the inodes of the files in /bin - and netstat's is similar to the others (it does not jump out):

[r...@sytech bin]# ls -asli /bin | sort | grep -10 netstat
133529650 68 -rwxr-xr-x 3 root root 62100 May 28 2008 gunzip
133529650 68 -rwxr-xr-x 3 root root 62100 May 28 2008 gzip
133529650 68 -rwxr-xr-x 3 root root 62100 May 28 2008 zcat
133529651 12 -rwxr-xr-x 1 root root 11168 Jan 21 2009 kill
133529652 84 -r-xr-xr-x 1 root root 79004 Jan 21 2009 ps
133529653 8 -rwxr-xr-x 1 root root 8008 Jan 21 2009 raw
133529654 28 -rwsr-xr-x 1 root root 23960 Jan 21 2009 su
133529655 1076 -rwxr-xr-x 1 root root 1094052 Jan 21 2009 ksh
133529656 20 -rwxr-xr-x 1 root root 18192 Jan 21 2009 link
133529657 20 -rwxr-xr-x 1 root root 19564 Jan 21 2009 sleep
133529658 124 -rwxr-xr-x 1 root root 121300 May 25 2008 netstat
133529659 40 -rwxr-xr-x 1 root root 37264 Feb 26 22:59 traceroute
133529660 12 -rwxr-xr-x 1 root root 10200 Jan 21 2009 taskset
133529661 8 -rwxr-xr-x 1 root root 7736 Jan 21 2009 kbd_mode
133529662 4 lrwxrwxrwx 1 root root 8 Jul 1 20:03 dnsdomainname -> hostname
133529663 4 lrwxrwxrwx 1 root root 8 Jul 1 20:03 domainname -> hostname
133529664 20 -rwxr-xr-x 1 root root 20024 Jan 21 2009 uname
133529665 8 -rwxr-xr-x 1 root root 7760 Mar 3 19:09 fipscheck
133529666 4 lrwxrwxrwx 1 root root 8 Jul 1 20:03 nisdomainname -> hostname
133529667 4 lrwxrwxrwx 1 root root 8 Jul 1 20:03 ypdomainname -> hostname
133529668 4 lrwxrwxrwx 1 root root 3 Jul 1 20:03 gtar -> tar

Also an nmap portscan of the machine shows no suspicious open ports... Doing "strings" on the netstat binary and grepping for these port numbers also shows nothing. I should probably mention that I am running VMware on this machine, with a WinXP guest OS, which has an internet connection... could this be responsible for some false alerts? Another thing - there are two HDDs in the machine, with software RAID 1 done over them (could this be it?). I am using the stock kernel from CentOS (latest yum update since 8 days ago), and only compiled kernel-level module support for VMware..

[r...@sytech etc]# uname -a
Linux XXX.XXX 2.6.18-128.2.1.el5PAE #1 SMP Tue Jul 14 07:15:01 EDT 2009 i686 i686 i386 GNU/Linux
[r...@sytech etc]# more /etc/redhat-release
CentOS release 5.3 (Final)

I am just downloading the CentOS 5.3 live CD, and will take the netstat binary off of it and use it; I will also try booting the old (original) kernel and see what happens...

So, what else can I do to solve this mystery? I welcome any suggestions.

thanks,
Jaka
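An added example (not from the original post or from OSSEC) that does the cross-check the post is circling around by hand: it reads the kernel's own socket table (/proc/net/tcp) and a `netstat -tan` listing, and for each port named in a rule 510 alert says whether netstat shows it, whether the kernel has it while netstat omits it (the case that actually points at a trojaned netstat), or whether it is simply gone and sits in the client-port range, which is what a short-lived connection that closed before netstat ran looks like. The socket table, netstat listing and the 32768-61000 ephemeral range are constructed/assumed for the demo.

```python
EPHEMERAL = (32768, 61000)  # assumed CentOS 5 default ip_local_port_range

def parse_proc_net_tcp(text):
    """Local TCP ports from /proc/net/tcp (or tcp6): field 2 is HEXADDR:HEXPORT."""
    ports = set()
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) > 1 and ':' in fields[1]:
            ports.add(int(fields[1].rsplit(':', 1)[1], 16))
    return ports

def parse_netstat_tan(text):
    """Local TCP ports from 'netstat -tan' output: field 4 is ADDR:PORT (decimal)."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) > 3 and fields[0].startswith('tcp'):
            ports.add(int(fields[3].rsplit(':', 1)[1]))
    return ports

def classify(port, kernel_ports, netstat_ports):
    """Say what a rootcheck 'port hidden' alert for `port` most likely means."""
    if port in netstat_ports:
        return 'visible'               # netstat shows it now; nothing is hidden
    if port in kernel_ports:
        return 'hidden-from-netstat'   # kernel has it, netstat omits it: check netstat
    if EPHEMERAL[0] <= port <= EPHEMERAL[1]:
        return 'transient-ephemeral'   # already gone, and in the client-port range
    return 'unknown'                   # gone, but outside the ephemeral range

def triage(alert_ports, proc_text, netstat_text):
    kp, np_ = parse_proc_net_tcp(proc_text), parse_netstat_tan(netstat_text)
    return {p: classify(p, kp, np_) for p in alert_ports}

# Constructed sample: the kernel knows sshd (0x0016 = 22) and two client
# sockets, 0x9CB6 = 40118 and 0x88EE = 35054; the netstat listing omits 35054.
SAMPLE_PROC = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4321 1 f0000000 300 0 0 2 -1
   1: 0A0200C0:9CB6 056433C6:0050 01 00000000:00000000 00:00000000 00000000     0        0 4322 1 f0000001 21 4 1 2 -1
   2: 0A0200C0:88EE 056433C6:01BB 01 00000000:00000000 00:00000000 00000000     0        0 4323 1 f0000002 21 4 1 2 -1
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 192.0.2.10:40118            198.51.100.5:80             ESTABLISHED
"""

if __name__ == '__main__':
    for port, verdict in triage([40118, 35054, 49040, 1024], SAMPLE_PROC, SAMPLE_NETSTAT).items():
        print(port, verdict)
```

On a live host, feed `open('/proc/net/tcp').read()` (and /proc/net/tcp6) and the captured `netstat -tan` output to `triage` at the moment an alert fires; a 'hidden-from-netstat' verdict is the one worth acting on.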
