Update on subject... What I did since last email:
- disabled prelinker (removed it from cron.daily)
- mounted CentOS 5.3 live CD as read-only and copied netstat and some other binaries over existing ones
- started auditing on netstat and other binaries...

But today again OSSEC reported rootkit detection hidden tcp:
-----
2009 Aug 03 06:32:28 Rule Id: 510 level: 7 Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '58536'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

2009 Aug 03 06:32:25 Rule Id: 510 level: 7 Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '51156'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

2009 Aug 03 06:32:23 Rule Id: 510 level: 7 Location: sytech->rootcheck
Host-based anomaly detection event (rootcheck).
Port '47873'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
---
ausearch -f /bin/netstat shows activity at these hours, but I can't get any useful information out of it:
------------
log here: http://www.filedropper.com/audit-netstat
------------
I read most of the OSSEC archive's mails on the subject, but I am afraid that this is not a false positive, as it is periodic (every 1-2 days).

Remembering back, the only suspicious file I ran on this box was the "vmware-linux-keygen"... which might be what infected this box.

If anyone has any idea what to do to neutralize it, please let me know or email me at jaka.mele AT g mail... thanks
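The check behind rule 510, as an added example that is neither from this mail nor OSSEC's own code: rootcheck tries to bind() every TCP port and reports a port that is in use but absent from the netstat listing as hidden. This Python version reads /proc/net/tcp and /proc/net/tcp6 directly instead of running netstat, carries a constructed table sample for offline use, and re-checks each suspect against a fresh table read so that a connection that closes between the probe and the listing is not reported as hidden; the sample rows and the candidate range are assumptions.

```python
import errno
import socket

# Constructed /proc/net/tcp sample (the table netstat reads): a listener on port 22 (0x0016) and a
# loopback connection whose local port is 58536 (0xE4A8); local ports are hex after the ':'.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:E4A8 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 20 4 30 10 -1
"""

def listed_ports(table_text):
    """Local TCP ports in /proc/net/tcp{,6}-formatted text (header line skipped)."""
    ports = set()
    for line in table_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def port_in_use(port):
    """rootcheck-style probe: bind INADDR_ANY:port; EADDRINUSE means another socket holds it.
    Ports below 1024 need root; without it bind fails with EACCES and the port counts as free."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
        return False

def read_kernel_tables():
    """Union of local ports from /proc/net/tcp and /proc/net/tcp6 (a v6 listener blocks a v4 bind too)."""
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                ports |= listed_ports(f.read())
        except OSError:
            pass  # file absent (no IPv6, or not Linux)
    return ports

def hidden_ports(in_use, read_table, candidates):
    """Ports the bind probe says are taken but the table does not list. Each suspect is re-checked
    against a fresh table read and a second probe, so a connection that closes between probe and
    listing drops out instead of being reported as hidden (a common source of rule 510 alerts)."""
    table = read_table()
    suspects = [p for p in candidates if p not in table and in_use(p)]
    fresh = read_table()
    return {p for p in suspects if p not in fresh and in_use(p)}
```

On the Linux host itself, `hidden_ports(port_in_use, read_kernel_tables, range(1, 65536))` runs the live check; any port it still returns deserves a look with lsof or ss from trusted media.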
