I've seen this false positive before, many times, especially on Debian systems. Here are some MD5/SHA1 sums from CentOS 5.3, 32-bit, for a clean executable. If yours match, then it's a false positive. This system is not prelinked.
net-tools 1.60
netstat 1.42 (2001-04-15)
Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
HW: +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB

md5: 73d1631326c37fc944fc205e494aa12b */bin/netstat
sha1: 4ab0e42277674c7a2ec5cab854a5b0c9daa2deb5 /bin/netstat

jack wrote:
> Update on subject... What I did since the last email:
>
> - disabled prelinker (removed it from cron.daily)
> - mounted CentOS 5.3 live CD as read-only and copied netstat and some
>   other binaries over existing ones
> - started auditing on netstat and other binaries...
>
> But today again OSSEC reported rootkit detection, hidden tcp:
>
> -----
> 2009 Aug 03 06:32:28 Rule Id: 510 level: 7
> Location: sytech->rootcheck
> Host-based anomaly detection event (rootcheck).
> Port '58536'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> 2009 Aug 03 06:32:25 Rule Id: 510 level: 7
> Location: sytech->rootcheck
> Host-based anomaly detection event (rootcheck).
> Port '51156'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> 2009 Aug 03 06:32:23 Rule Id: 510 level: 7
> Location: sytech->rootcheck
> Host-based anomaly detection event (rootcheck).
> Port '47873'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
> ---
>
> Ausearch -f /bin/netstat shows activity at these hours, but I can't get
> any useful information out of it:
>
> ------------
> log here: http://www.filedropper.com/audit-netstat
> ------------
>
> I read most of the OSSEC archive's mails on the subject, but I am afraid that
> this is not a false positive, as it is periodic (every 1-2 days).
>
> Remembering back - the only suspicious file I ran on this box was the
> "vmware-linux-keygen"... which might be what infected this box.
>
> If anyone has any idea what to do to neutralize it, please let me know
> or email me at jaka.mele AT g mail...
>
> thanks
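The triage the reply above suggests, as an added example that is neither code from the thread nor from OSSEC: it compares a netstat binary against the reference MD5/SHA1 pair quoted above, and reproduces offline the comparison behind the "hidden port" alert, ports the kernel lists in /proc/net/tcp versus ports that `netstat -an` prints. The /proc/net/tcp and netstat samples are constructed; a port that only exists for a moment between the two listings shows up as "hidden" in the same way a trojaned netstat would, which is why checking the binary first matters.

```python
"""Triage an OSSEC rootcheck 'hidden tcp port' alert (added example)."""
import hashlib

# Reference sums quoted in the reply above (CentOS 5.3, 32-bit, /bin/netstat).
REF_MD5 = "73d1631326c37fc944fc205e494aa12b"
REF_SHA1 = "4ab0e42277674c7a2ec5cab854a5b0c9daa2deb5"

# Constructed samples: /proc/net/tcp holds local port 0xE4A8 = 58536 (and
# 0x16 = 22); the netstat listing only shows port 22.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1 00000000 300 0 0 2 -1
   1: 0100007F:E4A8 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 4243 1 00000000 20 4 30 10 -1
"""
SAMPLE_NETSTAT_AN = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
"""

def file_sums(path):
    """Return (md5, sha1) hex digests of a file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def matches_reference(path, ref_md5=REF_MD5, ref_sha1=REF_SHA1):
    """True if the binary at path has exactly the reference MD5 and SHA1."""
    return file_sums(path) == (ref_md5, ref_sha1)

def kernel_tcp_ports(proc_net_tcp):
    """Local ports from /proc/net/tcp text; the port is the hex field after ':'."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def netstat_tcp_ports(netstat_an):
    """Local ports from 'netstat -an' output, taking only tcp/tcp6 rows."""
    ports = set()
    for line in netstat_an.splitlines():
        if line.startswith("tcp"):
            local = line.split()[3]                     # e.g. 0.0.0.0:22 or :::22
            ports.add(int(local.rsplit(":", 1)[1]))
    return ports

def hidden_ports(proc_net_tcp, netstat_an):
    """Ports the kernel reports that netstat does not show, sorted."""
    return sorted(kernel_tcp_ports(proc_net_tcp) - netstat_tcp_ports(netstat_an))
```

On a live host, feed `open("/proc/net/tcp").read()` and the output of `netstat -an` to `hidden_ports`; if a port is reported but `matches_reference("/bin/netstat")` is true, the listing came from a clean binary and the port was most likely transient.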
