Try taking the suspect version of netstat over to a machine running a live CD and comparing the hash with a known good version. Keep in mind that the version could legitimately be different from release if an update has been made.
On Mon, 3 Aug 2009 02:29:41 -0700 (PDT), jack <[email protected]> wrote:
> Update on subject... What I did since last email:
>
> -disabled prelinker (removed it from cron.daily)
> -mounted centos 5.3 live cd as read only and copied netstat and some
> other binaries over existing ones
> -started auditing on netstat and other binaries...
>
> But today again ossec reported rootkit detection hidden tcp:
>
> -----
> 2009 Aug 03 06:32:28 Rule Id: 510 level: 7
> Location: sytech->rootcheck
> Host-based anomaly detection event (rootcheck).
> Port '58536'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> 2009 Aug 03 06:32:25 Rule Id: 510 level: 7
> Location: sytech->rootcheck
> Host-based anomaly detection event (rootcheck).
> Port '51156'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> 2009 Aug 03 06:32:23 Rule Id: 510 level: 7
> Location: sytech->rootcheck
> Host-based anomaly detection event (rootcheck).
> Port '47873'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
> ---
>
> Ausearch -f /bin/netstat shows activity at these hours, but I can't get
> any useful information out of it:
>
> ------------
> log here: http://www.filedropper.com/audit-netstat
> ------------
>
> I read most of ossec archive's mails on subject, but I am afraid that
> this is not a false positive, as it is periodic (every 1-2 days).
>
> Remembering back - the only suspicious file I ran on this box was the
> "vmware-linux-keygen"... which might be what infected this box.
>
> If anyone has any idea what to do to neutralize it, please let me know
> or email me at jaka.mele AT g mail...
>
> thanks
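The rule 510 alerts quoted above come from rootcheck's hidden-port test, which tries to bind each TCP port and compares the result with what netstat prints. Below is an added example of that check in Python, written for this reply and not OSSEC's own code; it assumes `netstat -ant` output in the usual Linux layout, embeds a constructed sample, and probes each suspect port twice so that a connection that was busy only for an instant does not get reported.

```python
import errno
import socket
import subprocess

# Constructed sample of `netstat -ant` output (not taken from the box in the thread).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 10.0.0.5:51156          10.0.0.9:443            ESTABLISHED
"""

def port_in_use(port):
    """Ask the kernel directly: a bind() that fails with EADDRINUSE means some
    socket, whether netstat shows it or not, already owns the port. Run as root
    so that ports below 1024 fail with EADDRINUSE rather than EACCES."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("", port))
        except OSError as e:
            return e.errno == errno.EADDRINUSE
    return False

def listed_ports(netstat_output):
    """Local TCP ports that netstat admits to (tcp and tcp6 rows)."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("tcp"):
            port = fields[3].rsplit(":", 1)[-1]   # works for 0.0.0.0:22 and :::80
            if port.isdigit():
                ports.add(int(port))
    return ports

def hidden_ports(netstat_output, ports, in_use=port_in_use):
    """Ports the kernel says are busy but netstat never listed. The second
    probe drops ports that were only momentarily in use (a short outbound
    connection in the ephemeral range), a common source of false alarms."""
    shown = listed_ports(netstat_output)
    suspects = [p for p in ports if p not in shown and in_use(p)]
    return sorted(p for p in suspects if in_use(p))

def snapshot_netstat():
    """Run the (possibly trojaned) netstat and capture what it prints."""
    return subprocess.run(["netstat", "-ant"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    print("hidden:", hidden_ports(snapshot_netstat(), range(1, 65536)))
```

A port that stays busy across both probes yet never appears in netstat is worth comparing against `cat /proc/net/tcp`, which bypasses the netstat binary entirely.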
