a reaaaally long time ago i asked the same question about "hacked netstat"
Daniel told me that it can happen on systems with lots of connections because ossec compares the output of netstat with the actual socket count, so, if in the time between that ossec takes the number from netstat and from the kernel there's a connection or disconnection, ossec will have different numbers, then, hacked netstat. This was around a year - year & 1/2 ago, i can't find the email now. cheers!

On Aug 3, 2009, at 10:51 AM, Michael Starks wrote:

> Try taking the suspect version of netstat over to a machine running a live
> cd and compare the hash with a known good version. Keep in mind that the
> version could legitimately be different from release if an update has been
> made.
>
> On Mon, 3 Aug 2009 02:29:41 -0700 (PDT), jack <[email protected]> wrote:
>> Update on subject... What i did since last email:
>>
>> -disabled prelinker (removed it from cron.daily)
>> -mounted centos 5.3 live cd as read only and copied netstat and some
>> other binaries over existing ones
>> -started auditing on netstat and other binaries...
>>
>> But today again ossec reported rootkit detection hidden tcp:
>>
>> -----
>> 2009 Aug 03 06:32:28 Rule Id: 510 level: 7
>> Location: sytech->rootcheck
>> Host-based anomaly detection event (rootcheck).
>> Port '58536'(tcp) hidden. Kernel-level rootkit or trojaned version of
>> netstat.
>>
>> 2009 Aug 03 06:32:25 Rule Id: 510 level: 7
>> Location: sytech->rootcheck
>> Host-based anomaly detection event (rootcheck).
>> Port '51156'(tcp) hidden. Kernel-level rootkit or trojaned version of
>> netstat.
>>
>> 2009 Aug 03 06:32:23 Rule Id: 510 level: 7
>> Location: sytech->rootcheck
>> Host-based anomaly detection event (rootcheck).
>> Port '47873'(tcp) hidden. Kernel-level rootkit or trojaned version of
>> netstat.
>> ---
>>
>> ausearch -f /bin/netstat shows activity at these hours, but i can't get
>> any useful information out of it:
>>
>> ------------
>> log here: http://www.filedropper.com/audit-netstat
>> ------------
>>
>> I read most of ossec archive's mails on subject, but i am afraid that
>> this is not false-positive, as it is periodic (every 1-2 days).
>>
>> Remembering back - the only suspicious file i ran on this box was the
>> "vmware-linux-keygen"... which might be what infected this box.
>>
>> If anyone has any idea what to do to neutralize it, please let me know
>> or email me at jaka.mele AT g mail...
>>
>> thanks

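The sampling race described in the reply above (netstat and the kernel socket table read at slightly different moments, so a connection that opens or closes in between shows up as a "hidden" port) can be reproduced with a few lines of Python. This is an added example, not OSSEC's rootcheck code and not anything from the thread: the /proc/net/tcp excerpts and the netstat output are constructed sample data, the function names are mine, and port 58536 is simply the first port from jack's rule 510 alerts. The naive single-pass diff produces the spurious alert; re-sampling the kernel table before alerting drops a port that merely closed between the two reads, while a port that the kernel keeps reporting and netstat keeps omitting is still flagged.

```python
# Added example (not OSSEC's code): reproduce the netstat-vs-kernel
# comparison the thread describes, show how the sampling race yields a
# spurious "hidden port", and remove it by re-sampling before alerting.
# All /proc/net/tcp excerpts and netstat output below are constructed.

# Constructed /proc/net/tcp snapshot at time t0: sshd listening on 22 and a
# short-lived local connection using ephemeral port 58536 (0xE4A8).
# st column: 0A = LISTEN, 01 = ESTABLISHED.
PROC_NET_TCP_T0 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:E4A8 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 20 4 30 10 -1
"""

# Constructed snapshot at t2, after the ephemeral connection has closed.
PROC_NET_TCP_T2 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
"""

# Constructed `netstat -ant` output taken at t1, between t0 and t2: the
# connection on 58536 had already gone away when netstat ran.
NETSTAT_T1 = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""


def kernel_ports(proc_net_tcp):
    """Local ports the kernel reports as LISTEN or ESTABLISHED.

    /proc/net/tcp stores addresses as hex IP:PORT, so the port is the text
    after the last colon, parsed with base 16."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state in ("0A", "01"):
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def netstat_ports(netstat_output):
    """Local ports that netstat printed (tcp and tcp6 rows)."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("tcp") and len(fields) >= 4:
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def naive_hidden_ports(kernel_snapshot, netstat_output):
    """Single-pass comparison with no re-sampling: what produces the false alert."""
    return sorted(kernel_ports(kernel_snapshot) - netstat_ports(netstat_output))


def hidden_ports(kernel_snapshot, netstat_output, resample):
    """Ports the kernel knows about that netstat did not show.

    `resample` is a callable returning a fresh /proc/net/tcp snapshot. A
    candidate that has vanished from the fresh snapshot was a socket that
    closed between the two reads (the race described in the thread) and is
    dropped; one that is still present is reported as hidden."""
    candidates = kernel_ports(kernel_snapshot) - netstat_ports(netstat_output)
    return sorted(p for p in candidates if p in kernel_ports(resample()))


if __name__ == "__main__":
    print("naive:", naive_hidden_ports(PROC_NET_TCP_T0, NETSTAT_T1))  # [58536]
    print("re-sampled:", hidden_ports(PROC_NET_TCP_T0, NETSTAT_T1, lambda: PROC_NET_TCP_T2))  # []
    # A socket still present on re-sample that netstat never shows is the
    # case that actually deserves the rule 510 alert.
    print("persistent:", hidden_ports(PROC_NET_TCP_T0, NETSTAT_T1, lambda: PROC_NET_TCP_T0))  # [58536]
```

On a live host the two constants would be replaced by `open("/proc/net/tcp").read()` and the output of `netstat -ant`; the re-sample is what turns a one-off timing difference into a non-alert, while a port that persists across reads but never appears in netstat remains the signal that either the binary or the kernel view has been tampered with.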