Here's an MD5 from my fully up-to-date CentOS 5.3 version of netstat (which I cannot conclusively say is safe, but which rootcheck does not alert on):

69f1c15fde35cda879f00c2fcb62041d /bin/netstat

On Mon, 3 Aug 2009 07:32:33 -0500, "[email protected]" <[email protected]> wrote:
> I've seen this false before, many times, especially on Debian systems.
> Here are some MD5/SHA1 sums from CentOS 5.3, 32-bit, for a clean
> executable. If yours match then it's a false positive. This system is
> not pre-linked.
>
> net-tools 1.60
> netstat 1.42 (2001-04-15)
> Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang
> and others
> +NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
> AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
> HW: +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE
> +ASH +SIT +FDDI +HIPPI +HDLC/LAPB
>
> md5: 73d1631326c37fc944fc205e494aa12b */bin/netstat
> sha1: 4ab0e42277674c7a2ec5cab854a5b0c9daa2deb5 /bin/netstat
>
>
>
> jack wrote:
>> Update on subject... What I did since last email:
>>
>> - disabled prelinker (removed it from cron.daily)
>> - mounted CentOS 5.3 live CD as read-only and copied netstat and some
>> other binaries over existing ones
>> - started auditing on netstat and other binaries...
>>
>> But today again OSSEC reported rootkit detection hidden tcp:
>>
>> -----
>> 2009 Aug 03 06:32:28 Rule Id: 510 level: 7
>> Location: sytech->rootcheck
>> Host-based anomaly detection event (rootcheck).
>> Port '58536'(tcp) hidden. Kernel-level rootkit or trojaned version of
>> netstat.
>>
>> 2009 Aug 03 06:32:25 Rule Id: 510 level: 7
>> Location: sytech->rootcheck
>> Host-based anomaly detection event (rootcheck).
>> Port '51156'(tcp) hidden. Kernel-level rootkit or trojaned version of
>> netstat.
>>
>> 2009 Aug 03 06:32:23 Rule Id: 510 level: 7
>> Location: sytech->rootcheck
>> Host-based anomaly detection event (rootcheck).
>> Port '47873'(tcp) hidden. Kernel-level rootkit or trojaned version of
>> netstat.
>> ---
>>
>> ausearch -f /bin/netstat shows activity at these hours, but I can't get
>> any useful information out of it:
>>
>> ------------
>> log here: http://www.filedropper.com/audit-netstat
>> ------------
>>
>> I read most of the OSSEC archive's mails on the subject, but I am afraid that
>> this is not a false positive, as it is periodic (every 1-2 days).
>>
>> Remembering back - the only suspicious file I ran on this box was the
>> "vmware-linux-keygen"... which might be what infected this box.
>>
>> If anyone has any idea what to do to neutralize it, please let me know
>> or email me at jaka.mele AT g mail...
>>
>> thanks
>>
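For anyone reproducing the check outside OSSEC: rootcheck's hidden-port test tries to bind() every TCP port and then compares the ports that refused the bind against what netstat lists; a port that is in use but absent from netstat is reported with the rule 510 message above. The two steps are not atomic, so an outbound connection that opens or closes between the bind probe and the netstat run shows up as "hidden" even on a clean host. The three ports in jack's alerts (58536, 51156, 47873) all sit inside the 32768 to 61000 range that CentOS 5 hands out for ephemeral source ports, which is consistent with that race, though it does not prove it. The script below is an added example, not OSSEC code and not something posted in this thread: it re-implements the probe-and-compare logic in Python and, unlike a single-pass check, re-probes and re-lists each candidate before flagging it. The netstat sample embedded in it is constructed for the test; the `scan()` function runs the real `netstat -ant` when no listing is supplied.

```python
import errno
import re
import socket
import subprocess

# Constructed sample of `netstat -ant` output (not taken from the thread);
# the live scan replaces it with the real command output.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:51156      192.168.1.20:443        ESTABLISHED
tcp        0      0 :::80                   :::*                    LISTEN
"""

# Proto, Recv-Q, Send-Q, then "addr:port"; the address may itself contain
# colons (IPv6), so the port is whatever follows the last colon.
_NETSTAT_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def ports_from_netstat(text):
    """Local TCP ports that a `netstat -ant` listing shows, in any state."""
    ports = set()
    for line in text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def port_in_use(port):
    """The bind probe: True if bind() on the port fails with EADDRINUSE.

    Returns None when the kernel refuses the bind for another reason
    (e.g. EACCES on a privileged port when not running as root), so the
    caller can tell "in use" from "could not test".
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("", port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        return None
    finally:
        s.close()


def hidden_ports(in_use, listed, reprobe=None, relist=None):
    """Ports that the bind probe found taken but the listing omits.

    A connection can open or close between the probe and the netstat run,
    so a first-pass candidate is only an alarm if it is still in use and
    still unlisted on a second look. Without reprobe/relist the raw
    difference is returned, which is the single-pass behaviour that turns
    short-lived outbound connections on ephemeral ports into alerts.
    """
    candidates = set(in_use) - set(listed)
    if reprobe is None or relist is None:
        return candidates
    confirmed = set()
    for port in sorted(candidates):
        if reprobe(port) is True and port not in relist():
            confirmed.add(port)
    return confirmed


def scan(first=1, last=65535, listing=None, probe=port_in_use):
    """Probe every port in [first, last], list once, compare, then re-check.

    `listing` is a zero-argument callable returning netstat text; it
    defaults to running the real `netstat -ant` on this host.
    """
    if listing is None:
        def listing():
            return subprocess.run(["netstat", "-ant"], capture_output=True,
                                  text=True, check=True).stdout
    in_use = {p for p in range(first, last + 1) if probe(p) is True}
    listed = ports_from_netstat(listing())
    return hidden_ports(in_use, listed, reprobe=probe,
                        relist=lambda: ports_from_netstat(listing()))


if __name__ == "__main__":
    # Run as root so privileged ports are probed rather than skipped.
    for port in sorted(scan()):
        print("Port '%d'(tcp) in use but not shown by netstat" % port)
```

A port that survives the second look is still worth treating as a real finding; the re-check only removes the transient ones. If a port keeps reappearing across runs at the same moment each day, correlate it with cron and with the auditd records for the process that held it rather than with netstat alone, since a kernel-level hook would hide it from /proc/net/tcp and from every userland tool that reads it.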
