Hi all, thanks for the great replies! I am currently running a netstat I copied from a livecd. After one day its md5sum still matches the original's and is the same as a few of you listed here. Thanks.
Also thanks Daniel for the last reply - since my server is not really busy I was afraid that the reason for these alerts is not "lots of connections", but now if bind is on the list I am more positive... I do have bind running and it is for some 100 domains... Here is the list of active services:

[r...@sytech ~]# chkconfig --list | grep 5:on
acpid           0:off 1:off 2:on  3:on  4:on  5:on  6:off
anacron         0:off 1:off 2:on  3:on  4:on  5:on  6:off
auditd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
autofs          0:off 1:off 2:off 3:on  4:on  5:on  6:off
crond           0:off 1:off 2:on  3:on  4:on  5:on  6:off
dhcpd           0:off 1:off 2:off 3:off 4:off 5:on  6:off
dovecot         0:off 1:off 2:off 3:off 4:off 5:on  6:off
gpm             0:off 1:off 2:on  3:on  4:on  5:on  6:off
haldaemon       0:off 1:off 2:off 3:on  4:on  5:on  6:off
httpd           0:off 1:off 2:off 3:off 4:off 5:on  6:off
iptables        0:off 1:off 2:on  3:on  4:on  5:on  6:off
lm_sensors      0:off 1:off 2:on  3:on  4:on  5:on  6:off
mdmonitor       0:off 1:off 2:on  3:on  4:on  5:on  6:off
messagebus      0:off 1:off 2:off 3:on  4:on  5:on  6:off
milter-greylist 0:off 1:off 2:off 3:off 4:off 5:on  6:off
mysqld          0:off 1:off 2:off 3:off 4:off 5:on  6:off
named           0:off 1:off 2:off 3:off 4:off 5:on  6:off
netfs           0:off 1:off 2:off 3:on  4:on  5:on  6:off
network         0:off 1:off 2:on  3:on  4:on  5:on  6:off
ntpd            0:off 1:off 2:off 3:off 4:off 5:on  6:off
ossec           0:off 1:off 2:on  3:on  4:on  5:on  6:off
readahead_early 0:off 1:off 2:on  3:on  4:on  5:on  6:off
readahead_later 0:off 1:off 2:off 3:off 4:off 5:on  6:off
saslauthd       0:off 1:off 2:off 3:off 4:off 5:on  6:off
sendmail        0:off 1:off 2:on  3:on  4:on  5:on  6:off
smartd          0:off 1:off 2:on  3:on  4:on  5:on  6:off
smb             0:off 1:off 2:off 3:off 4:off 5:on  6:off
sshd            0:off 1:off 2:on  3:on  4:on  5:on  6:off
syslog          0:off 1:off 2:on  3:on  4:on  5:on  6:off
vsftpd          0:off 1:off 2:off 3:off 4:off 5:on  6:off
xfs             0:off 1:off 2:on  3:on  4:on  5:on  6:off

Also I disabled vmware at the moment, since I was (hoping) this might be the cause of the false positives...
Daniel: is there a way to tell OSSEC to run any command, like:

$ fuser -n tcp $port
or
$ lsof -i tcp:$port

if it detects these hidden ports? I was also thinking of creating a script that would scan all open ports (netstat) every second, run these two commands on them (if higher than 35000) and log this... If I understand correctly this should help to resolve this mystery, and... point to bind? Can anyone help me with such a script, as I am more of a rookie bash programmer :) - but first - is it even viable to do it?

thanks, Jaka
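The script Jaka asks for, as an added example that is not from the original thread or from the OSSEC project: it polls the listening TCP ports once a second, and for every port above a threshold it records which process owns it using the two commands named in the post. The threshold (35000), the log path and the constructed sample netstat output are assumptions chosen for illustration, not values from OSSEC's configuration or from Jaka's server.

```shell
#!/bin/sh
# Added example (not from the original thread): poll listening TCP ports and,
# for every port above THRESHOLD, log which process owns it.
# Assumes netstat, fuser and lsof are installed. THRESHOLD and LOGFILE are
# illustrative choices, not values taken from OSSEC.

THRESHOLD=35000
LOGFILE=/var/log/high-port-monitor.log   # assumed path

# Constructed sample of "netstat -tln" output, used for the demo and the test.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:41231               0.0.0.0:*                   LISTEN
tcp6       0      0 :::80                       :::*                        LISTEN
tcp6       0      0 :::52014                    :::*                        LISTEN'

# high_ports MIN: read "netstat -tln" output on stdin, print the local TCP
# ports numerically greater than MIN, one per line. The local address is the
# 4th column; everything up to the last colon is stripped, which also handles
# IPv6 forms such as ":::80".
high_ports() {
    awk -v min="$1" '
        $1 ~ /^tcp/ {
            port = $4
            sub(/.*:/, "", port)
            if (port + 0 > min + 0) print port
        }'
}

# identify_port PORT: print a timestamped record of the process(es) owning the
# port, using fuser and lsof exactly as asked in the post. Each tool is skipped
# if it is not installed; output is prefixed so the two tools are told apart.
identify_port() {
    port=$1
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    echo "$stamp port $port"
    if command -v fuser >/dev/null 2>&1; then
        fuser -n tcp "$port" 2>&1 | sed 's/^/  fuser: /'
    fi
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i tcp:"$port" 2>&1 | sed 's/^/  lsof:  /'
    fi
}

# scan_once: read netstat output on stdin and identify every high port in it.
scan_once() {
    high_ports "$THRESHOLD" | while read -r p; do
        identify_port "$p"
    done
}

# monitor_loop: the once-a-second poll the post describes, appending to LOGFILE.
monitor_loop() {
    while :; do
        netstat -tln 2>/dev/null | scan_once >> "$LOGFILE"
        sleep 1
    done
}

# Usage:  sh high-port-monitor.sh run    (poll forever, log to LOGFILE)
#         sh high-port-monitor.sh once   (single pass, print to stdout)
#         sh high-port-monitor.sh demo   (run the scan over the sample output)
case "${1:-}" in
    run)  monitor_loop ;;
    once) netstat -tln 2>/dev/null | scan_once ;;
    demo) printf '%s\n' "$SAMPLE_NETSTAT" | scan_once ;;
esac
```

Two caveats when reading the log: a one-second poll still misses sockets that live for less time than that, so a port that OSSEC reports and the script never sees is not proof that nothing owned it; and when run as root, `netstat -tlnp` already prints the owning PID and program name in its last column, which makes the fuser/lsof step optional on the listening side.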
