Hello everyone,

I've run into a problem with a number of rootcheck alerts lately that I have not been able to verify nor mark as a false positive. I'm wondering if anyone else has run into this before and/or might be able to give me some tips on what else I can do to determine if this is a problem or not.

I've been running ossec in our environment for a year and a half now, and have run into a rootcheck alert behavior on one of my systems over the last week that I have not seen before on any of my systems. I have seen rootcheck alerts reporting that a port is hidden and that there may be a kernel-level rootkit or trojaned version of netstat. From reading on this list, when it's a high-end port (over 40000 or so) it's typically a false positive, and will be seen often on systems with a lot of outbound activity. When rootcheck checks what ports are open in /proc and netstat, an outgoing port could be closed between the two checks, creating the false positive. The systems I have seen this behavior on have fit this profile.

On the system in question, we upgraded the ossec-agent from 1.6 to 2.1.1. The agent has been running on the system for a year with no rootcheck alerts, and started reporting a number of hidden ports in the rootchecks since the upgrade. I think the timing is pure coincidence, as over a hundred other systems have had their agents also upgraded over the last few months, and the other systems running the same kernel and OS (FC3) as this one do not show the same behavior. What also stands out is that most of the ports being deemed as "hidden" are known ports and running on the system. Because of this and the fact that this has been happening daily (as opposed to just a day with false positives in the past), I've been trying to figure out if this is a true problem or a false positive.

Here is what I have done so far:

1. I've verified only one netstat running on the system. It's been monitored by ossec since the agent was installed on the system a year ago and the file has been unchanged.
2. I've compared the kernel modules (ls and checksums of *.ko files in /lib) on this system and a like system and there is no difference.
3. I've run lsof and netstat commands and was able to recreate the problem with only two of the ports and not all 19 as rootcheck has been able to do daily.

Any suggestions?

Results of rootcheck_control -i <id>:

Policy and auditing events for agent <snip>

Resolved events:

2009 Oct 04 01:03:41 (first time detected: 2009 Oct 01 16:43:35) System Audit: Port '44695'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 04 01:03:46 (first time detected: 2009 Oct 01 16:43:39) System Audit: Port '58464'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

Outstanding events:

2009 Oct 06 01:05:06 (first time detected: 2009 Oct 01 16:43:12) System Audit: Port '21'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:09 (first time detected: 2009 Oct 01 16:43:12) System Audit: Port '25'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:11 (first time detected: 2009 Oct 01 16:43:15) System Audit: Port '111'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:13 (first time detected: 2009 Oct 01 16:43:16) System Audit: Port '199'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:15 (first time detected: 2009 Oct 01 16:43:19) System Audit: Port '514'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:17 (first time detected: 2009 Oct 01 16:43:21) System Audit: Port '661'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:19 (first time detected: 2009 Oct 01 16:43:22) System Audit: Port '707'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:21 (first time detected: 2009 Oct 01 16:43:25) System Audit: Port '2049'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:23 (first time detected: 2009 Oct 01 16:43:27) System Audit: Port '5308'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:25 (first time detected: 2009 Oct 01 16:43:29) System Audit: Port '5335'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:28 (first time detected: 2009 Oct 01 16:43:33) System Audit: Port '32769'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:34 (first time detected: 2009 Oct 01 16:43:37) System Audit: Port '55554'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:36 (first time detected: 2009 Oct 01 16:43:40) System Audit: Port '63210'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:40 (first time detected: 2009 Oct 01 16:43:45) System Audit: Port '111'(udp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:43 (first time detected: 2009 Oct 01 16:43:46) System Audit: Port '123'(udp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:45 (first time detected: 2009 Oct 01 16:43:50) System Audit: Port '161'(udp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:47 (first time detected: 2009 Oct 01 16:43:51) System Audit: Port '162'(udp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:47 (first time detected: 2009 Oct 01 16:43:51) System Audit: Excessive number of 'udp' ports hidden. It maybe a false-positive or something really bad is going on.
2009 Oct 06 01:05:04 (first time detected: 2009 Oct 02 01:06:38) System Audit: Port '13'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:38 (first time detected: 2009 Oct 02 01:07:12) System Audit: Port '13'(udp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 05 01:04:50 (first time detected: 2009 Oct 05 01:04:50) System Audit: Port '658'(udp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 05 01:04:52 (first time detected: 2009 Oct 05 01:04:52) System Audit: Port '704'(udp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:30 (first time detected: 2009 Oct 06 01:05:30) System Audit: Port '36487'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
2009 Oct 06 01:05:32 (first time detected: 2009 Oct 06 01:05:32) System Audit: Port '42804'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
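The post describes the comparison behind these alerts (sockets the kernel knows about versus what netstat prints) and the race that makes a high ephemeral port look "hidden" when a connection closes between the two reads. The script below is an added example, not OSSEC rootcheck code and not something from the original post: it parses /proc/net/{tcp,udp} and `netstat -an` output, takes the difference, and then takes the same comparison twice so that a port hidden in only one snapshot (the race) is separated from a port hidden in both, which is the case that deserves attention. Hidden ports are further split into the ephemeral range and everything else, since the poster's list is mostly well-known service ports. It assumes the Linux /proc/net table layout, a `netstat` binary on the PATH, and an ephemeral range of 32768 to 60999 when run offline; the sample /proc and netstat text at the bottom is constructed.

```python
#!/usr/bin/env python3
"""Compare /proc/net sockets with netstat output, twice, to tell a transient
discrepancy from a persistently hidden port. Added example; not OSSEC code.
The sample data at the bottom is constructed."""
import re
import subprocess
import time

# /proc/net/tcp|tcp6|udp|udp6 rows: "sl local_address rem_address st ...",
# local_address is HEXIP:HEXPORT (8 hex digits for IPv4, 32 for IPv6).
PROC_ROW = re.compile(r"^\s*\d+:\s+[0-9A-Fa-f]+:([0-9A-Fa-f]{4})\s+")
# `netstat -an` rows: "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN" / "tcp6 0 0 :::22 ..."
NETSTAT_ROW = re.compile(r"^(tcp|udp)\S*\s+\d+\s+\d+\s+\S+:(\d+)\s+")
DEFAULT_EPHEMERAL = (32768, 60999)  # assumed ip_local_port_range for offline use

def proc_ports(text):
    """Local ports (ints) from one /proc/net/{tcp,udp}{,6} dump."""
    ports = set()
    for line in text.splitlines()[1:]:          # line 0 is the column header
        m = PROC_ROW.match(line)
        if m:
            ports.add(int(m.group(1), 16))
    return ports

def netstat_ports(text):
    """{'tcp': set, 'udp': set} of local ports from `netstat -an` output."""
    ports = {"tcp": set(), "udp": set()}
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            ports[m.group(1)].add(int(m.group(2)))
    return ports

def hidden_ports(proc, netstat):
    """Ports the kernel lists in /proc but netstat does not show, per protocol."""
    return {proto: proc[proto] - netstat[proto] for proto in ("tcp", "udp")}

def persistent_hidden(first, second):
    """Hidden in both snapshots; hidden in only one usually means the socket
    closed between the /proc read and the netstat run."""
    return {proto: first[proto] & second[proto] for proto in ("tcp", "udp")}

def classify(hidden, ephemeral=DEFAULT_EPHEMERAL):
    """Split hidden ports into the ephemeral range (outbound connections, the
    usual false-positive case) and service ports, which need a closer look."""
    lo, hi = ephemeral
    return {
        proto: {
            "ephemeral": {p for p in ports if lo <= p <= hi},
            "service": {p for p in ports if not lo <= p <= hi},
        }
        for proto, ports in hidden.items()
    }

def live_snapshot():
    """Linux only: read /proc/net and run netstat as close together as possible."""
    proc = {"tcp": set(), "udp": set()}
    for proto in proc:
        for path in (f"/proc/net/{proto}", f"/proc/net/{proto}6"):
            try:
                with open(path) as fh:
                    proc[proto] |= proc_ports(fh.read())
            except OSError:
                pass                                # e.g. no IPv6 table
    ns = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False)
    return hidden_ports(proc, netstat_ports(ns.stdout))

def live_check(delay=2.0):
    """Two live snapshots a few seconds apart, classified."""
    first = live_snapshot()
    time.sleep(delay)
    return classify(persistent_hidden(first, live_snapshot()))

# Constructed sample: /proc shows 21/tcp, 25/tcp, 44695/tcp and 123/udp;
# netstat shows 25/tcp and 123/udp only.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 0100007F:AE97 0200A8C0:0050 01 00000000:00000000 00:00000000 00000000   500        0 1003 1 0 100 0 0 10 0
"""
SAMPLE_PROC_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1004 2 0 0
"""
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

def demo():
    """First snapshot from the sample; in the second the ephemeral connection
    (44695) has closed, so only 21/tcp stays hidden."""
    proc1 = {"tcp": proc_ports(SAMPLE_PROC_TCP), "udp": proc_ports(SAMPLE_PROC_UDP)}
    ns = netstat_ports(SAMPLE_NETSTAT)
    first = hidden_ports(proc1, ns)
    proc2 = {"tcp": proc1["tcp"] - {44695}, "udp": proc1["udp"]}
    second = hidden_ports(proc2, ns)
    return classify(persistent_hidden(first, second))

if __name__ == "__main__":
    print(demo())          # {'tcp': {'ephemeral': set(), 'service': {21}}, 'udp': {...}}
```

On a live host, `live_check()` needs to run with enough privilege to read every /proc/net table; a service port such as 21 or 25 that still shows up under "service" after both snapshots is the result worth comparing against the binary integrity and module checks the post already lists, since a transient ephemeral port is the race and not a hidden listener.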
