On Tue, 6 Oct 2009 12:40:39 -0700 (PDT), Chad Glynn <[email protected]> wrote:

> I've been running ossec in our environment for a year and a half
> now, and have run into a rootcheck alert behavior on one of my systems over
> the last week I have not seen before on any of my systems.

What changed in the environment that you know of? Were any new applications installed?

> 1. I've verified only one netstat running on the system. It's been monitored
> by ossec since the agent was installed on the system a year ago and the
> file has been unchanged.
> 2. I've compared the kernel modules (ls and checksums of *.ko files in
> /lib) in this system and a like system and there is no difference.
> 3. I've run lsof and netstat commands and was able to recreate the problem
> with only two of the ports and not all 19 as rootcheck has been able to do
> daily.

If the system truly is rooted, all of those steps may be for naught. How do you know the tools you're using to do the verification haven't been modified? How do you know the kernel is telling you the truth?

I would take the system offline immediately, take a forensically sound image and examine the checksums from a known-good system. While it's down, it also wouldn't be a bad idea to run chkrootkit and/or rootkit hunter from a live CD.

-- 
Michael Starks
Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty
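The checksum comparison the reply recommends, as an added example that is not part of the thread and not OSSEC's own code: hash every regular file under a mounted known-good tree and under the mounted suspect image, then report files that differ, are missing, or were added. The manifest layout (relative path to SHA-256) and the two small sample trees are constructed here to stand in for the real mounts; the tampering on the suspect side is invented for illustration.

```python
"""
Added example (not from the OSSEC list thread, not from OSSEC itself).
Compare a suspect image's binaries against a manifest taken from a
known-good system of the same build, offline, using hashes computed
by the examining host rather than by tools on the suspect system.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Walk a tree (a known-good box or a mounted image) and map
    root-relative path -> sha256, so two different mount points compare."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash link targets, not the links themselves
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare(good, suspect):
    """Return the three findings an examiner wants: modified, missing, extra."""
    modified = sorted(p for p in good if p in suspect and good[p] != suspect[p])
    missing = sorted(p for p in good if p not in suspect)
    extra = sorted(p for p in suspect if p not in good)
    return {"modified": modified, "missing": missing, "extra": extra}


def demo():
    """Constructed sample: two temporary trees stand in for the known-good
    system and the mounted suspect image. On the suspect side, bin/netstat
    is replaced, bin/lsof is removed and a hidden file is added."""
    with tempfile.TemporaryDirectory() as tmp:
        good_root = os.path.join(tmp, "good")
        bad_root = os.path.join(tmp, "suspect")
        sample = {
            "bin/netstat": b"ELF netstat original",
            "bin/ls": b"ELF ls",
            "bin/lsof": b"ELF lsof",
        }
        for root in (good_root, bad_root):
            os.makedirs(os.path.join(root, "bin"))
            for rel, data in sample.items():
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(data)
        # Tamper with the suspect tree (constructed, for illustration only).
        with open(os.path.join(bad_root, "bin/netstat"), "wb") as f:
            f.write(b"ELF netstat replaced")
        os.remove(os.path.join(bad_root, "bin/lsof"))
        with open(os.path.join(bad_root, "bin/.hidden"), "wb") as f:
            f.write(b"x")
        return compare(build_manifest(good_root), build_manifest(bad_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against real mounts by calling build_manifest() on the known-good root and on the read-only mounted image, then compare() the two; the point of doing the hashing from a separate examining host is that neither the suspect kernel nor its netstat, ls or lsof binaries take part in producing the answer.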
