Hello all. Yesterday I had an RHEL4 server running the OSSEC agent (2.2) that was experiencing (seemingly) spontaneously high load. I was able to track it down to a series of netstat and grep commands, part of the following:
sh -c netstat -an | grep "^tcp" | grep "[^0-9]52128 "

The command was being run repeatedly and the port number either incrementing or seemingly random. Thinking that this might be the rootkit checker component of OSSEC, I shut down the agent and the commands stopped. Can anyone confirm if this command is used by OSSEC to detect open ports, and suggest why, when the agent has been running for a month without issue, this would happen so suddenly? Any input would be greatly appreciated. Thanks, Dan
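Added example (not code from the post or from the OSSEC project): it shows what the grep pipeline in the question actually matches, and the single-pass comparison a "port in use but not reported by netstat" check needs. The netstat output is constructed, and it is assumed the caller already knows which ports are in use (for instance from failed bind attempts).

```python
import re

# Constructed sample of `netstat -an` output; not taken from the original post.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:52128          10.0.0.9:443            ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def port_visible(netstat_output, port):
    """Mirror of: netstat -an | grep "^tcp" | grep "[^0-9]PORT ".

    The leading [^0-9] and the trailing space keep 2128 from matching
    inside :52128; note the grep also matches the Foreign Address column.
    """
    pattern = re.compile(r"[^0-9]%d " % port)
    return any(line.startswith("tcp") and pattern.search(line)
               for line in netstat_output.splitlines())


def visible_local_tcp_ports(netstat_output):
    """One pass over the output: the local TCP ports netstat reports."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        local_addr = fields[3]                 # e.g. 10.0.0.5:52128
        ports.add(int(local_addr.rsplit(":", 1)[1]))
    return ports


def hidden_ports(in_use, netstat_output):
    """Ports known to be in use that netstat does not list.

    A non-empty result is what a hidden-port check would flag; `in_use`
    is assumed to come from the caller (e.g. ports whose bind() failed).
    """
    return set(in_use) - visible_local_tcp_ports(netstat_output)
```

Running the original pipeline spawns a shell, a netstat and two greps for every port checked, which is where the load in the question comes from; parsing the output once, as above, costs a single netstat.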
