Dan Denton wrote:
> Hello all. Yesterday I had an RHEL4 server running the OSSEC agent (2.2)
> that was experiencing (seemingly) spontaneously high load. I was able to
> track it down to a series of netstat and grep commands, part of the
> following:
>
> sh -c netstat -an | grep "^tcp" | grep "[^0-9]52128 "
>
> The command was being run repeatedly and the port number either
> incrementing or seemingly random. Thinking that this might be the
> rootkit checker component of OSSEC, I shut down the agent and the
> commands stopped. Can anyone confirm if this command is used by OSSEC to
> detect open ports, and suggest why, when the agent has been running for
> a month without issue, this would happen so suddenly?

Hello Dan,

Yes, a quick grep of the source confirms this. It is in
src/rootcheck/check_rc_ports.c. Daniel has spoken of making rootcheck a
bit more CPU friendly, so I think this is "expected" behavior currently.

--
Michael Starks [I] Immutable Security
http://www.immutablesecurity.com
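The netstat/grep pipeline quoted in the thread, as an added shell example (not OSSEC's rootcheck code), run against a constructed netstat -an sample: it shows what the "[^0-9]" and trailing space in the pattern guard against, that the pattern also matches foreign-address ports, and a single-pass parse of the table that avoids forking two greps for every port tested.

```shell
#!/bin/sh
# Added example, not OSSEC code: the per-port netstat/grep test quoted in the
# thread, run against a constructed netstat -an sample, next to a single-pass
# version that parses the table once instead of forking two greps per port.

# Constructed sample output (not captured from a real host).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:52128         0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:34567          10.0.0.9:443            ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# The exact pipeline from the thread for one port. "[^0-9]" keeps 2128 from
# matching inside 52128; the trailing space keeps 22 from matching 2222.
# It scans the whole line, so a *foreign* port (443 above) matches as well.
port_in_use_grep() {
    printf '%s\n' "$NETSTAT_SAMPLE" | grep "^tcp" | grep "[^0-9]$1 " >/dev/null
}

# Single pass: take the port from the Local Address column of every tcp/tcp6
# row, once. Later membership tests need no further processes.
tcp_local_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" |
        awk '$1 ~ /^tcp/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# Computed once; each port_is_local call is then a pure shell string match.
LOCAL_PORTS=" $(tcp_local_ports | tr '\n' ' ') "

port_is_local() {
    case "$LOCAL_PORTS" in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}
```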
