Does the server spawn a very large number of new processes? Such as a large mail server, an Apache server with lots of CGI scripts, or a build server? The reason I ask is that, due to how this rootcheck alert works, there is a possible race condition between when it checks the output from netstat and the proc filesystem.
Sent from my iPhone

On Oct 13, 2010, at 7:41 AM, Bob Sauvage <[email protected]> wrote:

> Hello *,
>
> I often receive alerts like these:
>
> --------------------------------------------------------------------------------
> OSSEC HIDS Notification.
> 2010 Oct 13 13:19:26
>
> Received From: (xxx) xx.xx.xxx.xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Process '32242' hidden from /proc. Possible kernel level rootkit.
>
> --END OF NOTIFICATION
>
> --------------------------------------------------------------------------------
> OSSEC HIDS Notification.
> 2010 Oct 05 16:50:03
>
> Received From: (xxx) xx.xx.xxx.xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Port '43546'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
>
> --END OF NOTIFICATION
> --------------------------------------------------------------------------------
>
> Is it a false positive?
>
> I checked my version of netstat and it seems not to have any problem...
> But for the first alert, how can I check?
>
> Can someone reassure me ;)?
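As an added illustration of the race the reply above points at (example code written for this page; it is not OSSEC's rootcheck and not part of the thread): a simplified model of the two checks that re-samples before alerting. The real checks compare a process probe against /proc and ps, and a bind() attempt against netstat; here those sources are stand-in snapshots constructed inline, so nothing touches the live system. PID 32242 and port 43546 from the quoted alerts are modelled as short-lived (present for the probe, already gone when the listing is read), while PID 4242 and port 31337 are made-up values standing for something genuinely hidden.

```python
"""Simplified model of rootcheck's hidden-process and hidden-port checks,
with re-sampling so a PID or port that was merely transient between the two
data sources is not reported.  Example code for this thread, not OSSEC's
rootcheck; every snapshot below is constructed."""
import re
from collections import Counter

# --- parsers for the three listing sources --------------------------------

def pids_from_proc(entries):
    """PIDs visible as numeric directory names in a /proc listing."""
    return {int(name) for name in entries if name.isdigit()}

def pids_from_ps(ps_text):
    """PIDs from `ps -e` output: first column, header line skipped."""
    pids = set()
    for line in ps_text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

_NETSTAT_LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+)")

def ports_from_netstat(netstat_text):
    """(proto, port) pairs from the Local Address column of `netstat -an`."""
    ports = set()
    for line in netstat_text.splitlines():
        m = _NETSTAT_LINE.match(line)
        if m:
            proto, local = m.groups()
            ports.add((proto, int(local.rsplit(":", 1)[1])))
    return ports

# --- one-shot checks (the part that races) --------------------------------

def hidden_pids(probed, proc_entries, ps_text):
    """PIDs that answered a kill(pid, 0)-style probe but are absent from
    /proc or from ps.  A process that exited between the probe and the
    listing lands here although nothing is hidden."""
    visible = pids_from_proc(proc_entries) & pids_from_ps(ps_text)
    return set(probed) - visible

def hidden_ports(bound, netstat_text):
    """Ports that a bind() attempt reported in use but netstat did not list.
    A short-lived connection closing between the two reads lands here too."""
    return set(bound) - ports_from_netstat(netstat_text)

# --- re-sampling: only what stays hidden is interesting -------------------

def persistently_hidden(per_sample_results, min_hits=None):
    """Items reported hidden in at least min_hits samples (default: all).
    A race victim shows up once; a rootkit-hidden item shows up every time."""
    if min_hits is None:
        min_hits = len(per_sample_results)
    counts = Counter(item for result in per_sample_results for item in result)
    return {item for item, n in counts.items() if n >= min_hits}

# --- constructed snapshots (three consecutive runs) ------------------------
PROBED_PIDS = [{1, 2, 512, 4242, 32242}, {1, 2, 512, 4242}, {1, 2, 512, 4242, 32250}]
PROC_LISTINGS = [
    ["1", "2", "512", "cpuinfo", "meminfo", "self", "net"],
    ["1", "2", "512", "cpuinfo", "meminfo", "self", "net"],
    ["1", "2", "512", "32250", "cpuinfo", "meminfo", "self", "net"],
]
_PS_BASE = ("  PID TTY          TIME CMD\n    1 ?  00:00:03 init\n"
            "    2 ?  00:00:00 kthreadd\n  512 ?  00:00:01 sshd\n")
PS_OUTPUTS = [_PS_BASE, _PS_BASE, _PS_BASE + "32250 ?  00:00:00 cron\n"]
BOUND_PORTS = [
    {("tcp", 22), ("tcp", 43546), ("tcp", 31337)},
    {("tcp", 22), ("tcp", 31337)},
    {("tcp", 22), ("tcp", 31337), ("tcp", 51200)},
]
_NS_HEAD = ("Active Internet connections (servers and established)\n"
            "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
            "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN\n")
NETSTAT_OUTPUTS = [_NS_HEAD, _NS_HEAD,
                   _NS_HEAD + "tcp        0      0 10.0.0.5:51200          10.0.0.9:443            ESTABLISHED\n"]

def analyze():
    """Naive (first snapshot only) versus re-sampled verdicts."""
    pid_results = [hidden_pids(p, l, s) for p, l, s in zip(PROBED_PIDS, PROC_LISTINGS, PS_OUTPUTS)]
    port_results = [hidden_ports(b, n) for b, n in zip(BOUND_PORTS, NETSTAT_OUTPUTS)]
    return {
        "naive_pids": pid_results[0],
        "persistent_pids": persistently_hidden(pid_results),
        "naive_ports": port_results[0],
        "persistent_ports": persistently_hidden(port_results),
    }

if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {sorted(value)}")
```

The first-snapshot verdict flags PID 32242 and port 43546 alongside the genuinely hidden items; the re-sampled verdict keeps only what stays hidden across every run. On a real host the same comparison can be repeated by hand a few seconds apart with `ls /proc`, `ps -e` and `netstat -an`; note that 43546 lies inside Linux's default ephemeral port range (32768 to 60999), exactly the kind of port a short-lived outbound connection would occupy and then release between two reads.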
