** Alert 1334437715.21196: mail - ossec,rootcheck, 2012 Apr 14 22:08:35 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '35436'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437717.21442: mail - ossec,rootcheck, 2012 Apr 14 22:08:37 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '36508'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437719.21688: mail - ossec,rootcheck, 2012 Apr 14 22:08:39 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '39060'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437721.21934: mail - ossec,rootcheck, 2012 Apr 14 22:08:41 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '39561'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437723.22180: mail - ossec,rootcheck, 2012 Apr 14 22:08:43 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '47095'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437725.22426: mail - ossec,rootcheck, 2012 Apr 14 22:08:45 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '47844'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437727.22672: mail - ossec,rootcheck, 2012 Apr 14 22:08:47 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '49738'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437729.22918: mail - ossec,rootcheck, 2012 Apr 14 22:08:49 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '51944'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

I received 8 alerts from OSSEC claiming there is a kernel-level rootkit or trojaned version of netstat. I have checked the machine and there are no suspicious connections now. I ran rkhunter but nothing unexpected showed up in the results.
My /etc/passwd & /etc/group are the same. I have never seen alerts like this before; I can't imagine anything getting installed without me knowing, and only I have access. It sounds strange, but I set up MySQL replication to another server yesterday and was wondering if maybe that might have been the cause of the problem, as I received these hours after I set up MySQL replication. I have read others suggest checking the md5 sum of netstat but am not quite sure how to act on the findings. I have different results for /bin/netstat on 4 different machines; if, like others are suggesting, a machine that has identical software version/update history should have a matching md5 sum, am I misunderstanding something here? Regards
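A first triage step for alerts of this shape, as an added example that is not part of the original post or of OSSEC itself: rootcheck's hidden-port test first tries to bind() each port and then looks for the port in netstat output, so a short-lived client socket that closes between those two steps produces exactly this alert. The script below parses the alert text, checks whether the reported ports fall in the kernel's ephemeral (client-side) range, and reproduces the bind probe so the port can be re-checked by hand. The sample alert text and the fallback port range are constructed assumptions.

```python
import errno
import re
import socket
# Constructed sample, in the format of the alerts quoted in the post above.
SAMPLE_ALERTS = """\
** Alert 1334437715.21196: mail - ossec,rootcheck, 2012 Apr 14 22:08:35 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '35436'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
** Alert 1334437717.21442: mail - ossec,rootcheck, 2012 Apr 14 22:08:37 localhost->rootcheck Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).' Port '36508'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
"""

HIDDEN_PORT_RE = re.compile(r"Port '(\d+)'\((tcp|udp)\) hidden")

def hidden_ports(alert_text):
    """Return [(port, proto), ...] for every rootcheck hidden-port alert in the text."""
    return [(int(p), proto) for p, proto in HIDDEN_PORT_RE.findall(alert_text)]

def ephemeral_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Kernel's local (client-side) port range; the fallback is an assumed common Linux default."""
    try:
        with open(path) as f:
            lo, hi = f.read().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return 32768, 60999

def triage(ports, rng):
    """Ports inside the ephemeral range are usually transient client sockets; the rest deserve a closer look."""
    lo, hi = rng
    inside = [p for p, _ in ports if lo <= p <= hi]
    outside = [p for p, _ in ports if not lo <= p <= hi]
    return {"ephemeral": inside, "non_ephemeral": outside}

def port_in_use(port, proto="tcp"):
    """Same kind of probe rootcheck uses: bind() the port and treat EADDRINUSE as 'held by someone'."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # EACCES on a privileged port etc. is not evidence of anything
    return False

def probe_self_test():
    """A listening socket we hold open ourselves must be reported as in use."""
    with socket.socket() as held:
        held.bind(("127.0.0.1", 0))
        held.listen(1)
        return port_in_use(held.getsockname()[1])
```

Run `triage(hidden_ports(open("alerts.log").read()), ephemeral_range())` on the real alert file; a port that is still reported in use by `port_in_use()` but absent from a fresh `netstat -tanp` is the case that warrants a closer look at the netstat binary and the kernel.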
