It could definitely be a false positive, especially if the mysql
replication thing is creating short lived connections.

Checking the md5 of netstat is definitely something you should do. If
you're using Linux you may have to turn off prelinking for it to work
properly though.

On Sun, Apr 15, 2012 at 7:15 AM, culley <[email protected]> wrote:
> ** Alert 1334437715.21196: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:35 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '35436'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437717.21442: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:37 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '36508'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437719.21688: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:39 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '39060'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437721.21934: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:41 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '39561'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437723.22180: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:43 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '47095'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437725.22426: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:45 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '47844'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437727.22672: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:47 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '49738'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437729.22918: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:49 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '51944'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> I received 8 alerts from OSSEC claiming there is a Kernel-level
> rootkit or trojaned version of netstat.
>
> I have checked the machine and there are no suspicious connections now.
> I ran rkhunter but nothing unexpected showed up in the results.
>
> My /etc/passwd & /etc/group are the same
>
> I have never seen alerts like this before, I can't imagine anything
> getting installed without me knowing. And I only have access.
>
> It sounds strange, but I set up MySQL replication to another server
> yesterday and was wondering if maybe that might have been the cause of
> the problem, as I received these hours after I set up MySQL replication.
>
> I have read others suggest checking the md5 sum of netstat but am not
> quite sure what to make of the findings.
>
> I have different results for /bin/netstat on 4 different machines. If,
> as others are suggesting, machines that have identical software
> version/update history should have matching md5 sums, then am I
> misunderstanding something here?
>
> Regards
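Worked example, added here and not taken from OSSEC's rootcheck source or from anyone in this thread: a small re-implementation of the idea behind the hidden-port test, plus a scripted host that reproduces the false positive the reply describes. It assumes (not stated in the thread) that rootcheck tries to bind() every TCP port and, when bind() fails, looks for that port in netstat output, reporting the port as hidden when netstat does not show it; the `netstat -ant` sample and the kernel/netstat snapshots are constructed, and `confirm_hidden` is an added re-check, not something rootcheck does.

```python
"""Added example (not OSSEC's code): the logic behind rootcheck's
"hidden port" test and why a short-lived connection can trip it.

Assumed, not taken from the thread: rootcheck bind()s each TCP port and,
when bind() fails, checks whether netstat lists that port; an in-use port
netstat does not show is reported as hidden. The netstat sample and the
scripted host views below are constructed."""
import errno
import re
import socket
import time
from typing import Callable, Iterable, List, Set

# Constructed `netstat -ant` output: 35436 is an outbound replication
# connection, 51944 one that has already closed (TIME_WAIT).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:35436          10.0.0.9:3306           ESTABLISHED
tcp        0      0 10.0.0.5:51944          10.0.0.9:3306           TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
"""

# Local Address column is "a.b.c.d:port" or ":::port"; only the port matters here.
LOCAL_PORT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s")


def local_tcp_ports(netstat_output: str) -> Set[int]:
    """Every local TCP port netstat reports, in any state."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        m = LOCAL_PORT_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def probe_port(port: int) -> bool:
    """Kernel view: True when bind() fails with EADDRINUSE. No SO_REUSEADDR,
    so a port held by an outbound connection or a TIME_WAIT socket counts as
    in use too, which is why ephemeral ports like 35436 get probed at all."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise  # e.g. EACCES on a privileged port when not running as root
    finally:
        s.close()


def hidden_ports(ports: Iterable[int], probe: Callable[[int], bool],
                 list_ports: Callable[[], Set[int]]) -> Set[int]:
    """One pass in the order the check runs: bind() first, netstat after.
    A connection that closes in between looks hidden."""
    return {p for p in ports if probe(p) and p not in list_ports()}


def confirm_hidden(port: int, probe: Callable[[int], bool],
                   list_ports: Callable[[], Set[int]],
                   reprobes: int = 2, delay: float = 0.0) -> bool:
    """Added re-check before alerting: a transient connection is gone on the
    next bind(), a slow netstat shows the port on the next listing. Only a
    port that stays in use and stays unlisted is still reported."""
    for _ in range(reprobes):
        time.sleep(delay)
        if not probe(port):
            return False
        if port in list_ports():
            return False
    return True


class ScriptedHost:
    """Stand-in for a live box: each probe or listing pops the next scripted
    view and the last view repeats, so the race is reproduced deterministically."""
    def __init__(self, kernel_views: List[Set[int]], netstat_views: List[Set[int]]):
        self.kernel, self.netstat = list(kernel_views), list(netstat_views)

    def probe(self, port: int) -> bool:
        view = self.kernel.pop(0) if len(self.kernel) > 1 else self.kernel[0]
        return port in view

    def list_ports(self) -> Set[int]:
        return self.netstat.pop(0) if len(self.netstat) > 1 else self.netstat[0]


def classify(port: int, host: ScriptedHost) -> str:
    """'clean', 'transient' (flagged once, not confirmed) or 'hidden'."""
    if port not in hidden_ports([port], host.probe, host.list_ports):
        return "clean"
    return "hidden" if confirm_hidden(port, host.probe, host.list_ports) else "transient"


if __name__ == "__main__":
    # 39060 closes between bind() and netstat: flagged once, dropped on re-check.
    print(classify(39060, ScriptedHost([{39060}, set()], [set()])))
    # Kept busy by the kernel but never shown by netstat: genuinely hidden.
    print(classify(4444, ScriptedHost([{4444}], [set()])))
    print(classify(3306, ScriptedHost([{3306}], [{22, 3306}])))
```

On a real host the same pass is `hidden_ports(range(1, 65536), probe_port, lambda: local_tcp_ports(<output of netstat -ant>))`, run as root so low ports can be bound. The point of `ScriptedHost` is the first case: a replication client's ephemeral port that is busy at bind() time and gone by the time netstat prints is indistinguishable, in a single pass, from a port a rootkit is filtering out of netstat; only re-probing separates the two.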
