Due to recent security concerns on our WAN I have installed and started utilizing a variety of NIDS software. One of these packages is OSSEC; I have it running in an 'agent' configuration on a few of our SRSS servers until such a point that I have the rulesets set up well and I am able to add agents to all of our SRSS servers.
There is one security alert in particular that is giving me the chills... Several of our SRSS servers are complaining about a possible rootkit and/or trojaned version of 'netstat' because of a hidden port in the lower 40,000s. For example, on one of our servers the port that is hidden is 40,322, and on another one I'm getting the same message about 40,150. Personally, I am starting to think that these servers have been compromised. With the other issues that we've had in the past couple of weeks, it's definitely not an outlandish assumption. However, I figured that I would ask here first.

The only thing that is different between our SRSS servers and other machines that I have the agent on (which are not giving this alert) is the SunRay server packages and related configuration itself. Is there any part of the SunRay services that would be utilizing these ports and/or 'hiding' them?

For a little more added information, here is how OSSEC is determining that these ports are hidden:

The way we detect hidden ports is the following:
1- Try to bind to every port in the system (tcp and udp).
2- If bind fails (port is being used), we run netstat to see if it is showing in there.
3- If it is not showing on netstat, we attempt to bind the port again.
4- If we are able to bind again, we try netstat the last time.
5- If netstat does not show the port, we consider it hidden.

So, false positives can happen if you have a very busy system, opening and closing ports very fast (or using some form of system virtualization).

TIA for help in tracking this down.

--
Damon Getsman -=-=-=- ITRx http://www.itrx-nd.com/
Programmer/IT Customer Relations/Sys Admin -=-=-=-

_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
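The five-step heuristic quoted in the post, re-implemented here as an added Python example so the false-positive mechanism can be seen in code. This is not OSSEC's own source: it assumes `netstat -an` is on PATH when the default visibility source is used (the Linux and Solaris address layouts in the constructed sample are the two the parser understands), it reads step 4 as "if the second bind still fails, look at netstat once more" and treats a port that has become bindable on the retry as a transient, not a hidden port, and the `self_check` scenario holds a loopback port in-process and injects a fake netstat view so the whole thing runs offline.

```python
"""Hidden-port check in the style of the OSSEC steps quoted in the post.

Added example, not OSSEC's code.  A port is reported hidden when bind() is
refused twice but a netstat listing never shows it; a port that is bindable on
the retry is treated as a transient (the busy-system false-positive case).
"""
import re
import socket
import subprocess
from typing import Callable, Iterable, Set

LOOPBACK = "127.0.0.1"

# Local-address column of a netstat line: "0.0.0.0:22" / "::1:631" (Linux) or
# "*.22" / "192.168.1.5.22" (Solaris, where the port is dot-separated).
_LOCAL_ADDR = re.compile(r"^(?:\*|[\d.]+|[0-9a-fA-F:]+)[.:](\d{1,5})$")

# Constructed `netstat -an` excerpt mixing Linux and Solaris layouts (not real output).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.40322              *.*                0      0 128000      0 LISTEN
"""


def parse_netstat_ports(text: str) -> Set[int]:
    """Return every local port netstat lists, in any protocol section.

    Deliberately permissive: a port shown under either TCP or UDP counts as
    visible, which errs toward fewer hidden-port alerts.
    """
    ports: Set[int] = set()
    for line in text.splitlines():
        # Local address is field 1 on Solaris and field 4 on Linux, so take
        # the first field that looks like addr:port or addr.port.
        for field in line.split():
            match = _LOCAL_ADDR.match(field)
            if match:
                ports.add(int(match.group(1)))
                break
    return ports


def netstat_ports(proto: int) -> Set[int]:
    """Default visibility source: parse the live `netstat -an` output."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=False)
    return parse_netstat_ports(out.stdout)


def _bind_fails(proto: int, port: int, addr: str) -> bool:
    """True when bind() is refused because the port is in use (steps 1 and 3).

    No SO_REUSEADDR: the bind must fail if anything holds the port.  EACCES on
    ports below 1024 is re-raised rather than counted as 'in use'; OSSEC runs
    as root, and an unprivileged scan of that range would misreport every port.
    """
    probe = socket.socket(socket.AF_INET, proto)
    try:
        probe.bind((addr, port))
        return False
    except PermissionError:
        raise
    except OSError:
        return True
    finally:
        probe.close()


def find_hidden_ports(ports: Iterable[int], proto: int = socket.SOCK_STREAM,
                      visible: Callable[[int], Set[int]] = netstat_ports,
                      addr: str = "0.0.0.0") -> Set[int]:
    """Apply the five steps to `ports`; return those judged hidden."""
    hidden: Set[int] = set()
    for port in ports:
        if not _bind_fails(proto, port, addr):   # 1: bind succeeded, port is free
            continue
        if port in visible(proto):                # 2: netstat shows it, fine
            continue
        if not _bind_fails(proto, port, addr):   # 3/4: bindable now, transient
            continue
        if port in visible(proto):                # 4: netstat one last time
            continue
        hidden.add(port)                          # 5: in use but never listed
    return hidden


def self_check() -> dict:
    """Constructed scenario: hold a loopback TCP port in-process, then run the
    detector against a fake netstat that omits it, one that shows it, and
    again after the port is released."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((LOOPBACK, 0))
    holder.listen(1)
    port = holder.getsockname()[1]
    omitted = find_hidden_ports([port], visible=lambda _p: set(), addr=LOOPBACK)
    shown = find_hidden_ports([port], visible=lambda _p: {port}, addr=LOOPBACK)
    holder.close()
    released = find_hidden_ports([port], visible=lambda _p: set(), addr=LOOPBACK)
    return {"flagged_when_omitted": omitted == {port},
            "flagged_when_shown": bool(shown),
            "flagged_after_release": bool(released)}


if __name__ == "__main__":
    print(self_check())
    # Live scan of the range the post's alerts fall in (needs netstat on PATH;
    # run as root so ports below 1024 do not raise PermissionError):
    # print(find_hidden_ports(range(40000, 41000)))
```

Running `find_hidden_ports` over a range on a live host repeats the netstat call for every in-use port, exactly as the quoted steps do, so a process that binds and releases ports between the two bind attempts is the one case the retry cannot distinguish from a legitimately busy port.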
