Hi Peter, this typically means that Ossec has been able to connect to a port that 'netstat' does not show as open. Some posters in the past have noted that certain applications may open+close ports quickly enough that they are open when ossec connects, but closed when it does its netstat run.
Which tools you use to troubleshoot this depends on what platform you are running; I guess this is probably Unix? You'll want to check open ports with a known uncompromised tool, a binary from a CD or a download, to see if they list things differently from the copy of netstat that is on the system. Also try suggestions from previous posters' threads; here is a search of the mailing list archives: http://marc.info/?l=ossec-list&w=2&r=1&s=port+hidden&q=b

Rick

> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Peter M. Abraham
> Sent: Monday, August 27, 2007 9:47 AM
> To: ossec-list
> Subject: [ossec-list] ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?
> Importance: Low
>
> Greetings:
>
> I ran ossec-rootcheck manually on a server, and it found the following:
>
> [FAILED]: Port '32836'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
>
> [FAILED]: Port '32887'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
>
> [FAILED]: Port '32888'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
>
> [FAILED]: Port '32889'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
>
> [FAILED]: Port '33430'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
>
> How can I verify if this is a false positive or not?
>
> Thank you.
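The comparison Rick describes (a TCP port that accepts a connection but is absent from the netstat listing) can be repeated a few times in a row to separate a persistently hidden port from one that is only open for a moment. The script below is an added example written for this thread, not OSSEC's own rootcheck code; it reads the kernel's /proc/net/tcp table directly instead of running netstat, and the sample table, the probe function and the `recheck_hidden_port` helper are all constructed here.

```python
import socket
import sys
import time

# Constructed sample of /proc/net/tcp: port 22 (0x0016) and port 32836 (0x8044) are in
# LISTEN state (st == 0A). Real systems have many more columns and rows.
SAMPLE_PROC_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 0100007F:8044 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1
   2: 0100007F:8045 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1
"""


def listening_ports_from_proc_tcp(text):
    """Return the set of local TCP ports in LISTEN state (st == 0A) from /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == "0A":                        # 0A is TCP_LISTEN in the kernel's table
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def port_accepts_connection(port, host="127.0.0.1", timeout=0.5):
    """Probe the port the way the reply describes: try a TCP connect to it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def recheck_hidden_port(port, read_proc, probe, rounds=5, delay=0.2):
    """Repeat the open-vs-listed comparison; classify how consistently the port is hidden."""
    hidden_rounds = 0
    for _ in range(rounds):
        is_open = probe(port)
        is_listed = port in listening_ports_from_proc_tcp(read_proc())
        if is_open and not is_listed:
            hidden_rounds += 1
        time.sleep(delay)
    if hidden_rounds == rounds:
        return "persistently hidden"      # worth checking with a trusted binary, as advised
    if hidden_rounds == 0:
        return "not hidden"               # listed whenever open, or never open at all
    return "transient"                    # open only sometimes: the short-lived-port case


if __name__ == "__main__":
    read_live = lambda: open("/proc/net/tcp").read()   # assumes a Linux host
    for arg in sys.argv[1:]:
        print(arg, recheck_hidden_port(int(arg), read_live, port_accepts_connection))
```

Run it with the flagged port numbers as arguments on the affected host; a "transient" result matches the short-lived-port explanation from the thread, while "persistently hidden" is the case that calls for the trusted-binary comparison.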
