In my previous life, we had several busy servers and they would
often alert like this because of temporary port usage. I believed
the alert was because OSSEC tried to bind to a port, could not, then
ran netstat and did not see the port in use. So I scripted up a
little perl script to try to bind to the ports reported by OSSEC.
My theory was: if I could bind to them, then nothing trojaned was
listening on them, and netstat would not show them as used since
the connection that used them was ephemeral. I'm afraid I don't
have the perl script handy anymore -- but it was not too hard to
cook up.
I guess the question is, does OSSEC report that the same ports are
"hidden" over time or are they different ports? If the same ports,
and netstat is not showing them as in use, and you can't bind to
them because something is bound to them, that seems bad. If the
"hidden" ports change over time, it seems more likely to me that the
server is busy and OSSEC can't bind to the port but when it comes
back to see if netstat shows it in use, it's free again.
Just another couple of cents worth....
-David
Jeff Schroeder wrote:
> On Aug 27, 11:11 am, "Peter M. Abraham" <[EMAIL PROTECTED]>
> wrote:
>> Greetings:
>>
>> I replaced the netstat on the server (actually updated net-tools which
>> was outdated),
>>
>> rpm -V net-tools-1.60-37.EL4.9
>>
>> Provides no output for which I understand means the package verified
>> ok.
>
> You realize that even though the netstat package is ok, that your c
> library, or worse, your kernel could have been patched with a
> rootkitted version, right? If the box has been compromised with an
> advanced rootkit, it might also patch the rpm command. Your best bet
> would be to bring the system down, boot it up with a live cd, and
> check the md5sums of said binaries. Perhaps running something like
> chkrootkit or rkhunter also.
>
> Just a few thoughts that might or might not help.
>
-- 
_______________________________________________
GPG (http://www.gnupg.org/) key available from:
http://www.kayakero.net/per/david/
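The bind-probe David describes above, written out as an added example (not David's lost perl script, and not OSSEC's own code). It does what his theory calls for: try to bind each port OSSEC flagged as "hidden", treat a successful bind as "nothing is listening there", and re-probe over time so that a port that is busy on every sample (the case he calls bad) is separated from one that was only briefly held by an ephemeral connection. The function and parameter names are my own; `hold_port` is a small fixture that opens a real listener so the probe can be exercised locally.

```python
import errno
import socket
import time


def probe_port(port, proto="tcp", addr="0.0.0.0"):
    """Try to bind a port the way OSSEC's rootcheck does.

    Returns "free" if the bind succeeds (no listener on that port),
    "in_use" if the kernel reports EADDRINUSE (something is bound), or
    "no_permission" if EACCES is returned, which happens for ports
    below 1024 when not running as root. SO_REUSEADDR is deliberately
    not set: with it, a bind could succeed on a port that only has
    TIME_WAIT entries, which is exactly the case netstat would not
    show as listening and which should count as "free" here anyway,
    but it can also mask a real listener that set the option itself.
    """
    sock_type = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, sock_type)
    try:
        s.bind((addr, port))
        return "free"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        if e.errno == errno.EACCES:
            return "no_permission"
        raise
    finally:
        s.close()


def persistent_in_use(ports, proto="tcp", samples=3, interval=1.0):
    """Re-probe the reported ports several times, a pause apart.

    Returns, sorted, the ports that were in use on every sample. A port
    that was only transiently held (the busy-server false positive) drops
    out after its connection ends; a port that stays bound while netstat
    never shows it is the case worth investigating from a live CD.
    """
    still_busy = set(ports)
    for i in range(samples):
        still_busy = {p for p in still_busy if probe_port(p, proto) == "in_use"}
        if not still_busy or i == samples - 1:
            break
        time.sleep(interval)
    return sorted(still_busy)


def hold_port(proto="tcp"):
    """Test fixture: open a listener on a kernel-chosen port.

    Returns (socket, port). Closing the socket releases the port.
    """
    sock_type = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, sock_type)
    s.bind(("127.0.0.1", 0))
    if proto == "tcp":
        s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample: the port list would normally come from the
    # OSSEC "hidden port" alerts; here one port is really held and one
    # is almost certainly free.
    held, held_port = hold_port()
    reported = [held_port, 65000]
    for p in reported:
        print(p, probe_port(p))
    print("persistently in use:", persistent_in_use(reported, samples=2, interval=0.2))
    held.close()
```

Run it as root (or with CAP_NET_BIND_SERVICE) when the reported ports are below 1024, otherwise the probe returns "no_permission" and says nothing about whether a listener exists. Like netstat, this probe runs on the possibly-compromised kernel, so it only sorts alerts into "transient" and "persistent"; Jeff's point about checking from a live CD still applies to the persistent ones.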