Hi David,

In addition to what you mentioned, if you are using Linux, it can also be caused by a bug in an application that is binding to a TCP port, but not listening on it. For some weird reason, Linux does not report these ports on netstat...

More info here: http://www.ossec.net/dcid/?p=87

*Linux is the only OS that reports this incorrectly (even Windows does this right :/)...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/27/07, David Williams <[EMAIL PROTECTED]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In my previous life, we had several busy servers and they would
> often alert like this because of temporary port usage. I believed
> the alert was because OSSEC tried to bind to a port, could not, then
> ran netstat and did not see the port in use. So I scripted up a
> little Perl script to try to bind to the ports reported by OSSEC.
> My theory was: if I could bind to them then nothing trojaned was
> listening on them. And netstat would not show them as used since
> the connection that used them was ephemeral. I'm afraid I don't
> have the Perl script handy anymore -- but it was not too hard to
> cook up.
>
> I guess the question is, does OSSEC report that the same ports are
> "hidden" over time or are they different ports? If the same ports,
> and netstat is not showing them as in use, and you can't bind to
> them because something is bound to them, that seems bad. If the
> "hidden" ports change over time, it seems more likely to me that the
> server is busy and OSSEC can't bind to the port but when it comes
> back to see if netstat shows it in use, it's free again.
>
> Just another couple of cents worth....
>
> -David
>
> Jeff Schroeder wrote:
> > On Aug 27, 11:11 am, "Peter M. Abraham" <[EMAIL PROTECTED]> wrote:
> >> Greetings:
> >>
> >> I replaced the netstat on the server (actually updated net-tools which
> >> was out dated),
> >>
> >> rpm -V net-tools-1.60-37.EL4.9
> >>
> >> Provides no output, which I understand means the package verified
> >> ok.
> >
> > You realize that even though the netstat package is ok, that your C
> > library, or worse, your kernel could have been patched with a
> > rootkitted version, right? If the box has been compromised with an
> > advanced rootkit, it might also patch the rpm command. Your best bet
> > would be to bring the system down, boot it up with a live CD, and
> > check the md5sums of said binaries. Perhaps running something like
> > chkrootkit or rkhunter also.
> >
> > Just a few thoughts that might or might not help.
>
> --
> _______________________________________________
> GPG (http://www.gnupg.org/) key available from:
> http://www.kayakero.net/per/david/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iD8DBQFG02wICzuSgviBh00RApl6AKCoHcuqOzKiz4hiV6wbRCDpabxkSQCePFfR
> +eZB4K095rUHcapQyPWHxfo=
> =5VWM
> -----END PGP SIGNATURE-----
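The check the thread is debating, written out as an added example (this is not OSSEC's rootcheck code and not David's Perl script). It reproduces the decision in Python: try to bind each reported port, then cross-check against the kernel socket table that netstat reads (`/proc/net/tcp` on Linux, whose column layout is assumed here), and call a port "hidden" only when the bind fails and the table does not list it. `hold_port()` creates exactly the bound-but-not-listening socket Daniel describes, so you can watch the discrepancy on a Linux box; the `SAMPLE_PROC_NET_TCP` table is constructed for offline use.

```python
"""Bind-and-cross-check port probe, modelled on the thread's description
of OSSEC's hidden-port alert. Added example; assumes Linux /proc/net/tcp
layout ("sl local_address rem_address st ..." with HEXIP:HEXPORT)."""
import errno
import os
import socket

# Linux TCP state codes as printed in the 'st' column of /proc/net/tcp
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
    0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
    0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
    0x0A: "LISTEN", 0x0B: "CLOSING",
}

# Constructed sample socket table: cupsd on 631, sshd on 22, one TIME_WAIT
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8D2C 0100007F:0016 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""


def port_bindable(port, host="127.0.0.1"):
    """True if a fresh TCP socket can bind to (host, port).

    EADDRINUSE means something holds it: a listener, a socket that is bound
    but never called listen(), or (no SO_REUSEADDR here, on purpose) a
    connection still in TIME_WAIT, which is the busy-server false positive
    David describes. Any other error is unexpected and is re-raised.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise
    finally:
        s.close()


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into [(local_port, state_name), ...]."""
    entries = []
    for line in text.splitlines()[1:]:          # first row is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)   # "0100007F:0277" -> 631
        state = TCP_STATES.get(int(fields[3], 16), "UNKNOWN")
        entries.append((port, state))
    return entries


def classify_ports(ports, proc_tcp_text):
    """Rootcheck-style verdict per port: bindable -> "free"; not bindable and
    present in the socket table -> "in_use"; not bindable and absent from the
    table -> "hidden" (the case that raises the alert)."""
    visible = {p for p, _ in parse_proc_net_tcp(proc_tcp_text)}
    verdict = {}
    for port in ports:
        if port_bindable(port):
            verdict[port] = "free"
        elif port in visible:
            verdict[port] = "in_use"
        else:
            verdict[port] = "hidden"
    return verdict


def hold_port(host="127.0.0.1", listen=False):
    """Bind an ephemeral port and return (socket, port). With listen=False
    this is the bound-but-not-listening socket that Linux netstat omits."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    if listen:
        s.listen(1)
    return s, s.getsockname()[1]


def read_socket_table(path="/proc/net/tcp"):
    """Real kernel table on Linux, the constructed sample elsewhere."""
    if os.path.exists(path):
        with open(path) as fh:
            return fh.read()
    return SAMPLE_PROC_NET_TCP


if __name__ == "__main__":
    held, port = hold_port()            # bound, never listened on
    print(classify_ports([port], read_socket_table()))   # "hidden" on Linux
    held.close()
```

On Linux the `__main__` block prints `hidden` for the held port even though the process holding it is benign, which is the bug Daniel points at; a `TIME_WAIT` entry in the table instead yields `in_use`, which is David's busy-server case. Repeating the run and comparing port numbers over time is the test David suggests for separating the two.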
