Hi Peter, If you are running Linux, it can very well be a false positive caused by a weird behavior of the Linux kernel (and a broken application binding but not listening to the socket). Take a look at the following blog entry:
http://www.ossec.net/dcid/?p=87 http://www.ossec.net/ossec-list/2007-August/msg00154.html Is anyone interested in adding this information to the wiki faq? More and more people are having similar issues lately... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 9/6/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote: > > Greetings Steve: > > I finally got around to installing the latest nmap and checking nmap. > > PORT STATE SERVICE VERSION > 21/tcp open ftp ProFTPD 1.3.0a > 22/tcp open ssh OpenSSH 3.6.1p2 (protocol 2.0) > 25/tcp open smtp qmail smtpd > 53/tcp open domain > 80/tcp open http Apache httpd > 110/tcp open pop3 qmail pop3d > 143/tcp open imap Courier Imapd (released 2005) > 443/tcp open http Apache httpd > 587/tcp open smtp qmail smtpd > 953/tcp open rndc? > 3306/tcp open mysql MySQL 5.0.45-community-log > 5001/tcp open apc-agent APC PowerChute agent > 5432/tcp open postgresql PostgreSQL DB > 8009/tcp open ajp13? > 8080/tcp open http Apache httpd > 8443/tcp open http Apache httpd > > Yet, ossec-rootcheck shows > > [FAILED]: Port '40773'(tcp) hidden. Kernel-level rootkit or trojaned > version of netstat. > > Thank you. > >
