I had this same thing happen when one of my JBoss servers went a little crazy and started opening all sorts of ports to my Oracle server. Try a netstat -napt to see what's listening on the various ports on the server and what connections are established to the server.

Jason Little
Network Administrator
Mint Inc

-----Original Message-----
From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Cid
Sent: Sunday, September 09, 2007 8:54 PM
To: [email protected]
Subject: [ossec-list] Re: ossec-rootcheck found hidden ports -- how can I verify if this is a false positive or not?

Hi Peter,

If you are running Linux, it can very well be a false positive caused by a weird behavior of the Linux kernel (and a broken application binding but not listening to the socket). Take a look at the following blog entry:

http://www.ossec.net/dcid/?p=87
http://www.ossec.net/ossec-list/2007-August/msg00154.html

Is anyone interested in adding this information to the wiki faq? More and more people are having similar issues lately...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/6/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote:
>
> Greetings Steve:
>
> I finally got around to installing the latest nmap and checking nmap.
>
> PORT     STATE SERVICE    VERSION
> 21/tcp   open  ftp        ProFTPD 1.3.0a
> 22/tcp   open  ssh        OpenSSH 3.6.1p2 (protocol 2.0)
> 25/tcp   open  smtp       qmail smtpd
> 53/tcp   open  domain
> 80/tcp   open  http       Apache httpd
> 110/tcp  open  pop3       qmail pop3d
> 143/tcp  open  imap       Courier Imapd (released 2005)
> 443/tcp  open  http       Apache httpd
> 587/tcp  open  smtp       qmail smtpd
> 953/tcp  open  rndc?
> 3306/tcp open  mysql      MySQL 5.0.45-community-log
> 5001/tcp open  apc-agent  APC PowerChute agent
> 5432/tcp open  postgresql PostgreSQL DB
> 8009/tcp open  ajp13?
> 8080/tcp open  http       Apache httpd
> 8443/tcp open  http       Apache httpd
>
> Yet, ossec-rootcheck shows
>
> [FAILED]: Port '40773'(tcp) hidden. Kernel-level rootkit or trojaned
> version of netstat.
>
> Thank you.
>
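
The false positive described in the thread above (an application that binds a port but never listens on it), reproduced as an added example that is not part of the original messages and is not OSSEC code. It assumes Linux with /proc/net/tcp (the table netstat reads); the function names are hypothetical and the bind() probe stands in for a hidden-port check.

```python
"""Added illustration: a bound-but-not-listening TCP socket on Linux."""
import errno
import socket

PROC_TCP = "/proc/net/tcp"  # assumption: Linux; IPv4 TCP table read by netstat


def ports_in_proc_tcp(path=PROC_TCP):
    """Return the set of local TCP ports listed in /proc/net/tcp."""
    ports = set()
    with open(path) as fh:
        next(fh)  # skip the header row
        for line in fh:
            fields = line.split()
            # fields[1] is local_address, formatted HEXIP:HEXPORT
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def bind_refused(port):
    """Try to bind the port ourselves; True means something already holds it."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(("127.0.0.1", port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        probe.close()


def reproduce():
    """Hold a port with bind() only, then compare the probe with the table."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        holder.bind(("127.0.0.1", 0))  # kernel picks a free port; no listen()
        port = holder.getsockname()[1]
        result = {
            "port": port,
            "bind_refused": bind_refused(port),                 # port is taken
            "visible_bound_only": port in ports_in_proc_tcp(),  # yet not listed
        }
        holder.listen(1)  # once listening, the socket shows up in the table
        result["visible_listening"] = port in ports_in_proc_tcp()
        return result
    finally:
        holder.close()


if __name__ == "__main__":
    print(reproduce())
```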
