Hi, 

that alert is related to a *kernel-level check* (anomaly detection checks, 
not *rootkit_files.txt* or *rootkit_trojans.txt*). You can see more details 
in the code: src/rootcheck/check_rc_pids.c. Line 256: "Check if the pid is 
a thread (not showing in /proc".

The code inspects all process IDs (PIDs) and uses the getsid, getpgid, and 
kill system calls to find all running processes. If the PID is being used, 
but the ps command cannot see it, a kernel-level rootkit or a Trojan 
version of ps might be running. It also compares the output of the getsid, 
getpgid, and kill system calls, looking for discrepancies.

So, your process 13380 is not in /proc. Try to find it using ps -e | grep 
892

Regards,
Jesus Linares.



On Thursday, March 24, 2016 at 2:15:00 PM UTC+1, Johnny InfoSec wrote:
>
> Greetings :-)
>
> Just got this alert, and was wondering if you could provide some specific 
> guidance on how to investigate (step 1, 2, etc.).
>
> New to OSSEC.
>
> OSSEC HIDS Notification.
>
> 2016 Mar 24 7:49:39
>
> Received From: log->rootcheck
>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event 
> (rootcheck)."
>
> Portion of the log(s):
>
> Process '13380' hidden from /proc. Possible kernel level rootkit.
>
> --END OF NOTIFICATION
>
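The check Jesus describes above (probe every PID with getsid, getpgid and kill, then compare with what procfs shows) can be reproduced as a small stand-alone script. The following is an added example, not OSSEC's own check_rc_pids.c: the PID range, the probe functions and the "syscall-discrepancy" label are my assumptions, and a real rootcheck run additionally compares against the output of ps, which this script omits.

```python
"""Hidden-PID probe in the spirit of OSSEC rootcheck (added example, not the
project's code). A PID that the kernel reports as in use but that readdir(/proc)
does not list is flagged; a thread ID resolves when /proc/<tid> is stat'ed
directly but is not listed, so it is classified separately and not alerted on."""
import os

# Assumption: fixed upper bound. On a real host read /proc/sys/kernel/pid_max.
PID_MAX = 32768


def syscall_view(pid):
    """Ask the kernel three different ways whether `pid` is in use."""
    def alive(call):
        try:
            call(pid)
            return True
        except ProcessLookupError:   # ESRCH: no such process
            return False
        except PermissionError:      # EPERM: exists, but owned by another user
            return True
    return {
        "getsid": alive(os.getsid),
        "getpgid": alive(os.getpgid),
        "kill": alive(lambda p: os.kill(p, 0)),   # signal 0 only checks existence
    }


def proc_view(pid, listing):
    """Two looks at procfs: is the PID listed by readdir(/proc), and does
    /proc/<pid> resolve when looked up directly (true for threads too)?"""
    return {"listed": pid in listing, "stat": os.path.isdir("/proc/%d" % pid)}


def classify(sys_view, proc_v):
    """Combine the kernel's answers with the procfs answers into one label."""
    alive = [name for name, ok in sys_view.items() if ok]
    if not alive:
        return "free"
    if len(alive) != len(sys_view):
        return "syscall-discrepancy"   # e.g. kill says yes but getsid says no
    if proc_v["listed"]:
        return "visible"
    if proc_v["stat"]:
        return "thread"                # /proc/<tid> exists but readdir hides it
    return "hidden"


def rootcheck_message(pid):
    """Text in the same shape as the alert quoted in this thread."""
    return "Process '%d' hidden from /proc. Possible kernel level rootkit." % pid


def scan(pids=None, sys_probe=syscall_view, proc_probe=None):
    """Return {pid: label} for every PID that deserves attention.
    `sys_probe` and `proc_probe` are injectable so the logic can be exercised
    with constructed data instead of the live kernel."""
    if pids is None:
        pids = range(1, PID_MAX + 1)
    if proc_probe is None:
        listing = {int(n) for n in os.listdir("/proc") if n.isdigit()}
        proc_probe = lambda p: proc_view(p, listing)
    findings = {}
    for pid in pids:
        label = classify(sys_probe(pid), proc_probe(pid))
        if label == "hidden":
            # A process that exits between the two probes looks hidden for an
            # instant; probe once more before raising anything.
            label = classify(sys_probe(pid), proc_probe(pid))
        if label in ("hidden", "syscall-discrepancy"):
            findings[pid] = label
    return findings


if __name__ == "__main__":
    for pid, label in sorted(scan().items()):
        print(rootcheck_message(pid) if label == "hidden"
              else "Process '%d': %s between getsid/getpgid/kill" % (pid, label))
```

Run it as root on the host that raised the alert; if the PID from the alert is still reported as hidden on a second pass, that is the point to pull memory and kernel module state rather than trust anything ps reports. A PID that shows up as "thread" is the benign case the source comment on line 256 refers to.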
