[ossec-list] 'Host-based anomaly detection event (rootcheck).'

2012-04-15 Thread culley
** Alert 1334437715.21196: mail  - ossec,rootcheck,
2012 Apr 14 22:08:35 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '35436'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

** Alert 1334437717.21442: mail  - ossec,rootcheck,
2012 Apr 14 22:08:37 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '36508'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

** Alert 1334437719.21688: mail  - ossec,rootcheck,
2012 Apr 14 22:08:39 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '39060'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

** Alert 1334437721.21934: mail  - ossec,rootcheck,
2012 Apr 14 22:08:41 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '39561'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

** Alert 1334437723.22180: mail  - ossec,rootcheck,
2012 Apr 14 22:08:43 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '47095'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

** Alert 1334437725.22426: mail  - ossec,rootcheck,
2012 Apr 14 22:08:45 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '47844'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

** Alert 1334437727.22672: mail  - ossec,rootcheck,
2012 Apr 14 22:08:47 localhost->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '49738'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

** Alert 1334437729.22918: mail  - ossec,rootcheck,
2012 Apr 14 22:08:49 localhost>rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event
(rootcheck).'
Port '51944'(tcp) hidden. Kernel-level rootkit or trojaned version of
netstat.

I received 8 alerts from OSSEC claiming there is a Kernel-level
rootkit or trojaned version of netstat.

I have checked the machine and there are no suspicious connections now.
I ran rkhunter but nothing unexpected showed up in the results.

My /etc/passwd & /etc/group are the same

I have never seen alerts like this before, I can't imagine anything
getting installed without me knowing. And I only have access.

It sounds strange but I set up MySQL replication to another server
yesterday and was wondering if maybe that might have been the cause of
the problem as I receive these hours after I set up MySQL replication.

I have read others suggest checking md5 sum of netstat but am not
quite sure how on findings.

I have different results for /bin/netstat on 4 different machines, if
like others are suggesting a machine that has identical software
version/update history the md5 sum should match, or am I misunderstanding
something here.

Regards


[ossec-list] Host-based anomaly detection event (rootcheck)

2009-06-03 Thread anna72

Hi, I have a new server with openSuse 11.1 preinstalled. After
installing ossec I received the two messages below. How can I verify if
those are "false positives" or not?

Received From: openSUSE-111-64-minimal->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/pidof' detected. Signature used: 'bash|
^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh' (Generic).

Received From: openSUSE-111-64-minimal->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
(rootcheck)."
Portion of the log(s):

File '/var/lib/smartmontools/smartd.SAMSUNG_HD753LJ-S13UJ9AS300024.ata.state' is owned by root and has written permissions to anyone.

For the first one, as suggested in other messages here, I executed
the:

strings /bin/pidof | grep -E 'bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh'

command and the result is:

/dev/fuse

Thanks!
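The check behind this alert, written out as an added example (not OSSEC's own code): rootcheck pulls printable strings out of the binary, much like strings(1), and matches each one against the signature quoted in the alert. Python's re module stands in for OSSEC's own regex engine here (an assumption; the syntax is equivalent for this particular signature), the two sample blobs are constructed, and the branch-reporting helper is my own addition so that a hit such as '/dev/fuse' can be traced to the '/dev/' alternative that fired.

```python
import re

# Signature quoted in the alert: the 'Generic' entry rootcheck applies to /bin/pidof.
PIDOF_SIGNATURE = r"bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [m.group().decode("ascii") for m in runs]

def signature_hits(data: bytes, signature: str = PIDOF_SIGNATURE) -> list:
    """Strings that match the signature. The regex is applied to each extracted
    string separately, so '^' anchors to the start of a string, not of the file."""
    pattern = re.compile(signature)
    return [s for s in extract_strings(data) if pattern.search(s)]

def matching_alternative(s: str, signature: str = PIDOF_SIGNATURE) -> str:
    """Which '|'-separated branch of the signature fired. The triage question is
    whether that branch is plausible in a legitimate build of the binary."""
    for alt in signature.split("|"):
        if re.search(alt, s):
            return alt
    return ""

# Constructed stand-in for a legitimate pidof: an ELF header fragment plus the
# kind of strings a build of pidof carries, including the FUSE device path
# anna72 found with strings | grep.
LEGIT_PIDOF = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
               + b"omit-pid\x00/lib64/ld-linux-x86-64.so.2\x00"
               + b"/dev/fuse\x00x\x00\x00libc.so.6\x00")

# Constructed stand-in for what the signature is designed to catch: a shell
# script sitting where the ELF binary should be.
SCRIPT_REPLACEMENT = b"#!/bin/bash\x00exec /usr/bin/pidof.real \"$@\"\x00"

if __name__ == "__main__":
    for name, blob in (("legit", LEGIT_PIDOF), ("script", SCRIPT_REPLACEMENT)):
        for hit in signature_hits(blob):
            print(f"{name}: {hit!r} matched branch {matching_alternative(hit)!r}")
```

A single '/dev/' hit in an ELF binary that also carries its normal loader and libc strings is the pattern of a false positive; a '^/bin/sh' or 'bash' hit at the very start of the file is the pattern the signature exists for.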


[ossec-list] Host-based anomaly detection event (rootcheck)

2020-03-16 Thread llehirgen
I use dokku on an Ubuntu 18.04 LTS machine.
I received the following alerts concerning files hidden in a long list of
directories:

Rule: 510 fired (level 7) -> "Host-based anomaly detection event 
(rootcheck)."
Portion of the log(s):

Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'. Link count does not match number of files (26,1).

Then again:
Files hidden inside directory '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'. Link count does not match number of files (2,1).

And so on for a list of 104 directories, like '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin' or '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin', etc.

How am I expected to interpret these alerts? What am I expected to do?




Re: [ossec-list] 'Host-based anomaly detection event (rootcheck).'

2012-04-18 Thread dan (ddp)
It could definitely be a false positive, especially if the mysql
replication thing is creating short lived connections.

Checking the md5 of netstat is definitely something you should do. If
you're using Linux you may have to turn off prelinking for it to work
properly though.

On Sun, Apr 15, 2012 at 7:15 AM, culley  wrote:
> ** Alert 1334437715.21196: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:35 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '35436'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437717.21442: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:37 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '36508'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437719.21688: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:39 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '39060'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437721.21934: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:41 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '39561'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437723.22180: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:43 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '47095'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437725.22426: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:45 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '47844'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437727.22672: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:47 localhost->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '49738'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> ** Alert 1334437729.22918: mail  - ossec,rootcheck,
> 2012 Apr 14 22:08:49 localhost>rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event
> (rootcheck).'
> Port '51944'(tcp) hidden. Kernel-level rootkit or trojaned version of
> netstat.
>
> I received 8 alerts from OSSEC claiming there is a Kernel-level
> rootkit or trojaned version of netstat.
>
> I have checked the machine and there are no suspicious connections now.
> I ran rkhunter but nothing unexpected showed up in the results.
>
> My /etc/passwd & /etc/group are the same
>
> I have never seen alerts like this before, I can't imagine anything
> getting installed without me knowing. And I only have access.
>
> It sounds strange but I set up MySQL replication to another server
> yesterday and was wondering if maybe that might have been the cause of
> the problem as I receive these hours after I set up MySQL replication.
>
> I have read others suggest checking md5 sum of netstat but am not
> quite sure how on findings.
>
> I have different results for /bin/netstat on 4 different machines, if
> like others are suggesting a machine that has identical software
> version/update history the md5 sum should match, or am I misunderstanding
> something here.
>
> Regards
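How rootcheck arrives at "Port ... hidden", and why short-lived connections such as replication traffic can trigger it, as an added example that is not OSSEC's code: rootcheck tries to bind() each port, and when the bind fails with EADDRINUSE it asks netstat -an whether the port is listed; a port that is busy at bind time but gone from the table by the time the listing is taken is reported as hidden. The example reads /proc/net/tcp directly instead of running netstat (an assumption: Linux only), the table excerpt is constructed, and demo() uses a real loopback listener to show both the live and the stale-listing outcome.

```python
import errno
import socket

PROC_NET_TCP = "/proc/net/tcp"   # the kernel table netstat -an reads on Linux

# Constructed /proc/net/tcp excerpt: a listener on :22 and an established :3306 socket.
SAMPLE_TABLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
   1: 0100007F:0CEA 0100007F:D431 01 00000000:00000000 00:00000000 00000000   112
"""

def parse_local_ports(table: str) -> set:
    """Every local TCP port present in the table, in any state (like netstat -an)."""
    ports = set()
    for line in table.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def port_looks_hidden(port: int, listed_ports: set) -> bool:
    """rootcheck's rule: bind() fails with EADDRINUSE, yet the port is absent
    from the listing taken afterwards -> 'hidden'."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(("127.0.0.1", port))
    except OSError as exc:
        if exc.errno != errno.EADDRINUSE:
            raise
        return port not in listed_ports
    finally:
        probe.close()
    return False                                   # bind worked: port was free

def demo() -> tuple:
    """Hold a real loopback listener open, then judge it against a listing that
    still contains it and against one from which it has already vanished
    (what a connection closing between bind() and netstat looks like)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        with open(PROC_NET_TCP) as f:
            live = parse_local_ports(f.read())
        return port_looks_hidden(port, live), port_looks_hidden(port, live - {port})
    finally:
        listener.close()

if __name__ == "__main__":
    print("hidden verdict (live listing, stale listing):", demo())
```

The stale-listing verdict is the false positive dan describes: nothing is hidden, the socket simply stopped existing between the two observations. A genuinely hidden port reproduces across repeated scans and survives a cross-check with ss or /proc/net/tcp, which a trojaned netstat binary cannot influence.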


Re: [ossec-list] Host-based anomaly detection event (rootcheck)

2020-03-16 Thread dan (ddp)
On Mon, Mar 16, 2020 at 12:33 PM llehirgen  wrote:
>
> I use dokku on an Ubuntu 18.04 LTS machine.
> I received the following alerts concerning files hidden in a long list of 
> directories:
>
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Files hidden inside directory 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/man'.
>  Link count does not match number of files (26,1).
>
> Then again:
> Files hidden inside directory 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/share/dpkg'.
>  Link count does not match number of files (2,1).
>
> And so on for a list of 104 directories, like 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/sbin'
>  or 
> '/var/lib/docker/overlay2/c3ee7713915112e9bd1df6d423cc6e2dd35a6d1c9871daae8c53054c05408516/merged/usr/bin'
>  etc etc
>
> How am I expected to interpret these alerts? What am I expected to do?
>

rootcheck doesn't understand overlay filesystem stuff yet. There is at
least 1 issue open on the topic (at
https://github.com/ossec/ossec-hids/issues).



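The comparison behind "Link count does not match number of files (26,1)", as an added example that is not OSSEC's code: on a classic filesystem a directory's st_nlink equals 2 ('.' and '..') plus one per subdirectory, so rootcheck counts the subdirectories it can see and compares. overlayfs reports st_nlink == 1 for merged directories (btrfs does the same for every directory), which is the second number in every one of llehirgen's alerts and why the check cannot say anything on /var/lib/docker/overlay2. The verdict labels and the constructed sample tree are my own.

```python
import os
import tempfile

def count_dir_links(path: str) -> int:
    """What rootcheck counts for a directory: '.' and '..' plus one per subdirectory
    (regular files do not contribute to a directory's link count)."""
    with os.scandir(path) as entries:
        return 2 + sum(1 for e in entries if e.is_dir(follow_symlinks=False))

def classify(counted: int, nlink: int) -> str:
    """Turn the (counted, st_nlink) pair printed in the alert into a triage verdict."""
    if nlink == counted:
        return "ok"
    if nlink == 1:
        # overlayfs merged directories and btrfs report st_nlink == 1 for every
        # directory, so the comparison carries no information there.
        return "unsupported-fs"
    # On a filesystem that does maintain the count, nlink > counted means a
    # subdirectory the scanner could not enumerate: worth looking at.
    return "mismatch"

def check_dir(path: str) -> tuple:
    """(counted, st_nlink, verdict) for a real directory."""
    counted = count_dir_links(path)
    nlink = os.lstat(path).st_nlink
    return counted, nlink, classify(counted, nlink)

def make_sample_tree() -> str:
    """Constructed sample: a temp dir with three subdirectories and one file,
    so the expected count is 2 + 3 = 5 regardless of the file."""
    root = tempfile.mkdtemp(prefix="rootcheck-demo-")
    for name in ("man1", "man8", "fr"):
        os.mkdir(os.path.join(root, name))
    with open(os.path.join(root, "index.db"), "w") as f:
        f.write("constructed\n")
    return root

if __name__ == "__main__":
    print("alert pair from the thread (26,1):", classify(26, 1))
    print("sample tree:", check_dir(make_sample_tree()))
```

Running check_dir() on the same sample tree placed on ext4 and on an overlayfs merged path shows the two halves of the problem: the count is identical, only st_nlink differs.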