I just disabled cups on my server (no printer, no need to print) and
OSSEC reported
Port '631'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat
A quick check of netstat shows
$ sudo netstat -anp |grep 631
udp 0 0 0.0.0.0:631 0.0.0.0:* 1125/portreserve
And Googling tells me that portreserve is there to make sure that if I
were to start cups later, the necessary port would be available.
Should OSSEC be modified to be aware of ports held by portreserve?
System is CentOS 6.2.
--
-- Steve
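
The situation in the post above can be reproduced with this added example, which is not part of the original message and is not OSSEC's code. On Linux, a TCP socket that has been bound but never put into listen() does not appear in /proc/net/tcp (the table netstat reads), yet a second bind() on the same port fails. The bind-probe heuristic here is a simplified assumption about how a "hidden port" check works, and all function names and the sample table are constructed.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp format: one socket listening on port 22 (0x0016).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""

def listed_ports(proc_text):
    """Return the local TCP ports present in /proc/net/tcp-style text."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def bind_refused(port):
    """True when bind() on the port fails with EADDRINUSE (the port is held)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(("0.0.0.0", port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        probe.close()

def looks_hidden(port, proc_text):
    """Bind-probe heuristic: a held port that the socket table does not list."""
    return bind_refused(port) and port not in listed_ports(proc_text)

def reserve_port():
    """Hold a TCP port the way a reservation does: bind() only, no listen()."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("0.0.0.0", 0))  # kernel-chosen free port
    return holder, holder.getsockname()[1]

if __name__ == "__main__":
    holder, port = reserve_port()
    with open("/proc/net/tcp") as fh:  # Linux only
        print(port, "flagged as hidden:", looks_hidden(port, fh.read()))
    holder.close()
```

Before treating such an alert as a rootkit indicator, confirm which process holds the port, as the netstat -anp check in the post does for the UDP side.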