Date: Fri, 26 Sep 2014 10:21:29 +0300
From: Bw <bw.mail.lists@gmail.com>
To: List Monkey <listmonkey1@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)
Message-ID: <39A16A80-547B-4AAA-AC5E-E5FBB371332B@gmail.com>
In-Reply-To: <CAJm423_CG0QLpR9Z=U3Sw6nhwQ8rewL8Sqad-XdxLSCmKAC8KA@mail.gmail.com>
References: <541FE781.2080505@gmail.com> <CAJm4238JxvYicm6qy8kHVAA57Su-rGokt2Ua7RTC-yxUDYqpXQ@mail.gmail.com> <542142BC.2000409@gmail.com> <CAJm423_CG0QLpR9Z=U3Sw6nhwQ8rewL8Sqad-XdxLSCmKAC8KA@mail.gmail.com>
On 23 September 2014 20:33:54 EEST, Brandon Vincent <Brandon.Vincent@asu.edu> wrote:
>On Tue, Sep 23, 2014 at 2:51 AM, List Monkey <listmonkey1@gmail.com> wrote:
>> The ossec-rootcheck is not present on my install (has it been deprecated?)
>> I am able to use the agent-control to force a complete run. It runs
>> without error.
>
>Without more information, I would have to say it is likely a false
>positive. A binary is probably not returning the value OSSEC is
>expecting in regards to the system calls getsid() and kill() and the
>output of ps. This is common with less popular operating systems since
>the majority of individuals who use OSSEC run it on GNU/Linux. I know
>this has happened with OSSEC + IBM AIX on occasion.

Just to confirm that I got that several times before, too. Figured the process has gone away between checks.
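The check Brandon describes above (PIDs the kernel acknowledges through getsid() and kill() but that ps does not list) can be reproduced with a few lines of Python. The script below is an added illustration written for this thread, not OSSEC's own rootcheck code; `syscall_visible`, `ps_visible_pids`, `classify` and `scan` are names chosen here, and the `ps -axo pid=` invocation is assumed to be available on the host. It also re-probes any candidate after a short delay, which is one way to avoid the false positive Bw mentions, where a process simply exited between the syscall probe and the ps snapshot.

```python
import errno
import os
import subprocess
import time


def syscall_visible(pid):
    """True if the kernel answers for this PID via getsid() or kill(pid, 0).

    EPERM from kill() still means the process exists (we just may not signal
    it); ESRCH means no such process.  Both probes are tried so that a single
    odd return value does not decide the outcome on its own.
    """
    for probe in (os.getsid, lambda p: os.kill(p, 0)):
        try:
            probe(pid)
            return True
        except PermissionError:
            return True
        except ProcessLookupError:
            continue
        except OSError as exc:
            if exc.errno == errno.EPERM:
                return True
    return False


def ps_visible_pids():
    """PIDs as reported by ps(1): the user-space view a rootkit might filter."""
    out = subprocess.run(["ps", "-axo", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def classify(kernel_visible, ps_pids):
    """Pure comparison: PIDs the kernel acknowledges but ps does not list."""
    return sorted(p for p in kernel_visible if p not in ps_pids)


def probe_self():
    """Sanity check: the running interpreter must be visible to its own kernel."""
    return syscall_visible(os.getpid())


def scan(max_pid=99999, confirm_delay=0.5):
    """Walk the PID range the way a hidden-process check does.

    A candidate is only reported if it is still kernel-visible and still
    absent from a *fresh* ps listing after confirm_delay seconds; a process
    that exited between the two views is dropped rather than reported.
    """
    first_pass = {pid for pid in range(1, max_pid + 1) if syscall_visible(pid)}
    candidates = classify(first_pass, ps_visible_pids())
    if not candidates:
        return []
    time.sleep(confirm_delay)
    still_hidden = {pid for pid in candidates if syscall_visible(pid)}
    return classify(still_hidden, ps_visible_pids())


if __name__ == "__main__":
    hidden = scan()
    print("hidden PIDs:" if hidden else "no hidden processes", *hidden)
```

Running it as root gives the most complete view, since unprivileged getsid() and kill() calls return EPERM for other users' processes (still counted as "exists" above). A PID that survives the second pass is worth inspecting by hand; a PID that appears only in the first pass is exactly the transient case discussed in this thread.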