From: List Monkey
To: freebsd-security@freebsd.org
Date: Mon, 22 Sep 2014 11:10:25 +0200
Subject: ossec hit: Hidden process (rootkit)
Message-ID: <541FE781.2080505@gmail.com>
List-Id: "Security issues [members-only posting]"

I'm running FreeBSD as a VM. I recently got a hit from the ossec agent:

OSSEC HIDS Notification.
2014 Aug 28 03:01:34

Received From: (host) xxx.xxx.xxx.xxx->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.

It took a couple of days for me to respond to the alert but I could not find the process. Is there any reason this could be explained because FreeBSD is running as a VM? Any other thoughts?

__
Arne
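The alert quoted above names the three probes rootcheck uses for this test: kill(pid, 0), getsid(pid) and getpgid(pid), each compared against what ps(1) can see. The script below is an added example, written for this archive page; it is not OSSEC's code and not something from the original mail. It re-runs that style of sweep so a reader can check whether a PID is still invisible days later or whether the hit was a one-off. Everything in it is an assumption of the example: the names probe_pid, visible_pids, classify, sweep and format_alert, the MAX_PID bound, the use of `ps -axo pid=` (with a /proc fallback) as the "visible" list, and the re-probe rounds that filter out a process which simply exited between the syscall and the ps snapshot. The numbers in the rendered message are this example's own 1/0 result flags laid out like the quoted line, not a claim about how OSSEC fills them in.

```python
"""Hidden-process sweep in the style of the rootcheck alert
'Process hidden from kill, getsid or getpgid'.

Added example (not OSSEC's code). Assumes a POSIX host where
`ps -axo pid=` lists visible processes; falls back to /proc on Linux.
"""
import os
import subprocess
from dataclasses import dataclass

# Assumed upper bound for the sweep; adjust to the host's pid_max.
MAX_PID = 99999


@dataclass(frozen=True)
class Finding:
    pid: int
    kill_ok: bool
    getsid_ok: bool
    getpgid_ok: bool
    visible: bool

    @property
    def hidden(self) -> bool:
        # The kernel answers for the pid, yet userland tooling cannot list it.
        return (self.kill_ok or self.getsid_ok or self.getpgid_ok) and not self.visible


def probe_pid(pid: int) -> tuple:
    """Ask the kernel about a pid three ways. EPERM still counts as
    'exists': the pid belongs to someone else, but it is there."""
    results = []
    for call in (lambda p: os.kill(p, 0), os.getsid, os.getpgid):
        try:
            call(pid)
            results.append(True)
        except PermissionError:
            results.append(True)
        except OSError:          # ESRCH and anything else: treat as absent
            results.append(False)
    return tuple(results)


def visible_pids() -> set:
    """PIDs that a userland listing shows. ps(1) first, /proc as fallback."""
    try:
        out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                             text=True, check=True).stdout
        return {int(tok) for tok in out.split()}
    except (OSError, subprocess.CalledProcessError, ValueError):
        pass
    try:
        return {int(n) for n in os.listdir("/proc") if n.isdigit()}
    except OSError:
        return set()


def classify(pid: int, probe: tuple, visible: set) -> Finding:
    """Pure decision step, separated out so it can be tested offline."""
    return Finding(pid, probe[0], probe[1], probe[2], pid in visible)


def sweep(max_pid: int = MAX_PID, confirm_rounds: int = 2) -> list:
    """Probe pids 1..max_pid; a candidate is reported only if it stays
    hidden across confirm_rounds fresh ps snapshots (filters exit races)."""
    visible = visible_pids()
    findings = []
    for pid in range(1, max_pid + 1):          # pid 0 would signal the group
        finding = classify(pid, probe_pid(pid), visible)
        if not finding.hidden:
            continue
        for _ in range(confirm_rounds):
            visible = visible_pids()
            finding = classify(pid, probe_pid(pid), visible)
            if not finding.hidden:
                break
        else:
            findings.append(finding)
    return findings


def format_alert(f: Finding) -> str:
    """Render the finding laid out like the rootcheck line in the mail."""
    return (f"Process '{f.pid}' hidden from kill ({int(f.kill_ok)}), "
            f"getsid ({int(f.getsid_ok)}) or getpgid ({int(f.getpgid_ok)}). "
            "Possible kernel-level rootkit.")


def self_check() -> tuple:
    """The running interpreter must answer all three probes."""
    return probe_pid(os.getpid())


if __name__ == "__main__":
    for finding in sweep():
        print(format_alert(finding))
```

Run it as root so kill(pid, 0) is not limited by EPERM noise, and run it more than once: a pid that is hidden on every pass is a very different finding from one that appeared only in a single snapshot, and only the former justifies moving on to kernel-side inspection (memory image, module listing) rather than a userland search.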