From: Brandon Vincent
To: List Monkey
Cc: freebsd-security@freebsd.org
Date: Tue, 23 Sep 2014 10:33:54 -0700
Subject: Re: ossec hit: Hidden process (rootkit)

On Tue, Sep 23, 2014 at 2:51 AM, List Monkey wrote:
> The ossec-rootcheck is not present on my install (has it been deprecated?)
> I am able to use the agent-control to force a complete run. It runs
> without error.

Without more information, I would have to say it is likely a false positive. A binary is probably not returning the value OSSEC is expecting with regard to the system calls getsid() and kill() and the output of ps. This is common with less popular operating systems, since the majority of individuals who use OSSEC run it on GNU/Linux. I know this has happened with OSSEC + IBM AIX on occasion.

Brandon Vincent
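The kind of hidden-process check the reply refers to, as an added example that is not OSSEC's own code: the kernel is asked about a PID through kill(pid, 0) and getsid(), the text of ps is parsed for the same PID, and the PID is reported as hidden when the two disagree. The function names and the ps text are assumptions/constructed; the ps-parsing step is where a ps format the parser does not expect turns into exactly the false positive the reply describes.

```c
/* Added example, not OSSEC's code. Assumes a POSIX system where kill(pid, 0)
 * and getsid(pid) fail with ESRCH for an absent PID and with EPERM for a
 * live PID the caller may not touch. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Does the kernel admit that `pid` exists? EPERM still means "alive". */
int kernel_sees_pid(pid_t pid)
{
    errno = 0;
    if (kill(pid, 0) == 0 || errno == EPERM)
        return 1;
    errno = 0;
    if (getsid(pid) != (pid_t)-1 || errno == EPERM)
        return 1;
    return 0;
}

/* Does `ps_output` list `pid`? Assumes the PID is the first integer on
 * each line (a header line without a leading integer is skipped). A ps
 * that prints a different column first makes every PID look unlisted. */
int ps_lists_pid(const char *ps_output, pid_t pid)
{
    const char *line = ps_output;
    while (*line) {
        long p;
        if (sscanf(line, " %ld", &p) == 1 && p == (long)pid)
            return 1;
        line = strchr(line, '\n');
        if (!line)
            break;
        line++;
    }
    return 0;
}

/* Rootcheck-style verdict: seen by the kernel but missing from ps. */
int looks_hidden(pid_t pid, const char *ps_output)
{
    return kernel_sees_pid(pid) && !ps_lists_pid(ps_output, pid);
}

int main(void)
{
    /* Constructed ps text: header line, then one process per line. */
    const char *ps_out = "  PID TTY          TIME CMD\n    1 ?        00:00:01 init\n";
    pid_t me = getpid();
    printf("pid %ld: kernel=%d ps=%d hidden=%d\n", (long)me,
           kernel_sees_pid(me), ps_lists_pid(ps_out, me), looks_hidden(me, ps_out));
    return 0;
}
```

Run on a real host, the constructed ps text (which never lists the running process) reports the example's own PID as hidden, which is the shape of the false positive the reply describes.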