Date: Mon, 22 Sep 2014 16:57:06 +0200
From: Dimitry Andric <dim@FreeBSD.org>
To: List Monkey <listmonkey1@gmail.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)
Message-ID: <51C393BF-FEE2-4955-944C-EBD0DBA4C18C@FreeBSD.org>
In-Reply-To: <541FE781.2080505@gmail.com>
References: <541FE781.2080505@gmail.com>
On 22 Sep 2014, at 11:10, List Monkey <listmonkey1@gmail.com> wrote:
> I'm running FreeBSD as a VM. I recently got a hit from the ossec agent:
>
> OSSEC HIDS Notification.
> 2014 Aug 28 03:01:34
>
> Received From: (host) xxx.xxx.xxx.xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.
>
> It took a couple of days for me to respond to the alert but I could not
> find the process.
> Is there any reason this could be explained because FreeBSD is running
> as a VM?
> Any other thoughts?

Maybe the ossec agent software is overly paranoid, or simply missed a very short-lived process? It's hard to say without more information.

-Dimitry
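Added illustration for this thread (not part of the exchange above and not OSSEC's own rootcheck code): the alert names three probes, kill(2), getsid(2) and getpgid(2), and fires when the kernel admits a pid exists while the process table omits it. A process that exits between the syscall probe and the ps(1) listing produces exactly the same picture in a single pass, which is the short-lived-process explanation offered in the reply. The script below repeats the comparison across several rounds and reports a pid as "hidden" only when every round disagrees, and as "transient" when the disagreement comes and goes. Assumptions: `ps -axo pid=` is available (FreeBSD and Linux syntax), with a /proc fallback when it is not; the scan ceiling is kernel.pid_max on Linux and PID_MAX (99999) on FreeBSD; the probe names and the "hidden"/"transient" vocabulary are this example's own.

```python
"""Repeated-sampling version of the hidden-process check that rootcheck reports.

Added illustration for the freebsd-security thread, not OSSEC's rootcheck code.
A pid is "hidden" when the kernel admits it exists (kill(2), getsid(2),
getpgid(2)) while the userland process table does not list it. A process that
exits between the syscall probe and the ps(1) listing looks identical in one
pass; sampling several rounds apart separates the two cases.
"""
import errno
import os
import subprocess
import sys
import time

SELF_PID = os.getpid()

# The three probes named in the alert. Each raises OSError(ESRCH) when no such
# process exists and OSError(EPERM) when it exists but belongs to someone else.
PROBES = {
    "kill":    lambda pid: os.kill(pid, 0),
    "getsid":  lambda pid: os.getsid(pid),
    "getpgid": lambda pid: os.getpgid(pid),
}


def probe_pid(pid):
    """Map each probe name to True when the kernel admits that `pid` exists."""
    seen = {}
    for name, call in PROBES.items():
        try:
            call(pid)
            seen[name] = True
        except OSError as exc:
            seen[name] = exc.errno != errno.ESRCH  # EPERM still proves existence
    return seen


def visible_pids():
    """PIDs the process table shows: ps(1) first, /proc as a fallback (assumed
    portability shim; FreeBSD does not mount procfs by default)."""
    try:
        out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                             text=True, check=True).stdout
        return {int(tok) for tok in out.split()}
    except (OSError, subprocess.CalledProcessError, ValueError):
        return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pid_limit():
    """Highest pid to scan: kernel.pid_max on Linux, PID_MAX (99999) on FreeBSD."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except OSError:
        return 99999


def classify(samples):
    """samples: one (kernel_sees_it, table_shows_it) pair per sampling round.

    hidden    - every round the kernel admits the pid but the table omits it
    transient - hidden in some rounds only: it appeared or exited mid-scan
    visible   - listed by the table whenever the kernel saw it
    absent    - nothing ever saw it
    """
    hidden_rounds = sum(1 for k, t in samples if k and not t)
    seen_rounds = sum(1 for k, t in samples if k or t)
    if seen_rounds == 0:
        return "absent"
    if hidden_rounds == len(samples):
        return "hidden"
    if hidden_rounds:
        return "transient"
    return "visible"


def find_hidden(rounds=3, interval=0.5, max_pid=None):
    """Scan pids 1..max_pid `rounds` times, `interval` seconds apart; return
    {pid: "hidden" | "transient"} for everything that did not check out.
    Caveat: on Linux, thread ids also answer kill(2)/getsid(2) but never show
    up in ps output, so a "hidden" hit there still needs /proc/<pid>/task
    cross-checking before it is treated as a rootkit."""
    max_pid = max_pid or pid_limit()
    kernel_sets, table_sets = [], []
    for r in range(rounds):
        table_sets.append(visible_pids())
        kernel_sets.append({pid for pid in range(1, max_pid + 1)
                            if any(probe_pid(pid).values())})
        if r + 1 < rounds:
            time.sleep(interval)
    candidates = set().union(*kernel_sets, *table_sets)
    report = {}
    for pid in candidates:
        verdict = classify([(pid in k, pid in t)
                            for k, t in zip(kernel_sets, table_sets)])
        if verdict in ("hidden", "transient"):
            report[pid] = verdict
    return report


def dead_pid():
    """Spawn and reap a child; its pid is then free, a handy 'absent' fixture."""
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    child.wait()
    return child.pid


if __name__ == "__main__":
    for pid, verdict in sorted(find_hidden().items()):
        print(f"pid {pid}: {verdict}")
```

Run as root so that EPERM does not mask anything, and treat a "transient" verdict the way the reply suggests: a process that came and went between probes, not evidence of a kernel-level rootkit. Only a pid that stays kernel-visible and table-invisible across every round deserves the full incident-response treatment.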
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?51C393BF-FEE2-4955-944C-EBD0DBA4C18C>