From: Bw
Date: Fri, 26 Sep 2014 10:21:29 +0300
To: List Monkey
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)
Message-ID: <39A16A80-547B-4AAA-AC5E-E5FBB371332B@gmail.com>
References: <541FE781.2080505@gmail.com> <542142BC.2000409@gmail.com>
List-Id: "Security issues [members-only posting]"

On 23 September 2014 20:33:54 EEST, Brandon Vincent wrote:
> On Tue, Sep 23, 2014 at 2:51 AM, List Monkey wrote:
>> The ossec-rootcheck is not present on my install (has it been
>> deprecated?)
>> I am able to use the agent-control to force a complete run. It runs
>> without error.
>
> Without more information, I would have to say it is likely a false
> positive. A binary is probably not returning the value OSSEC is
> expecting in regards to the system calls getsid() and kill() and the
> output of ps. This is common with less popular operating systems since
> the majority of individuals who use OSSEC run it on GNU/Linux. I know
> this has happened with OSSEC + IBM AIX on occasion.

Just to confirm that I got that several times before, too. Figured the
process has gone away between checks.
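The check Brandon describes (probe each PID with kill() and getsid(), then compare against what ps lists) and the race Bw suspects (the process exits between the two steps) can both be seen in a small standalone program. The code below is an added illustration written for this archive, not code from the thread or from OSSEC itself; the function names are hypothetical, and the ps snapshot is a constructed array where a real check would parse `ps -ax -o pid=`. The extra re-probe after the ps comparison is the one addition a defender would want: a process that died between the first probe and the snapshot fails the second probe and is dropped instead of being reported as hidden.

```c
#include <errno.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Kernel-side liveness probe using the two syscalls named in the thread.
 * kill(pid, 0) delivers no signal but still reports whether the PID exists;
 * EPERM means "exists, but not ours", so it counts as present. getsid(pid)
 * is an independent second route to the same answer. */
static bool pid_alive_per_kernel(pid_t pid)
{
    errno = 0;
    if (kill(pid, 0) == 0 || errno == EPERM)
        return true;
    errno = 0;
    if (getsid(pid) != (pid_t)-1 || errno == EPERM)
        return true;
    return false;
}

/* Membership test against a PID list. In a real check this list would be
 * parsed from `ps -ax -o pid=`; here the caller constructs it. */
static bool pid_listed_by_ps(pid_t pid, const pid_t *ps_pids, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ps_pids[i] == pid)
            return true;
    return false;
}

/* True only when the kernel says the PID is alive, ps does not list it, AND
 * a second probe taken after the ps comparison still says alive. The re-probe
 * removes the false positive from a process that exited between the first
 * probe and the ps snapshot. It does not cover a process that started after
 * the snapshot; for that the caller should re-run ps for each candidate. */
static bool hidden_from_ps(pid_t pid, const pid_t *ps_pids, size_t n)
{
    if (!pid_alive_per_kernel(pid))
        return false;
    if (pid_listed_by_ps(pid, ps_pids, n))
        return false;
    return pid_alive_per_kernel(pid);
}

/* Scan [lo, hi] and collect PIDs flagged as hidden; returns how many. */
static size_t scan_hidden(pid_t lo, pid_t hi, const pid_t *ps_pids, size_t n,
                          pid_t *out, size_t out_cap)
{
    size_t found = 0;
    for (pid_t pid = lo; pid <= hi && found < out_cap; pid++)
        if (hidden_from_ps(pid, ps_pids, n))
            out[found++] = pid;
    return found;
}

int main(void)
{
    pid_t me = getpid();
    /* Constructed "ps snapshot" that omits our own PID: the kernel knows us,
     * ps (supposedly) does not, so this process must be reported. */
    pid_t snapshot[] = { 1 };
    pid_t hits[8];
    size_t n = scan_hidden(me, me, snapshot, 1, hits, 8);
    printf("hidden PIDs when ps omits %d: %zu\n", (int)me, n);

    /* A child that has already exited is also absent from the snapshot, but
     * must not be reported: the re-probe sees it gone. This is the "process
     * went away between checks" case from the thread. */
    pid_t child = fork();
    if (child == 0)
        _exit(0);
    waitpid(child, NULL, 0);
    printf("exited child %d flagged: %s\n", (int)child,
           hidden_from_ps(child, snapshot, 1) ? "yes" : "no");
    return 0;
}
```

Running it prints one hit for the current PID (the snapshot deliberately omits it) and "no" for the exited child. The same two-probe structure is what to look for, or add, when a rootcheck-style alert fires on a short-lived process: a single probe followed by one ps listing cannot tell a hidden process from one that simply finished.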