ossec hit: Hidden process (rootkit)

Bw bw.mail.lists at gmail.com
Fri Sep 26 15:53:54 UTC 2014



On 23 September 2014 20:33:54 EEST, Brandon Vincent <Brandon.Vincent at asu.edu> wrote:
>On Tue, Sep 23, 2014 at 2:51 AM, List Monkey <listmonkey1 at gmail.com>
>wrote:
>> The ossec-rootcheck is not present on my install (has it been
>deprecated?)
>> I am able to use the agent-control to force a complete run. It runs
>> without error.
>
>Without more information, I would have to say it is likely a false
>positive. A binary is probably not returning the value OSSEC is
>expecting in regards to the system calls getsid() and kill() and the
>output of ps. This is common with less popular operating systems since
>the majority of individuals who use OSSEC run it on GNU/Linux. I know
>this has happened with OSSEC + IBM AIX on occasion.

Just to confirm that I got that several times before, too. Figured the process had gone away between checks.
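To make the mechanism Brandon describes concrete, here is an added example (not OSSEC's own rootcheck code): a simplified hidden-process probe that asks the kernel about each pid with getsid() and kill(pid, 0), asks ps whether it lists the pid, and re-probes a candidate before flagging it so a process that simply exited between the two checks does not produce the alert this thread discusses. It assumes ps is on PATH, and the pid range scanned in main, the PROC_* names and the constructed sim_* process table are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L   /* for getsid() and popen() */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

enum { PROC_ABSENT = 0, PROC_VISIBLE = 1, PROC_HIDDEN = 2 };

/* Kernel-level existence via the two syscalls rootcheck uses: success, or
 * failure with EPERM (exists but belongs to someone else), both count. */
int exists_by_syscall(pid_t pid) {
    if (getsid(pid) != -1 || errno == EPERM) return 1;
    return kill(pid, 0) == 0 || errno == EPERM;
}

/* Userland visibility: does "ps -p PID -o pid=" list the process? */
int visible_in_ps(pid_t pid) {
    char cmd[64]; long seen = -1;
    snprintf(cmd, sizeof cmd, "ps -p %ld -o pid=", (long)pid);
    FILE *p = popen(cmd, "r");
    if (p == NULL) return 0;
    if (fscanf(p, "%ld", &seen) != 1) seen = -1;
    pclose(p);
    return seen == (long)pid;
}

/* Core decision with the probes injected. A pid the kernel reports but ps
 * does not is re-probed before being flagged, so a process that merely
 * exited between the two checks is not reported as hidden. */
int classify_pid(pid_t pid, int (*exists)(pid_t), int (*visible)(pid_t)) {
    if (!exists(pid)) return PROC_ABSENT;
    if (visible(pid)) return PROC_VISIBLE;
    return exists(pid) ? PROC_HIDDEN : PROC_ABSENT;
}

/* Constructed process table: 42 is ordinary, 1234 is known to the kernel but
 * absent from ps, 777 exits right after the first probe (transient case). */
static int sim_calls_777 = 0;
int sim_exists(pid_t pid) {
    if (pid == 777) return sim_calls_777++ == 0;
    return pid == 42 || pid == 1234;
}
int sim_visible(pid_t pid) { return pid == 42; }

int main(void) {
    /* Live scan of a demo pid range (rootcheck walks up to the pid maximum). */
    for (pid_t pid = 1; pid < 4096; pid++)
        if (classify_pid(pid, exists_by_syscall, visible_in_ps) == PROC_HIDDEN)
            printf("hidden process %ld: kernel sees it, ps does not\n", (long)pid);
    return 0;
}
```

The simulated table shows the two outcomes side by side: pid 1234 is still flagged, while pid 777 is dropped on the re-probe instead of becoming a false positive.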



More information about the freebsd-security mailing list