Please help - OSSEC security warning

I am running OSSEC and I just received this message Jan 19:

OSSEC HIDS Notification.
2010 Jan 19 07:36:36

Received From: warhorse->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Port '44378'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

It seems similar to this issue:

http://www.mail-archive.com/ossec-list@googlegroups.com/msg02059.html

I followed those suggestions and here are the results of the investigation.

Nmap reports this (note that the port number differs from the one in the e-mail):

Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-20 18:56 Central Standard Time

Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Ping Scan Timing: About 12.50% done; ETC: 18:56 (0:00:00 remaining)
Interesting ports on <hostname>(<ip>):
PORT      STATE    SERVICE
33477/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds

Strings reports nothing:

# strings /bin/netstat | grep 33477
# strings /bin/netstat | grep 44378
#

The inode numbers appear to be in the correct range:

ls -asli /bin | sort
 ...
 32846  48 -rwxr-xr-x  1 root root  46616 Oct 31 23:23 chgrp
 32847   8 -rwxr-xr-x  1 root root   5400 Jun  5  2009 mountpoint
 32848 108 -rwxr-xr-x  1 root root 105064 Jun  5  2009 netstat
 32849  60 -rwxr-xr-x  1 root root  55304 Oct 31 23:22 sed
 32850   4 -rwxr-xr-x  1 root root     61 Jun  5  2009 gunzip
 ...

Is there any other investigation I should do? Is it safe to conclude that the server has NOT been actually compromised? I am guessing that the rule is firing off because of large numbers of SMTP incoming connections…

Thanks!

6 Replies

What OS are you running?

What version of netstat is it supposed to be?

What is the MD5 sum of netstat?

What is the SHA1 sum of netstat?

With all of this information somebody might be able to compare the MD5 and SHA1 sums to ensure you have the correct binary. If the same version of netstat on a new/separate install does not match then I would be concerned.

Also, please tell me you didn't run nmap from the same system. If you did, the output is useless. Run it from another system.

I am running Gentoo. Kernel is Linux 2.6.18.8.

Netstat version:

$ netstat -V
net-tools 1.60
netstat 1.42 (2001-04-15)
Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
HW:  +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB +EUI64

MD5:

821670c39a9216242efa3b4f0409cd59

SHA1:

1e03027cb6e04f848d4a05dabd29cbd58cca4b96

Can you verify those checksums?

Yeah, I ran nmap from my home PC.

Thanks.

@AtomicDog:

I am running Gentoo.

My netstat is the same version as yours, but the checksums are different. However, that depends on your compile flags. In my case:

USE for net-tools: "-nls -static"

gcc-4.3.4, glibc-2.9_p20081201-r2

CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"

LDFLAGS="-Wl,-O1" (default)

CBUILD="i686-pc-linux-gnu"

/bin/netstat (96840 bytes)

My USE flags for net-tools are:

"+nls -static"

so I guess that explains the difference in our checksums.

Not sure how you got the gcc flags to print.

/bin/netstat (105064 bytes)

Thanks.

To be perfectly sure, you can make an overlay, compile it with the same flags as I have and see if you get the same file size as mine (although I am not sure what other deps and other package headers may be used). Then, just revert by removing the overlay and re-merging from the official tree. You can also use binpkg. Although, if you are hacked, then it would have to be some highly sophisticated, Gentoo-only hack (that overrides Portage) to prevent a simple refresh with re-merging from the official tree.

gcc flags and much more info are available from emerge --info, though I copy-pasted from make.conf, except LDFLAGS, which I don't override.

This check has been known to FP occasionally. On the other hand, I have seen it on a truly rooted box, too. Did you just install OSSEC or has it been running for a while? You should have a syscheck database with a history of the netstat checksums.

Try: /var/ossec/bin/syscheck_control -i 000 | grep netstat

Also, what happens if you try to bind to the port (e.g. telnet localhost ?

Whoops, just noticed this post was a few months old :)
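The bind-versus-socket-table comparison that rootcheck's hidden-port check performs, and the transient-connection false positive the thread suspects (an SMTP session that closes between the bind probe and the listing), as an added example that is not from the thread or from OSSEC itself. It reads /proc/net/tcp instead of running netstat; the sample socket table is constructed, and the function names are my own.

```python
import errno
import os
import socket

# Constructed /proc/net/tcp sample: a listener on port 25 (0x0019) and a connection on 44378 (0xAD5A).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0100007F:AD5A 0100007F:0019 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 20 4 30 10 -1
"""

def listed_ports(proc_net_tcp_text):
    # Local TCP ports the kernel's socket table admits to, in any state (the hex after the colon).
    ports = set()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue  # header line or junk
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def port_in_use(port):
    # rootcheck-style probe: True if bind() is refused with EADDRINUSE, None if we cannot tell.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        return True if e.errno == errno.EADDRINUSE else None  # e.g. EACCES on a privileged port
    finally:
        s.close()

def classify(in_use, listed):
    if in_use is None:
        return "unknown"
    return ("visible" if listed else "hidden") if in_use else "free"

def _read_socket_tables():
    # /proc/net/tcp6 holds the IPv6 side and shares the same layout.
    return "".join(open(p).read() for p in ("/proc/net/tcp", "/proc/net/tcp6") if os.path.exists(p))

def check_port(port, rounds=3, read_proc=_read_socket_tables, probe=port_in_use):
    # Repeat the probe: hidden in every round is suspicious; hidden in only some rounds is a race.
    verdicts = [classify(probe(port), port in listed_ports(read_proc())) for _ in range(rounds)]
    if all(v == "hidden" for v in verdicts):
        return "hidden"
    if "hidden" in verdicts:
        return "transient"  # a short-lived connection closed between the bind probe and the table read
    return verdicts[-1]
```

Run `check_port(44378)` on the host itself (the bind probe must be local, unlike the nmap scan); a persistent "hidden" verdict is what warrants comparing the netstat binary against a known-good build.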
