Please help - OSSEC security warning
OSSEC HIDS Notification.
2010 Jan 19 07:36:36
Received From: warhorse->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Port '44378'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.
It seems similar to this issue:
I followed those suggestions and here are the results of the investigation.
Nmap reports this (note that the port number differs from the one in the e-mail):
Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-20 18:56 Central Standard Time
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Ping Scan Timing: About 12.50% done; ETC: 18:56 (0:00:00 remaining)
Interesting ports on <hostname>(<ip>):
PORT STATE SERVICE
33477/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 2.06 seconds
Strings reports nothing:
# strings /bin/netstat | grep 33477
# strings /bin/netstat | grep 44378
#
The inode numbers appear to be in the correct range:
ls -asli /bin | sort
...
32846 48 -rwxr-xr-x 1 root root 46616 Oct 31 23:23 chgrp
32847 8 -rwxr-xr-x 1 root root 5400 Jun 5 2009 mountpoint
32848 108 -rwxr-xr-x 1 root root 105064 Jun 5 2009 netstat
32849 60 -rwxr-xr-x 1 root root 55304 Oct 31 23:22 sed
32850 4 -rwxr-xr-x 1 root root 61 Jun 5 2009 gunzip
...
Is there any other investigation I should do? Is it safe to conclude that the server has NOT been actually compromised? I am guessing that the rule is firing off because of large numbers of SMTP incoming connections…
Thanks!
What version of netstat is it supposed to be?
What is the MD5 sum of netstat?
What is the SHA1 sum of netstat?
With all of this information somebody might be able to compare the MD5 and SHA1 sums to ensure you have the correct binary. If the same version of netstat on a new/separate install does not match then I would be concerned.
Also, please tell me you didn't run nmap from the same system. If you did, the output is useless. Run it from another system.
Netstat version:
$ netstat -V
net-tools 1.60
netstat 1.42 (2001-04-15)
Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
HW: +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB +EUI64
MD5:
821670c39a9216242efa3b4f0409cd59
SHA1:
1e03027cb6e04f848d4a05dabd29cbd58cca4b96
Can you verify those checksums?
Yeah, I ran nmap from my home PC.
Thanks.
I am running Gentoo.
My netstat is the same version as yours, but the checksums are different. However, that depends on your compile flags. In my case:
USE for net-tools: "-nls -static"
gcc-4.3.4, glibc-2.9_p20081201-r2
CFLAGS="-O2 -march=pentium4 -pipe -fomit-frame-pointer"
LDFLAGS="-Wl,-O1" (default)
CBUILD="i686-pc-linux-gnu"
/bin/netstat (96840 bytes)
@AtomicDog:
My USE flags for net-tools are:
"+nls -static"
so I guess that explains the difference in our checksums.
Not sure how you got the gcc flags to print.
/bin/netstat (105064 bytes)
Thanks.
To be perfectly sure, you can make an overlay, compile it with the same flags as I have and see if you get the same filesize as mine (although I am not sure what other deps and other package headers may be used). Then just revert by removing the overlay and re-merging from the official tree. You can also use binpkg. Although, if you are hacked, then it would have to be some highly sophisticated, Gentoo-only hack (that overrides portage) to prevent a simple refresh with re-merging from the official tree.
gcc flags and much more info is available from emerge --info, though I copy-pasted from make.conf, except LDFLAGS which I don't override.
Try: /var/ossec/bin/syscheck_control -i 000 | grep netstat
Also, what happens if you try to bind to the port (e.g. telnet localhost
Woops, just noticed this post was a few months old
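Added example (not OSSEC's code and not posted by anyone in this thread): rootcheck's "hidden port" test is a bind() attempt on each port followed by a look at netstat's table, sampled once. Repeating that comparison, which is the direction the last reply starts to suggest, tells a port that is permanently in use yet never listed apart from the short-lived connections the original poster suspects. Reading /proc/net/tcp directly, the three labels, and the default round count and delay are my assumptions; the constructed sample table uses the two port numbers from the thread.

```python
import socket
import time

# Constructed sample of the kernel's TCP table (the same table netstat prints).
# The local address column is hex ip:port: 0019 is port 25, 82C5 is 33477
# (the port nmap saw); the alerted port 44378 is deliberately absent.
SAMPLE_TABLE = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1\n"
    "   1: 0100007F:82C5 0100007F:0019 01 00000000:00000000 00:00000000 00000000     0        0 10002 1\n"
)

def parse_proc_tcp_ports(text):
    """Return the set of local ports (any state) listed in a /proc/net/tcp table."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def port_visible(port, path="/proc/net/tcp"):
    """Is the port listed in the live table netstat would read? (assumed path)"""
    with open(path) as fh:
        return port in parse_proc_tcp_ports(fh.read())

def bind_refused(port):
    """rootcheck's probe: a bind() that fails means something already owns the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False
        except OSError:
            return True

def classify_port(port, rounds=5, delay=0.5, refused=bind_refused, visible=port_visible):
    """Repeat rootcheck's bind-then-table comparison. 'hidden': every bind refused
    and the port never listed; 'transient': refused only sometimes, or listed when
    sampled (short-lived connections come and go); 'free': never refused."""
    refusals = listed = 0
    for _ in range(rounds):
        if refused(port):
            refusals += 1
            listed += visible(port)
        time.sleep(delay)
    if refusals == 0:
        return "free"
    if refusals == rounds and listed == 0:
        return "hidden"
    return "transient"
```

Run it as root on the host that raised the alert with `classify_port(44378)`; a port that is refused in every round and never listed is the case rule 510 is meant to catch, whereas a port that flips between refused and free is a connection that was simply live when rootcheck probed it.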