Date:      Tue, 23 Sep 2014 10:33:54 -0700
From:      Brandon Vincent <Brandon.Vincent@asu.edu>
To:        List Monkey <listmonkey1@gmail.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ossec hit: Hidden process (rootkit)
Message-ID:  <CAJm423_CG0QLpR9Z=U3Sw6nhwQ8rewL8Sqad-XdxLSCmKAC8KA@mail.gmail.com>
In-Reply-To: <542142BC.2000409@gmail.com>
References:  <541FE781.2080505@gmail.com> <CAJm4238JxvYicm6qy8kHVAA57Su-rGokt2Ua7RTC-yxUDYqpXQ@mail.gmail.com> <542142BC.2000409@gmail.com>

On Tue, Sep 23, 2014 at 2:51 AM, List Monkey <listmonkey1@gmail.com> wrote:
> The ossec-rootcheck is not present on my install (has it been deprecated?)
> I am able to use the agent-control to force a complete run. It runs
> without error.

Without more information, I would have to say it is likely a false
positive. A binary is probably not returning the value OSSEC is
expecting with regard to the system calls getsid() and kill() and the
output of ps. This is common with less popular operating systems since
the majority of individuals who use OSSEC run it on GNU/Linux. I know
this has happened with OSSEC + IBM AIX on occasion.

Brandon Vincent
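The check Brandon is describing is the rootcheck "hidden process" heuristic: walk the pid space, ask the kernel about each pid through getsid()/getpgid()/kill(pid, 0), and flag any pid the kernel admits to but ps does not list. The program below is an added illustration written for this thread, not OSSEC's rootcheck code; it reproduces that comparison and adds the second pass that removes the most common false positive, a short-lived process that exited between the syscall scan and the ps run. Assumptions that are mine, not the thread's: the scan ceiling of 99999 (FreeBSD's default kern.pid_max; read the sysctl on a real box), that ps accepts `-axo pid=` (FreeBSD and procps both do), and all function names.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed scan ceiling: FreeBSD's default kern.pid_max is 99999.  A real
 * deployment should read the sysctl (or /proc/sys/kernel/pid_max on Linux). */
#define SCAN_MAX_PID 99999

/* Probe one pid the way the rootcheck heuristic does.  A pid counts as
 * "present" if getsid(), getpgid() or kill(pid, 0) succeeds, or fails with
 * EPERM (the process exists but belongs to someone else); ESRCH means there
 * is no such process. */
int pid_alive_by_syscall(pid_t pid) {
    errno = 0;
    if (getsid(pid) != -1 || errno == EPERM) return 1;
    errno = 0;
    if (getpgid(pid) != -1 || errno == EPERM) return 1;
    errno = 0;
    if (kill(pid, 0) == 0 || errno == EPERM) return 1;
    return 0;
}

/* Walk the pid space and collect every pid the kernel admits to. */
size_t scan_pids(pid_t *out, size_t max) {
    size_t n = 0;
    for (pid_t pid = 1; pid <= SCAN_MAX_PID && n < max; pid++)
        if (pid_alive_by_syscall(pid)) out[n++] = pid;
    return n;
}

/* Parse "ps -axo pid=" style output: one pid per line, leading blanks,
 * possibly a header line.  Returns the number of pids stored. */
size_t parse_ps_pids(const char *text, pid_t *out, size_t max) {
    const char *p = text;
    size_t n = 0;
    while (*p && n < max) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p) {                 /* no number on this line: skip it */
            const char *nl = strchr(p, '\n');
            if (!nl) break;
            p = nl + 1;
            continue;
        }
        out[n++] = (pid_t)v;
        p = end;
    }
    return n;
}

/* Pids seen by the syscall scan but missing from the ps listing. */
size_t find_hidden(const pid_t *scan, size_t ns, const pid_t *ps, size_t np,
                   pid_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < ns && n < max; i++) {
        int listed = 0;
        for (size_t j = 0; j < np; j++)
            if (ps[j] == scan[i]) { listed = 1; break; }
        if (!listed) out[n++] = scan[i];
    }
    return n;
}

/* Second pass that drops the classic false positive: a process that existed
 * during the scan but had exited before ps ran.  Only pids that still answer
 * the syscalls survive as candidates.  Safe to call with out == cand. */
size_t confirm_hidden(const pid_t *cand, size_t nc, pid_t *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < nc && n < max; i++)
        if (pid_alive_by_syscall(cand[i])) out[n++] = cand[i];
    return n;
}

int main(void) {
    static pid_t scan[SCAN_MAX_PID], ps[SCAN_MAX_PID], hidden[SCAN_MAX_PID];
    static char buf[1 << 20];
    size_t ns = scan_pids(scan, SCAN_MAX_PID);

    /* Assumed: a ps that accepts BSD-style "-axo pid=" (FreeBSD, procps). */
    FILE *fp = popen("ps -axo pid=", "r");
    if (!fp) { perror("popen"); return 1; }
    size_t got = fread(buf, 1, sizeof buf - 1, fp);
    buf[got] = '\0';
    pclose(fp);

    size_t np = parse_ps_pids(buf, ps, SCAN_MAX_PID);
    size_t nh = find_hidden(scan, ns, ps, np, hidden, SCAN_MAX_PID);
    nh = confirm_hidden(hidden, nh, hidden, SCAN_MAX_PID);

    printf("syscall scan: %zu pids, ps: %zu pids, unexplained: %zu\n", ns, np, nh);
    for (size_t i = 0; i < nh; i++)
        printf("  pid %ld answers getsid/getpgid/kill but is not in ps output\n",
               (long)hidden[i]);
    return nh ? 2 : 0;
}
```

A pid that survives confirm_hidden() is still only a candidate: before calling it a rootkit, look at it through an independent view of the process table (on FreeBSD, procstat(1) or the kern.proc.pid sysctl) and compare with what ps shows, since a ps build that formats or filters some pids differently from what the scanner expects produces exactly the kind of OS-specific false positive described above.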



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAJm423_CG0QLpR9Z=U3Sw6nhwQ8rewL8Sqad-XdxLSCmKAC8KA>