From owner-freebsd-security@FreeBSD.ORG Mon Sep 22 15:21:42 2014
From: Dimitry Andric
To: List Monkey
Cc: freebsd-security@freebsd.org
Subject: Re: ossec hit: Hidden process (rootkit)
Date: Mon, 22 Sep 2014 16:57:06 +0200
Message-Id: <51C393BF-FEE2-4955-944C-EBD0DBA4C18C@FreeBSD.org>
In-Reply-To: <541FE781.2080505@gmail.com>
References: <541FE781.2080505@gmail.com>

On 22 Sep 2014, at 11:10, List Monkey wrote:
> I'm running FreeBSD as a VM. I recently got a hit from the ossec agent:
>
> OSSEC HIDS Notification.
> 2014 Aug 28 03:01:34
>
> Received From: (host) xxx.xxx.xxx.xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.
>
> It took a couple of days for me to respond to the alert but I could not
> find the process.
> Is there any reason this could be explained because FreeBSD is running
> as a VM?
> Any other thoughts?

Maybe the ossec agent software is overly paranoid, or simply missed a
very short-lived process? It's hard to say without more information.

-Dimitry
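The alert quoted above comes from the rootcheck idea of probing every PID with kill(2), getsid(2) and getpgid(2) and comparing the answers with the process listing: a PID the kernel admits exists but that the listing does not show is a candidate hidden process. The script below is an added example written for this thread, not OSSEC's own code, showing that comparison and the re-check that Dimitry's reply suggests is missing from a single pass: a process that is born between the listing and the probe is flagged once and then vanishes, while a process the kernel hides from the listing is flagged on every pass. Function names, the /proc-or-ps listing, and the constructed scenario in `demo_recheck` (PID 9990 from the alert as a short-lived process, PID 4242 as a persistently hidden one) are assumptions of this example.

```python
"""Added example (not OSSEC's code): the hidden-process check behind the
rootcheck alert, plus a multi-pass re-check that drops short-lived processes.
"""
import os
import subprocess
import time


def probe_pid(pid):
    """Return (kill, getsid, getpgid) booleans: True where that syscall says
    a process with this PID exists. EPERM means it exists but is not ours,
    so it counts as True; ESRCH means there is no such process."""
    results = []
    for call in (lambda p: os.kill(p, 0), os.getsid, os.getpgid):
        try:
            call(pid)
            results.append(True)
        except ProcessLookupError:      # ESRCH
            results.append(False)
        except PermissionError:         # EPERM: exists, owned by someone else
            results.append(True)
    return tuple(results)


def visible_pids():
    """PIDs that user-space tooling lists: /proc where it exists (Linux),
    otherwise the POSIX 'ps -A -o pid=' form, which FreeBSD's ps accepts."""
    if os.path.isdir("/proc"):
        return {int(name) for name in os.listdir("/proc") if name.isdigit()}
    out = subprocess.run(["ps", "-A", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_candidates(pids, visible, probe=probe_pid):
    """PIDs that some syscall reports as existing but the listing lacks."""
    return [pid for pid in pids if pid not in visible and any(probe(pid))]


def confirmed_hidden(pids, rechecks=3, delay=0.1, probe=probe_pid,
                     listing=visible_pids):
    """Run listing+probe several times and keep only PIDs flagged in every
    pass. A process spawned between the listing and the probe is flagged
    once and then disappears; a kernel-hidden one is flagged each pass."""
    suspects = None
    for _ in range(rechecks):
        flagged = set(hidden_candidates(pids, listing(), probe))
        suspects = flagged if suspects is None else suspects & flagged
        if not suspects:
            break
        time.sleep(delay)
    return sorted(suspects)


def demo_recheck(rechecks=3):
    """Constructed scenario (an assumption, not data from the thread):
    PID 9990 answers probes only during the first pass, like a short-lived
    process; PID 4242 answers every probe but is never listed, like a
    process hidden at kernel level."""
    passes = {"n": 0}

    def listing():
        passes["n"] += 1
        return {1}                      # neither suspect is ever listed

    def probe(pid):
        if pid == 4242:
            return (True, True, True)
        if pid == 9990:
            alive = passes["n"] == 1
            return (alive, alive, alive)
        return (False, False, False)

    return confirmed_hidden([1, 9990, 4242], rechecks=rechecks, delay=0,
                            probe=probe, listing=listing)


def reaped_child_pid():
    """Fork a child that exits at once and reap it; its PID is then free,
    a realistic stand-in for a process that has just vanished."""
    pid = os.fork()
    if pid == 0:
        os._exit(0)
    os.waitpid(pid, 0)
    return pid


def self_check():
    """Live sanity run: our own PID is listed, so it must never be reported;
    a reaped child's PID must not answer any probe."""
    own = os.getpid()
    gone = reaped_child_pid()
    return {
        "own_probe": probe_pid(own),
        "own_hidden": confirmed_hidden([own], delay=0),
        "gone_probe": probe_pid(gone),
    }


if __name__ == "__main__":
    print("constructed scenario, one pass:    ", demo_recheck(rechecks=1))
    print("constructed scenario, three passes:", demo_recheck(rechecks=3))
    print("live self-check:", self_check())
```

With a single pass the constructed scenario reports both 9990 and 4242; with three passes only 4242 survives, which is the distinction a single-shot check like the one in the alert cannot make on its own. On a VM the same logic applies unchanged, since the comparison is between the guest kernel's own answers and the guest's own listing.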