Date:      Mon, 22 Sep 2014 11:10:25 +0200
From:      List Monkey <listmonkey1@gmail.com>
To:        freebsd-security@freebsd.org
Subject:   ossec hit: Hidden process (rootkit)
Message-ID:  <541FE781.2080505@gmail.com>

I'm running FreeBSD as a VM. I recently got a hit from the OSSEC agent:

OSSEC HIDS Notification.
2014 Aug 28 03:01:34

Received From: (host) xxx.xxx.xxx.xxx->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.

It took a couple of days for me to respond to the alert, but I could not
find the process.
Is there any reason this could be explained by FreeBSD running
as a VM?
Any other thoughts?

__
Arne
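For readers who want to see what rule 510's rootcheck message is actually testing, the following is an added example that reimplements the idea of the hidden-process check; it is not OSSEC's own code and the wording of the printed line merely mirrors the alert above. The check asks three independent kernel interfaces, kill(pid, 0), getsid(pid) and getpgid(pid), whether a PID exists, and flags any PID on which they disagree, since a rootkit that hooks one of those paths to hide itself usually forgets the others. The numbers in the alert ("kill (1), getsid (0)") are those per-interface answers. Nothing here involves the hypervisor: all three calls are answered by the guest kernel. The scan range of 1 to 99999 assumes FreeBSD's default PID_MAX; adjust it for other systems.

```c
/* rootcheck-style hidden-process scan (added example, not OSSEC's code).
 * Build: cc -O2 -Wall -o pidscan pidscan.c && ./pidscan
 */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* One PID's visibility according to three independent kernel interfaces. */
typedef struct {
    int seen_by_kill;    /* kill(pid, 0) succeeded, or failed only with EPERM */
    int seen_by_getsid;  /* getsid(pid) returned a session id (or EPERM) */
    int seen_by_getpgid; /* getpgid(pid) returned a group id (or EPERM) */
} pid_view;

/* EPERM means the process exists but we may not act on it; ESRCH means
 * the kernel claims there is no such process. Must be called right after
 * the syscall so errno is still the syscall's. */
static int exists_or_eperm(int failed) {
    return !failed || errno == EPERM;
}

pid_view probe_pid(pid_t pid) {
    pid_view v;
    errno = 0; v.seen_by_kill    = exists_or_eperm(kill(pid, 0) == -1);
    errno = 0; v.seen_by_getsid  = exists_or_eperm(getsid(pid) == (pid_t)-1);
    errno = 0; v.seen_by_getpgid = exists_or_eperm(getpgid(pid) == (pid_t)-1);
    return v;
}

/* The rule: all three interfaces must agree. A PID that one interface
 * reports and another denies is "hidden" from one of them. */
int is_inconsistent(pid_view v) {
    return !(v.seen_by_kill == v.seen_by_getsid &&
             v.seen_by_kill == v.seen_by_getpgid);
}

/* Scan [lo, hi]. A process that starts or exits between two of the three
 * probes produces a transient disagreement, so a hit is re-probed before
 * it is counted. Returns the number of PIDs still inconsistent after the
 * re-probe and prints each one in the alert's wording. */
int scan_range(pid_t lo, pid_t hi) {
    int hits = 0;
    for (pid_t pid = lo; pid <= hi; pid++) {
        pid_view v = probe_pid(pid);
        if (!is_inconsistent(v)) continue;
        v = probe_pid(pid);               /* settle the race before flagging */
        if (!is_inconsistent(v)) continue;
        printf("Process '%d' hidden from kill (%d), getsid (%d) or getpgid (%d). "
               "Possible kernel-level rootkit.\n",
               (int)pid, v.seen_by_kill, v.seen_by_getsid, v.seen_by_getpgid);
        hits++;
    }
    return hits;
}

int main(void) {
    /* Assumption: FreeBSD's default PID_MAX of 99999. Linux defaults to
     * 32768 but may be configured much higher; check kernel.pid_max. */
    int hits = scan_range(1, 99999);
    printf("%d inconsistent PID(s)\n", hits);
    return hits ? 1 : 0;
}
```

Two practical notes on reading a hit from a scanner of this kind. First, the single re-probe above is the caveat: a one-shot comparison can be tripped by a process that exits between the kill() and getsid() calls, and the default FreeBSD crontab starts periodic daily at 03:01, so short-lived processes are expected right around the timestamp of the alert quoted above. Second, a genuine kernel-level hide will reproduce on every scan, so the useful follow-up is to run the scan repeatedly (and compare the PID against ps and procstat output) rather than to look for the PID days later, by which time a transient process is long gone.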



