Thanks for the additional data. The alert isnt wrong, theres a bizarre process on these systems that opens a highport and doesnt report what process it is. For example:

tcp 0.0.0.0:22 0.0.0.0:* 29733/sshd
tcp 0.0.0.0:10050 0.0.0.0:* -

We ignore highports for known processes that do this (like ftp for example) lsof isnt catching the process on the systems I was given root to either, so its a race with fuser to try and find what it is. Its moot anyway, because whatever it is its only for a second and its not a named listener. I'm thinking it might be named, NFS or an RPC process, because FTP daemons always name their listeners. Are any of you using NFS, RPC or LDAP processes?

An update for an unnamed process is on the way in the next release. For now, blame the knuckleheads that wrote their code like this. Its baffling why they wouldnt expose the process thats holding the socket open.

A testing build is available for this issue, if you want to try it run these commands as root:

yum --enablerepo=asl-3.0-testing upgrade asl asl-web asl-waf-module

asl -s -f

Ok nice work will try it

And if you see it happen repeatedly, it means there is another mysterious process running on a high port that we need to ignore. Basically what we need, ideally, is a netstat -lntp with the socket listening.

But, thats not always feasible with these "on for a second" listeners.

I threw a super hack of a script together in a hurry to catch it, but I'll have to find it again. If I had more time I'd make it smarter, but it was all I needed at the time.

This update has fixed the issue for me

Great work again

Sneaky little processes too. If you see any other examples, let us know. We're also on the look out for other apps that do this and will keep updating accordingly. That part of ASL is going to become part of the rule updates, which will make it simpler to update rules like this. Right now they are part of the asl rpms, and we dont want folks to have to upgrade for minor changes like this.

Nope - nothing like that in use here - unless it is active from a default Plesk 10.4 install?

Mine is still alerting, but just installed 27-1 and will leave it overnight to see if anything happens.

Spoke to soon... just after I updated, two appeared.



The 3xxx port is my altered SSH port (am I being too paranoid blanking it out here?! ha!) it is in the 3000's and is the only non-standard port on the list really?

Not quite sure about 106 though?

You should get an alert when you update, the ports will have changed (because certain ports are ignored now).



Thats a cached alert from your previous build, that line is different in .27.

Thanks, will keep an eye on it in the morning then.

Make sure you restart OSSEC just in case it has not loaded the new config:

/etc/init.d/ossec-hids restart

We're going to add in reporting the application name in the next release. We thought about including the pid, but havent sorted out how we want to do that yet - its gonna change and that might not be important and we dont want to alert on that.

Restarted and just checked again... still happening - four of them in quick succession:



After double checking I was running the correct version:


I've checked and no new updates are available!


Am I missing something obvious here?

Maybe not obvious, but yum isnt as clever as you might hope, your cache probably needs to be cleaned. Just run this command:

yum clean all

yum probably doesnt think the update isnt an update (it probably thinks it already has it, when it doesnt).

So we wrote a new tool to do this, it will be going out in 3.0.28. You'll see the process name now, which will help alot to figure out what may be there.

Incase this helps

cPanel Box.



Although these aren't showing up that often, maybe only after updates or something. But I'll keep looking.