Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Kernel-level rootkit or trojaned version of netstat.
Posted: Sun Feb 28, 2010 4:17 pm

I received this warning in the Security Events. How and what should I do to check if this is so?

Code:
Port `53239`(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.

_________________
Linux CentOS 5.5 (Final)
Kernel Version 2.6.32.21-3.art.i686.PAE
ASL Version 2.2.11
Plesk 10.0.1


 Post subject: Re: Kernel-level rootkit or trojaned version of netstat.
Posted: Thu Mar 18, 2010 9:13 pm

I have since found the answer to my question --> http://www.mail-archive.com/ossec-list@googlegroups.com/msg02073.html

Now I have been trying to reproduce the error but I'm having no luck. I have run the netstat command a few times but have never tried to replace the file. Could a user of an SSH account be up to no good? That would not be hard to track down since there is only 1 user account open at this time.

Just like the link above said "Happy digging :)" (LOL) where?

 Post subject: Re: Kernel-level rootkit or trojaned version of netstat.
Posted: Fri Mar 19, 2010 7:15 am

At this stage I expect it is more likely to be a false positive than anything else.

Have you run rkhunter and chkrootkit to see if they can find anything? (warning: you may see false positives from them too, especially with the signatures of certain binaries including netstat).

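One way to triage the alert discussed in this thread, as an added example that is not part of any post and is not OSSEC or ASL code: compare the kernel's socket table (`/proc/net/tcp`) with `netstat -an` output for the reported port. The function names, the sample inputs and the 32768-61000 ephemeral range are assumptions; read the real range from `/proc/sys/net/ipv4/ip_local_port_range` on the host.

```python
# Added example: triage for a "Port N(tcp) hidden" alert.
# Sample inputs below are constructed, not captured from a real host.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:CFF7 0100007F:0019 01 00000000:00000000 00:00000000 00000000   500        0 1002 1
"""
NETSTAT_AN = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
"""

def proc_tcp_ports(proc_text):
    """Local TCP ports in /proc/net/tcp-style text (address and port are hex)."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def netstat_tcp_ports(netstat_text):
    """Local TCP ports in `netstat -an` output (tcp and tcp6 rows)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("tcp"):
            port = fields[3].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def triage(port, proc_text, netstat_text, ephemeral=(32768, 61000)):
    """Classify the alerted port from the two views taken at re-check time."""
    if port in netstat_tcp_ports(netstat_text):
        return "visible"            # netstat reports it now, nothing is hidden
    if port in proc_tcp_ports(proc_text):
        return "netstat-mismatch"   # kernel lists it, netstat omits it: verify the binary
    if ephemeral[0] <= port <= ephemeral[1]:
        return "gone-ephemeral"     # consistent with a short-lived client connection
    return "gone"                   # closed, and not in the assumed ephemeral range

if __name__ == "__main__":
    print(triage(53239, PROC_NET_TCP, NETSTAT_AN))
```

A kernel-level rootkit can filter `/proc` as well, so agreement between the two views does not clear the host; it only separates a netstat binary that omits a socket from a port that has simply closed.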
 