rootkit or trojaned version netstat alerts


Clayton Dillard

Jul 25, 2007, 10:30:20 PM
to ossec...@googlegroups.com
I've received several alerts from one host where ossec is telling me that due to several ephemeral, hidden TCP ports being open/listening that the box might be rooted or have a trojaned netstat.  I've run chkrootkit and the system passes.  It's true that netstat does not see these ports in use.  How can I verify this and how accurate is the ossec alert/check?

Here's an example alert from OSSEC:

OSSEC HIDS Notification.
2007 Jul 25 12:03:50

Received From: (BOXEN01) 1.2.3.4->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Port '33477'(tcp) hidden. Kernel-level rootkit or trojaned version of netstat.



 --END OF NOTIFICATION


Thanks,
--
Clayton Dillard <cdil...@rpstechnology.com>
RPS Technology, LLC

Dave Lowe

Jul 25, 2007, 11:00:51 PM
to ossec...@googlegroups.com
Hi Clayton

Is the server actually listening on TCP 33477?
Check your firewall logs for connections to that server:port.
Run a portscan against that server from another host on the same subnet.
i.e. # nmap -sT -p 33477 1.2.3.4

IF your server is compromised with a rootkit and is listening on TCP 33477 or any other hidden ports for that matter, do not continue with my following suggestions :)  If your server is compromised, you should take an image of it before continuing and perform these checks on the image.

On the server, you can check the inode of the netstat binary.
1. Locate the directory that the netstat binary is in:
# which netstat
/bin/netstat

2. Check the inodes for files in /bin
# ls -asli /bin | sort
example:
2146377  104 -rwxr-xr-x  1 root root   99456 2006-10-16 22:30 netstat
..............
2146427    8 -rwxr-xr-x  1 root root    4137 2007-01-17 01:19 zgrep
2146428    4 -rwxr-xr-x  1 root root    1456 2007-01-17 01:19 zless
2146429    4 -rwxr-xr-x  1 root root    2397 2007-01-17 01:19 zmore
2146430    8 -rwxr-xr-x  1 root root    4922 2007-01-17 01:19 znew

The inode for netstat should be within the same basic range as the other binaries in /bin.
If netstat has been replaced as part of a rootkit, its inode will more than likely be in a completely different range from the other binaries.
i.e.
98772     104 -rwxr-xr-x  1 root root   99456 2006-10-16 22:30 netstat
..............
2146427    8 -rwxr-xr-x  1 root root    4137 2007-01-17 01:19 zgrep
2146428    4 -rwxr-xr-x  1 root root    1456 2007-01-17 01:19 zless
2146429    4 -rwxr-xr-x  1 root root    2397 2007-01-17 01:19 zmore
2146430    8 -rwxr-xr-x  1 root root    4922 2007-01-17 01:19 znew

You can also run a trusted netstat from a Helix CD-ROM and see if the server really is listening on tcp 33477.
Helix: http://www.e-fense.com/helix/

There's so many things you can do.
# strings /bin/netstat | grep 33477   would also be handy


Happy digging :)

SaintN

Ken A

Jul 26, 2007, 10:41:45 AM
to ossec...@googlegroups.com

If you have a busy server that runs a daemon that opens and closes high
ports quickly, ossec can generate false positives on this rule. I see it
fairly often with ftp & smtp.
Ken


--
Ken Anderson
Pacific.Net

Daniel Cid

Jul 26, 2007, 8:26:43 PM
to ossec...@googlegroups.com
That might also be the problem (bug in the Linux kernel):

from: http://www.ossec.net/dcid/?p=87

"
If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I
may have figured out one of the possible causes today (and no, it is
not a rootkit). To keep the story short: if you bind any TCP port, but
do not listen on it, netstat will not show it at all (the same does
not happen with UDP ports).

Here is the idea. If you get this simple C program, it will attempt to
bind every TCP port from 1025 to 1050, but it will not listen on them.
After it is done, if you do a netstat (or fuser or lsof) nothing will
be shown. However, if you try to use the port, you will get an error
saying that it is already in use.
"

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
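
The check Dave outlines (probe whether the port is really taken, then see whether a listing shows it) and the bind-without-listen case Daniel describes can both be reproduced in a few lines. The following is an added example, not OSSEC's code and not a program from anyone in this thread; it models the rootcheck logic as the thread describes it (a bind() probe compared against what netstat reports), reads the /proc/net/tcp table that netstat itself parses rather than trusting the netstat binary, and uses a constructed /proc/net/tcp snapshot plus a live loopback socket. The function and constant names are my own; the assumption is a POSIX host where binding on 127.0.0.1 is permitted.

```python
"""Added example: rootcheck-style hidden-port detection and the
bind()-without-listen() case. Not OSSEC code; names and sample data are
constructed for illustration."""
import errno
import os
import socket

# Constructed /proc/net/tcp-style snapshot (the kernel table netstat reads).
# Local ports are hex: 0016 = 22, 0277 = 631, 82C5 = 33477.
# State 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:82C5 0100007F:0019 01 00000000:00000000 00:00000000 00000000     0        0 9003 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"


def parse_proc_net_tcp(text, states=None):
    """Return the set of local ports in /proc/net/tcp-format text.

    states=None returns every socket the kernel lists (like netstat -an);
    states={TCP_LISTEN} restricts to listening sockets (like netstat -l).
    """
    ports = set()
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if states is not None and state not in states:
            continue
        ports.add(int(local_addr.rsplit(":", 1)[1], 16))
    return ports


def port_in_use(port, host="127.0.0.1"):
    """Rootcheck-style probe: bind() failing with EADDRINUSE means some
    socket owns the port, whether or not any listing tool shows it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        s.close()


def hidden_ports(in_use, visible):
    """Ports the bind() probe reports taken but the listing does not show.
    This difference is what the rootcheck alert is built on."""
    return sorted(set(in_use) - set(visible))


def bound_but_not_listening():
    """Hold a TCP socket that is bound but never listen()ed, then run the
    probe against it. Returns (port, probe_says_in_use, listed_in_proc).
    listed_in_proc is None where /proc/net/tcp does not exist (non-Linux)."""
    held = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        held.bind(("127.0.0.1", 0))  # kernel picks a free ephemeral port
        port = held.getsockname()[1]
        taken = port_in_use(port)
        listed = None
        if os.path.exists("/proc/net/tcp"):
            with open("/proc/net/tcp") as f:
                listed = port in parse_proc_net_tcp(f.read())
        return port, taken, listed
    finally:
        held.close()


if __name__ == "__main__":
    listen_only = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP, {TCP_LISTEN})
    everything = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    probe_said_taken = {22, 631, 33477}  # what a bind() sweep would report
    print("LISTEN ports in sample:", sorted(listen_only))
    print("hidden vs LISTEN-only listing:", hidden_ports(probe_said_taken, listen_only))
    print("hidden vs full listing:", hidden_ports(probe_said_taken, everything))
    port, taken, listed = bound_but_not_listening()
    print(f"bound-but-not-listening port {port}: in use={taken}, in /proc/net/tcp={listed}")
```

Two things fall out of running it. The socket held by bound_but_not_listening() fails the probe with EADDRINUSE but is absent from /proc/net/tcp on Linux, so any listing built from that table (netstat included) misses it and the difference is flagged as hidden, which is the non-rootkit cause Daniel points at. The sample also shows that an established connection's local port (33477 here) is flagged when the listing is restricted to LISTEN sockets but not when all sockets are compared, and since the listing and the probe are taken at different instants, a daemon that opens and closes high ports between the two produces the same kind of false positive Ken reports.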

Thorne Lawler

Jul 26, 2007, 8:54:51 PM
to ossec...@googlegroups.com
Daniel,

Does this mean that the rootkit checker is going to be updated to cope
with this?

I know it's a nuisance, but this is an issue which has cost me many
night's sleep: nothing feeds a good old fashioned case of raving paranoia
like the occasional unreproducible report of a rootkit on your machine!

--
Thorne Lawler

Technical Consultant
ICT Outsourcing Services | Infrastructure Services | Unix Storage and
Delivery
KAZ Group Pty Ltd
360 Elizabeth Street | Melbourne Victoria 3000
(03) 9631 1747 | 0408 491 552 | Fax: (03) 9654 7334
thorne...@kaz-group.com | www.kaz-group.com
--------------------------------------------------------------------------------
This communication may contain confidential information and/or copyright material of KAZ Group Pty Ltd ABN 25 002 124 405 and its related bodies corporate. It may also be the subject of legal professional privilege. If you are not an intended recipient, you must not keep, forward, copy, use, save or rely on this communication and any such action is unauthorised and prohibited. If you have received this communication in error, please reply to this e-mail to notify the sender of its incorrect delivery, and then delete both it and your reply.