First let me express how impressed I am with OSSEC! This is a great
tool!
I just installed OSSEC and have a server and 1 agent (so far).
However the agent fired off the following notifications quickly after
being installed. This is an Ubuntu Edgy server install with ssh and
vsftp. I'm not experienced enough with either Linux or Ubuntu to know
if these are standard files or not.
Thanks for your help!
LNick
----
OSSEC HIDS Notification.
2007 Mar 20 16:53:39
Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/sys/module/sbs/parameters/update_mode' is owned by root and has
written permissions to anyone.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 20 16:53:40
Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/sys/module/sbs/parameters/capacity_mode' is owned by root and
has written permissions to anyone.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 20 16:53:27
Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/bus/usb/.usbfs/001/001' present on /dev. Possible hidden
file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 20 16:53:28
Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
File '/dev/bus/usb/.usbfs/devices' present on /dev. Possible hidden
file.
--END OF NOTIFICATION
OSSEC HIDS Notification.
2007 Mar 20 16:53:28
Received From: (MB_FTP) 10.1.1.9->rootcheck
Rule: 14 fired (level 8) -> "Rootkit detection engine message"
Portion of the log(s):
Anomaly detected in file '/dev/bus/usb/.usbfs/devices'. File size
doesn't match what we found. Possible kernel level rootkit.
--END OF NOTIFICATION
Oh I forgot to mention that I also installed chkrootkit and rkhunter
on this system. Chkrootkit did not find anything. rkhunter found
some hidden directories, which investigation on various forums seems to
indicate is normal for Ubuntu. The directories are:
/etc/.pwd.lock
/dev/.static
/dev/.udev
/dev/.initramfs
/dev/.initramfs-tools
Thank you!
As to that, I can say that those alerts aren't a sign you've been hacked.
I get those same type of messages from rkhunter on my Debian boxes.
Ubuntu being an offshoot of Debian, I would think that's probably par
for the course and nothing to worry about.
--
It was like that when I got here.
Mark Haney
Sr. Systems Administrator
ERC Broadband
(828) 350-2415
Great! I'm glad to have someone knowledgeable confirm that.
Can anyone comment about the OSSEC messages? I didn't get anything
like that on my OSSEC server (same OS, no FTP), so I'm thinking I
should rebuild it.
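The notifications above name three rootcheck heuristics: a root-owned file that anyone may write, a dot-named entry under /dev, and a file whose stat size disagrees with the bytes that can actually be read. The added example below (editor's code, not OSSEC's rootcheck source and not anything posted in the thread) re-implements those three checks as an approximation and, for each flagged path, reports which filesystem the path lives on. The /proc/mounts table, the owner/mode values and the helper names are constructed for illustration and are assumptions, not data from the poster's machine.

```python
"""
Re-run the three rootcheck heuristics behind the alerts in this thread
against a path and say which filesystem holds it. Offline: the mount
table and the modes are constructed samples, not a real box's values.
"""
import os
import stat

# Constructed sample of a /proc/mounts table (assumed layout; not copied
# from the poster's system).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
udev /dev tmpfs rw 0 0
usbfs /dev/bus/usb usbfs rw 0 0
"""

# Kernel-backed pseudo filesystems: the kernel or udev creates entries here,
# so dot-names, odd modes and sizes that do not match content are normal.
PSEUDO_FS = {"proc", "sysfs", "usbfs", "tmpfs", "devpts", "debugfs"}


def parse_mounts(text):
    """Parse /proc/mounts-style lines into (mountpoint, fstype), longest
    mountpoint first so a nested mount (/dev/bus/usb) wins over /dev."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts.append((parts[1], parts[2]))
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)


def fs_type_for(path, mounts):
    """Filesystem type of the mount that holds `path`."""
    for mountpoint, fstype in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            return fstype
    return "unknown"


def world_writable_root_file(uid, mode):
    """Heuristic 1: a root-owned regular file with the other-write bit set."""
    return uid == 0 and stat.S_ISREG(mode) and bool(mode & stat.S_IWOTH)


def hidden_under_dev(path):
    """Heuristic 2: any dot-named component below /dev."""
    if not path.startswith("/dev/"):
        return False
    parts = [p for p in path[len("/dev/"):].split("/") if p]
    return any(p.startswith(".") for p in parts)


def size_mismatch(path):
    """Heuristic 3: bytes actually readable differ from st_size.
    On-disk files match; procfs/sysfs files often report 0 or a page."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    read_bytes = 0
    try:
        with open(path, "rb") as fh:
            while True:
                chunk = fh.read(65536)
                if not chunk:
                    break
                read_bytes += len(chunk)
    except OSError:
        return False
    return read_bytes != st.st_size


def triage(path, mounts, uid=None, mode=None):
    """Classify one flagged path: which heuristics fire, and whether it sits
    on a kernel pseudo filesystem. uid/mode may be passed in for paths that
    do not exist on the machine running this script."""
    if uid is None or mode is None:
        st = os.lstat(path)
        uid, mode = st.st_uid, st.st_mode
    fstype = fs_type_for(path, mounts)
    findings = []
    if world_writable_root_file(uid, mode):
        findings.append("world-writable root-owned file")
    if hidden_under_dev(path):
        findings.append("hidden entry under /dev")
    if os.path.exists(path) and size_mismatch(path):
        findings.append("size mismatch")
    return {"path": path, "fstype": fstype,
            "pseudo_fs": fstype in PSEUDO_FS, "findings": findings}


if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    # Owner/mode values below are assumed for illustration; on a real box
    # take them from `stat` on the flagged path.
    flagged = [
        ("/sys/module/sbs/parameters/update_mode", 0, stat.S_IFREG | 0o666),
        ("/dev/bus/usb/.usbfs/devices", 0, stat.S_IFREG | 0o444),
        ("/etc/.pwd.lock", 0, stat.S_IFREG | 0o600),
    ]
    for path, uid, mode in flagged:
        r = triage(path, mounts, uid, mode)
        verdict = "expected on %s" % r["fstype"] if r["pseudo_fs"] else "inspect: real disk"
        print("%-42s %-30s %s" % (path, ", ".join(r["findings"]) or "-", verdict))
```

The useful output is the filesystem column: a hit whose path resolves to sysfs, usbfs or the udev tmpfs was created by the kernel or udev, so the heuristics fire on it by construction; a hit that lands on the real root filesystem is the one to stat by hand and compare against the package's file list.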