Wazuh Possible Kernel Level Rootkit


Johnathan Amos

Apr 21, 2023, 9:16:54 AM4/21/23
to Wazuh mailing list
Hi Everyone,

We are getting the below message on one of our servers. I am stumped on how I am supposed to get logs for this hidden process and be able to track it down. I ran multiple different ps commands and I am stumped. This is on a CentOS7 box. Anything would help.

Thank you!

Rule: 521 fired (level 11) -> "Possible kernel level rootkit"
Portion of the log(s):

Process '29096' hidden from /proc. Possible kernel level rootkit.
title: Process '29096' hidden from /proc.


Fabricio Brunetti

Apr 21, 2023, 12:09:14 PM4/21/23
to Wazuh mailing list
Hi Johnathan,

If you want to know why and how Wazuh is generating that alert you can read this documentation: https://documentation.wazuh.com/current/proof-of-concept-guide/poc-detect-hidden-process.html and https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/index.html.
To find the process you can use this command:

lsmod | grep 29096

Let me know if this was helpful to you.

Regards,
Fabricio
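For anyone who wants to see the test behind rule 521 rather than just the alert text: rootcheck asks the kernel whether a PID exists through plain system calls (kill(pid, 0), getsid(), getpgid()) and compares the answer with whether /proc/<pid> is there. A PID the kernel admits to but /proc does not show is what it reports as "hidden from /proc". The script below is an added example written for this thread, not Wazuh's own code; it reimplements that comparison so you can run it by hand on the box that alerted and see whether the PID is still hidden, has simply exited, or is visible after all. It assumes Linux with /proc mounted; the function names, the IMPOSSIBLE_PID constant and the re-check delay are my own choices.

```python
#!/usr/bin/env python3
"""Hand-run version of the hidden-process comparison behind Wazuh rule 521.

Added example for this thread, not Wazuh's code. Linux only (needs /proc).
For each PID, three syscalls ask the kernel whether the process exists; the
answer is compared with stat() on /proc/<pid>. Kernel says yes, /proc says
no  ->  'hidden'. Kernel says no  ->  'not running'.
"""
import errno
import os
import time

# Linux PIDs are always below pid_max, whose hard ceiling (PID_MAX_LIMIT) is
# 4194304, so this value can never name a real process. Used only to
# sanity-check the 'not running' branch; chosen by me, not a Wazuh constant.
IMPOSSIBLE_PID = 4194305


def _syscall_reports_alive(fn, pid):
    """True if the syscall says the PID exists. EPERM counts as 'exists but
    not yours'; only ESRCH means there is no such process."""
    try:
        fn(pid)
        return True
    except PermissionError:
        return True
    except ProcessLookupError:
        return False
    except OSError as exc:
        return exc.errno == errno.EPERM


def kernel_sees_pid(pid):
    """Three independent probes: a rootkit that hooks only kill() is still
    caught by getsid()/getpgid()."""
    return any(_syscall_reports_alive(fn, pid)
               for fn in (lambda p: os.kill(p, 0), os.getsid, os.getpgid))


def proc_has_pid(pid):
    """stat() /proc/<pid> instead of listing /proc: thread IDs that are not
    thread-group leaders answer kill(tid, 0) and are reachable by name but
    are omitted from readdir(), so a directory listing would flag every
    multithreaded program as hiding processes."""
    return os.path.isdir("/proc/%d" % pid)


def classify_pid(pid, recheck_delay=0.05):
    """Return 'visible', 'hidden' or 'not running' for one PID."""
    if not kernel_sees_pid(pid):
        return "not running"
    if proc_has_pid(pid):
        return "visible"
    # The process may have exited between the syscall and the /proc check;
    # a short pause and a second look avoids reporting a just-exited PID.
    time.sleep(recheck_delay)
    if not kernel_sees_pid(pid):
        return "not running"
    return "hidden" if not proc_has_pid(pid) else "visible"


def find_hidden_pids(lo=1, hi=None):
    """Scan a PID range (default: 1..pid_max) and return the hidden ones.
    PID 0 is skipped because kill(0, 0) addresses the caller's process group."""
    if hi is None:
        with open("/proc/sys/kernel/pid_max") as f:
            hi = int(f.read())
    return [pid for pid in range(max(lo, 1), hi + 1)
            if classify_pid(pid) == "hidden"]


def self_check():
    """Sanity results: the checker must see itself as visible, the impossible
    PID must be 'not running', and a scan must not flag the checker."""
    if not os.path.isdir("/proc/self"):
        raise RuntimeError("/proc is not mounted; the comparison is meaningless")
    me = os.getpid()
    return {"self": classify_pid(me),
            "impossible": classify_pid(IMPOSSIBLE_PID),
            "scan_flags_self": me in find_hidden_pids(me, me)}


if __name__ == "__main__":
    import sys
    print("self-check:", self_check())
    if len(sys.argv) > 1:
        # e.g. ./hiddenpid.py 29096  -> classify the PID from the alert
        for arg in sys.argv[1:]:
            print(arg, classify_pid(int(arg)))
    else:
        print("hidden PIDs:", find_hidden_pids())
```

Run it as root on the alerting host with the PID from the alert as the argument: "not running" means the process has since exited (the alert may have been a short-lived process or a race, which is why the script re-checks after a pause); "hidden" means the kernel still answers for that PID while /proc does not list it, which is the condition that fires rule 521. A full scan to pid_max takes well under a minute on a CentOS 7 default (pid_max 32768) and somewhat longer on systems with a larger pid_max.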

Johnathan Amos

Apr 21, 2023, 12:22:47 PM4/21/23
to Wazuh mailing list
Good Afternoon,

Thank you for your response. In regards to this, I am more looking for how to track down this "hidden process" so I can figure out what it was and/or if it was a false alarm. The command you gave returns nothing. Is there any other way to get the logs of this process or anything so I can identify it?

Thank you!


Khul Sat

Aug 17, 2023, 2:16:08 AM8/17/23
to Wazuh mailing list
+1
If anyone knows remediation.