RE: Anomaly detected rootkit


Adiel Navarro

May 23, 2016, 5:30:51 PM
to Santiago Bassett, Aj Navarro, Wazuh mailing list

Do you see the file if you do "ls -la /etc/vx/"?

NO

What is the output of "stat /etc/vx/.reclaim.lock"? 

[root@ixtrtc42scf ~]# stat /etc/vx/.reclaim.lock

stat: cannot stat `/etc/vx/.reclaim.lock': No such file or directory

From: wa...@googlegroups.com [mailto:wa...@googlegroups.com] On behalf of Santiago Bassett
Sent: Monday, May 23, 2016 03:44 PM
To: Aj Navarro
CC: Wazuh mailing list
Subject: Re: Anomaly detected rootkit

Hi,

readdir and stat are two different system calls. OSSEC uses both to open your monitored files. In this case, what happens is that "stat" is not able to find the file, which is suspicious, as it could be found by "readdir".

Do you see the file if you do "ls -la /etc/vx/"?

What is the output of "stat /etc/vx/.reclaim.lock"?

There are high chances that this is just a false positive. Shared file systems (possibly used by Veritas Backup in this case) use locking services to manage file access and to avoid conflicts during sessions. Is that file actually part of a shared file system? Maybe that is why it can't be read sometimes.

I hope it helps,

Santiago.

On Mon, May 23, 2016 at 12:54 PM, Aj Navarro <ajnava...@gmail.com> wrote:

Anomaly detected in file '/etc/vx/.reclaim.lock'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

What do I need to check?

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/25aaa3b5-8e6d-49cb-9b01-6a1074e8a7e7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Santiago Bassett

May 23, 2016, 5:45:49 PM
to Adiel Navarro, Aj Navarro, Wazuh mailing list
As mentioned, don't worry about it. Most likely a false positive caused by a temporary file.
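Added example, not code from OSSEC/Wazuh or from anyone in this thread: the readdir-versus-stat comparison Santiago describes, with a retry so that a lock or temporary file that vanishes between the two calls (his false-positive case) is reported as transient rather than as hidden. The `.reclaim.lock` test file, the temp directory and the injectable `lstat` stub are constructed for this example and are assumptions, not part of the original alert.

```python
"""Added example, not OSSEC/Wazuh code: the readdir-vs-stat comparison behind
the "Hidden from stats, but showing up on readdir" alert, with a retry so a
short-lived lock/temp file is reported as transient rather than hidden."""
import os
import tempfile
import time

def check_dir(path, lstat=os.lstat, retries=3, delay=0.05):
    """Return (anomalies, transient): names readdir (os.listdir) lists but
    lstat still cannot find after `retries` tries while readdir still lists
    them, vs. names that failed once then succeeded or vanished from readdir
    too (created/removed mid-scan). `lstat` is injectable only for testing."""
    anomalies, transient = [], []
    for name in os.listdir(path):                       # readdir view
        full = os.path.join(path, name)
        for attempt in range(retries + 1):
            try:
                lstat(full)                             # stat view
                if attempt:
                    transient.append(name)
                break
            except FileNotFoundError:
                if attempt < retries:
                    time.sleep(delay)
                    continue
                # still ENOENT after retries: re-read the directory first
                (anomalies if name in os.listdir(path) else transient).append(name)
            except PermissionError:
                break                                   # EACCES is not hiding
    return anomalies, transient

def _enoent(p):
    raise FileNotFoundError(p)

def demo_hidden():
    """Constructed lstat stub that always answers ENOENT for .reclaim.lock: the alert's pattern."""
    stub = lambda p: _enoent(p) if p.endswith(".reclaim.lock") else os.lstat(p)
    with tempfile.TemporaryDirectory() as d:
        for n in (".reclaim.lock", "other.conf"):
            open(os.path.join(d, n), "w").close()       # constructed files
        return check_dir(d, lstat=stub, delay=0)

def demo_transient():
    """Constructed stub: lstat fails once, then succeeds (lock file re-created); counted as transient."""
    seen = set()
    stub = lambda p: os.lstat(p) if p in seen else (seen.add(p), _enoent(p))
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, ".reclaim.lock"), "w").close()
        return check_dir(d, lstat=stub, delay=0)
```

On a real host, run `check_dir("/etc/vx")` with the default `os.lstat`; only a name that stays in the anomalies list across several runs deserves the rootkit interpretation.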