Possible kernel level rootkit

[Slava G]

Hi,

Somehow I got a bunch of alerts "Process '17831' hidden from /proc. Possible kernel level rootkit." on a single server (different process numbers). 

Trying to understand if this can be a false alarm or maybe there is a real reason.

What should I do to validate that this is a false alarm ?

Please advise ?

Thanks

[Harold Andre Rodriguez Cortes]

Hi Slava G,

If you want to know why and how Wazuh is generating that alert you can read this documentation: https://documentation.wazuh.com/current/proof-of-concept-guide/poc-detect-hidden-process.html and https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/index.html.

To find the process you can use this command:

lsmod | grep  17831

What wazuh version are you using?

Regards,
Andre Cortes

[Slava G]

Thanks Harold,

I'm using wazuh 4.4. 

I executed lsmod | grep  17831 and nothing is returned. 

So, I'm wandering if this false alarm or real case? 

Thanks 

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/66ad64f8-0012-4c42-b1b4-cc1bda8089c3n%40googlegroups.com.

[Harold Andre Rodriguez Cortes]

Can you please try the steps in this configuration 

https://documentation.wazuh.com/current/proof-of-concept-guide/poc-detect-hidden-process.html

[sla...@gmail.com]

you mean configuration or attack simulation ?

The server is production server and I would like to not run any simulations on it.

Btw, tried different tools to find rootkit on that server (including ClamAV) and nothing was found.

Thanks

[Khul Sat]

Are these rootkit triggers real time? Could it be possible that parent process ended the child process and Wazuh determined that the PID is not in the /proc?

Thanks,KS

​