Possible kernel level rootkit


Slava G

Jun 28, 2023, 10:50:50 AM
to Wazuh mailing list
Hi,
Somehow I got a bunch of alerts "Process '17831' hidden from /proc. Possible kernel level rootkit." on a single server (different process numbers). 
Trying to understand if this can be a false alarm or maybe there is a real reason.
What should I do to validate that this is a false alarm?

Please advise?
Thanks

Harold Andre Rodriguez Cortes

Jun 28, 2023, 5:35:33 PM
to Wazuh mailing list
Hi Slava G,

If you want to know why and how Wazuh is generating that alert, you can read this documentation: https://documentation.wazuh.com/current/proof-of-concept-guide/poc-detect-hidden-process.html and https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/index.html.

To find the process you can use this command:

lsmod | grep 17831

What Wazuh version are you using?

Regards,
Andre Cortes

Slava G

Jun 29, 2023, 12:42:28 AM
to Harold Andre Rodriguez Cortes, Wazuh mailing list
Thanks Harold,
I'm using Wazuh 4.4.
I executed lsmod | grep 17831 and nothing was returned.

So, I'm wondering if this is a false alarm or a real case?
Thanks 



Harold Andre Rodriguez Cortes

Jun 29, 2023, 2:06:50 PM
to Wazuh mailing list

sla...@gmail.com

Jun 30, 2023, 8:21:21 AM
to Wazuh mailing list
You mean configuration or attack simulation?
The server is a production server and I would like to not run any simulations on it.
Btw, tried different tools to find rootkit on that server (including ClamAV) and nothing was found.

Thanks

Khul Sat

Dec 5, 2023, 5:57:55 AM
to Wazuh | Mailing List

Are these rootkit triggers real time? Could it be possible that the parent process ended the child process and Wazuh determined that the PID is not in /proc?

Thanks,
KS
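A way to re-check the alert that addresses both questions raised in the thread (how to validate a "hidden from /proc" hit on a production box, and whether a process exiting mid-scan could explain it). This is an added example, not Wazuh's rootcheck code; the kill(pid, 0) probe, the PID-space sweep and the retry count are assumptions, and the constructed cases in the test stand in for a real hider.

```python
"""Re-check a "Process 'N' hidden from /proc" alert without touching the host.

The kernel is asked whether a PID exists (signal 0 is a pure existence probe)
and the answer is compared with the directory listing of /proc. A PID that is
live but missing from /proc is the condition the alert describes. Re-probing
after a short delay removes the race where a process exits between the two
reads, which is the false-positive hypothesis raised in the thread.
"""
import os
import time
from typing import Callable, Iterable, List, Set


def pid_alive(pid: int) -> bool:
    """True if the kernel knows this PID, whoever owns it."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user


def pids_in_proc(proc: str = "/proc") -> Set[int]:
    """PIDs procfs exposes: every purely numeric directory name."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def hidden_pids(candidates: Iterable[int],
                alive: Callable[[int], bool] = pid_alive,
                visible: Callable[[], Set[int]] = pids_in_proc,
                retries: int = 3, delay: float = 0.2) -> List[int]:
    """Candidates that stay alive-but-invisible across every probe."""
    suspects = set(candidates)
    for attempt in range(retries):
        listing = visible()
        # A process that died or appeared between reads drops out here;
        # a kernel-level hider is still alive and still absent next round.
        suspects = {p for p in suspects if alive(p) and p not in listing}
        if not suspects:
            break
        if attempt < retries - 1:
            time.sleep(delay)
    return sorted(suspects)


def scan(**kw) -> List[int]:
    """Sweep the whole PID space, reading pid_max from the kernel (assumed path)."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    return hidden_pids(range(1, pid_max + 1), **kw)


def self_pid() -> int:
    return os.getpid()


def procfs_available() -> bool:
    return os.path.isdir("/proc")


if __name__ == "__main__":
    print("persistently hidden PIDs:", scan())
```

An empty result after several retries points at the exit race the thread suspects; a PID that survives every round is worth investigating on that host.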
