LinuxQuestions.org > Linux - Security > OSSEC warning Suckit rootkit
https://www.linuxquestions.org/questions/linux-security-4/ossec-warning-suckit-rootkit-916782/

jlvoo 12-02-2011 10:39 AM

OSSEC warning Suckit rootkit
 
Hi,

I just bought a VPS provided by Linode yesterday. This VPS is running on CentOS 6.0; I've installed OSSEC on it, and today I got a mail warning:

Trojaned version of file '/proc/1/maps' detected. Signature used: 'init.' (Suckit rootkit).

So I installed rkhunter and did a scan; the summary is

System checks summary
=====================

File properties checks...
Files checked: 138
Suspect files: 136

Rootkit checks...
Rootkits checked : 246
Possible rootkits: 0

Applications checks...
Applications checked: 4
Suspect applications: 2


Is it a false alarm?


I've attached the rkhunter log to this post.

unSpawn 12-02-2011 11:12 AM

If it's rule 510 (part of rootcheck) then it probably is, as false positives wrt OSSEC-HIDS have been posted. Please note 0) both Chkrootkit and the rootkit-checking part of OSSEC-HIDS aren't exactly updated often and 1) more importantly: please ensure you use multiple layers of security and take care of hardening and auditing before exposing a host to the IntarWEB.

jlvoo 12-02-2011 11:54 AM

Thanks for the reply.

Noway2 12-08-2011 08:21 AM

Out of curiosity, did you perchance perform an update shortly before you saw this warning? I've noticed that these warnings most often occur as a result of updates and pieces being left in memory following an update and before a reboot, which clears the left-over pieces.

jlvoo 12-09-2011 03:38 AM

Yes, we did a yum update. It could be that what you said is true, because the next day we did another update and rebooted the system, and since then there have been no more warning mails.

Noway2 12-10-2011 06:23 AM

I did a search on the terms '/proc/1/maps suckit rootkit' and came up with this thread: http://ubuntuforums.org/archive/inde...t-1554553.html It turns out I saw the exact same issue with OSSEC about a year and a half ago. The link also indicates a couple of easy diagnostics you can perform to verify that it is false.
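Added example, not part of the thread and not OSSEC's own code: the alert text ("Signature used: 'init.'") says rootcheck flagged /proc/1/maps because it contained the string "init.", and Noway2's explanation is that a package update left old pieces mapped in memory until reboot. The script below reproduces that kind of check as a plain fixed-string search over a maps listing and then triages each hit by whether the mapped file has been replaced on disk (the "(deleted)" suffix the kernel appends in /proc/<pid>/maps when the backing file was unlinked or overwritten after the process started), which is the state an in-place update of PID 1's binary leaves behind. Assumptions, labelled as such: OSSEC's matcher is modelled as a substring search and may differ in detail; the sample maps content is constructed, and its first two lines are shaped like the mapping left when /sbin/init is rewritten in place under a temporary ".#prelink#." name, which is my assumption about what a host like the OP's showed, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread, not OSSEC code).
# Reproduces the kind of check behind the alert: a fixed-string search for the
# signature "init." in a /proc/<pid>/maps listing, then a triage step that
# separates mappings whose backing file was replaced on disk ("(deleted)",
# as after a package update without a reboot) from live mappings.
#
# Assumptions, not taken from the page:
#  - OSSEC rootcheck is modelled as a plain substring match.
#  - The sample maps content is constructed; the first two lines mimic the
#    mapping left when /sbin/init is rewritten in place under a temporary
#    ".#prelink#." name, the rest are ordinary library mappings.

SIGNATURE='init.'

# write_sample_maps FILE: write the constructed /proc/1/maps-style sample to FILE.
write_sample_maps() {
    cat > "$1" <<'EOF'
00400000-00408000 r-xp 00000000 fd:00 131073  /sbin/init.#prelink#.kRQ6Bw (deleted)
00607000-00608000 rw-p 00007000 fd:00 131073  /sbin/init.#prelink#.kRQ6Bw (deleted)
7f3a8c000000-7f3a8c18a000 r-xp 00000000 fd:00 262151  /lib64/libc-2.12.so
7f3a8c592000-7f3a8c5b2000 r-xp 00000000 fd:00 262148  /lib64/ld-2.12.so
7fff1a3f0000-7fff1a405000 rw-p 00000000 00:00 0  [stack]
EOF
}

# signature_hits FILE SIG: print every line of FILE containing SIG (fixed string, not a regex).
signature_hits() {
    grep -F -- "$2" "$1"
}

# count_hits FILE SIG: number of lines containing SIG; prints 0 and exits 0 when none.
count_hits() {
    grep -F -c -- "$2" "$1" || true
}

# live_hits FILE SIG: number of matching lines whose backing file is still the
# one on disk, i.e. matches that are NOT marked "(deleted)".
live_hits() {
    grep -F -- "$2" "$1" | grep -vcF -- '(deleted)' || true
}

# classify_line LINE: "stale" if the mapping's file was unlinked or replaced
# after the process started, "live" otherwise.
classify_line() {
    case "$1" in
        *"(deleted)"*) echo stale ;;
        *)             echo live ;;
    esac
}

# triage_maps FILE SIG: print "<class>\t<line>" per hit; exit 0 when every hit
# is a stale mapping (consistent with an update awaiting reboot), 1 when a live
# mapping matched and deserves a closer look before the alert is dismissed.
triage_maps() {
    signature_hits "$1" "$2" | while IFS= read -r line; do
        printf '%s\t%s\n' "$(classify_line "$line")" "$line"
    done
    [ "$(live_hits "$1" "$2")" -eq 0 ]
}

# Demo run over the constructed sample (replace $SAMPLE with /proc/1/maps on a real host).
SAMPLE=$(mktemp)
write_sample_maps "$SAMPLE"
echo "Hits for '$SIGNATURE' in $SAMPLE:"
if triage_maps "$SAMPLE" "$SIGNATURE"; then
    echo "All hits are stale mappings: consistent with an update awaiting reboot."
    echo "On the real host, confirm with: ls -l /proc/1/exe ; rpm -Vf /sbin/init ; then reboot and re-check."
else
    echo "A live mapping matched: inspect /proc/1/exe and the matching path before dismissing the alert."
fi
rm -f "$SAMPLE"
```

On the real host run `triage_maps /proc/1/maps init.` as root instead of the sample; the point of the triage is that a hit on a "(deleted)" mapping of PID 1's own binary is what a package update or in-place rewrite leaves behind until reboot, whereas a hit on a live, unexpected path is the case that should not be written off as a false positive.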

jlvoo 12-12-2011 04:08 AM

Thanks Noway2, a very good piece of info.
I did what they suggested, so now I'm sure it is a false alarm.

