ossec hit: Hidden process (rootkit)
List Monkey
listmonkey1 at gmail.com
Mon Sep 22 09:10:30 UTC 2014
I'm running FreeBSD as a VM. I recently got a hit from the OSSEC agent:
OSSEC HIDS Notification.
2014 Aug 28 03:01:34
Received From: (host) xxx.xxx.xxx.xxx->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.
It took a couple of days for me to respond to the alert but I could not
find the process.
Is there any reason this could be explained by FreeBSD running
as a VM?
Any other thoughts?
__
Arne
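As an added illustration (not from the post, and not OSSEC's own code), the script below repeats the three probes the alert names, kill(pid, 0), getsid() and getpgid(), over the PID range and reports any PID the kernel acknowledges but ps does not list. It re-probes before reporting, since a process that exits between the syscall probe and the ps listing looks "hidden" for an instant, a common benign cause of one-off hits. It assumes ps is in PATH and that a PID ceiling of 99999 (FreeBSD's default kern.pid_max) is adequate.

```python
import os
import subprocess


def probe_pid(pid):
    """Ask the kernel three ways whether PID exists.

    Returns (kill_seen, sid_seen, pgid_seen): True where the call succeeded or
    failed with EPERM (process exists, just not ours), False on ESRCH.
    """
    results = []
    for call in (lambda p: os.kill(p, 0), os.getsid, os.getpgid):
        try:
            call(pid)
            results.append(True)
        except ProcessLookupError:   # ESRCH: no such process
            results.append(False)
        except PermissionError:      # EPERM: it exists, we just may not signal it
            results.append(True)
    return tuple(results)


def listed_pids():
    """PIDs that userland can see. ps is used because /proc is not mounted by default on FreeBSD."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(probe=probe_pid, listing=listed_pids, max_pid=99999, rechecks=2):
    """Return [(pid, probe_result)] for PIDs the kernel admits but ps never lists.

    probe/listing are injectable so the logic can be exercised on constructed data.
    """
    hidden = []
    visible = listing()
    for pid in range(1, max_pid + 1):
        seen = probe(pid)
        if not any(seen) or pid in visible:
            continue
        # Candidate: re-probe and re-list to filter the short-lived-process race.
        for _ in range(rechecks):
            visible = listing()
            seen = probe(pid)
            if not any(seen) or pid in visible:
                break
        else:
            hidden.append((pid, seen))
    return hidden


if __name__ == "__main__":
    for pid, seen in hidden_pids():
        print(f"PID {pid} hidden from ps; kill/getsid/getpgid saw it: {seen}")
```

A PID that only kill() acknowledges, as in the alert, still counts as a candidate; the full tuple is returned so the reader can see which probes agreed.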