ossec hit: Hidden process (rootkit)
Dimitry Andric
dim at FreeBSD.org
Mon Sep 22 15:21:42 UTC 2014
On 22 Sep 2014, at 11:10, List Monkey <listmonkey1 at gmail.com> wrote:
> I'm running freebsd as a vm. I recently got a hit from the ossec agent:
>
> OSSEC HIDS Notification.
> 2014 Aug 28 03:01:34
>
> Received From: (host) xxx.xxx.xxx.xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible kernel-level rootkit.
>
> It took a couple of days for me to respond to the alert but I could not
> find the process.
> Is there any reason this could be explained because freebsd is running
> as a vm?
> Any other thoughts?
Maybe the ossec agent software is overly paranoid, or simply missed a
very short-lived process? It's hard to say without more information.
-Dimitry
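As an added illustration of what the rootcheck alert above is testing (not OSSEC's own code; `probe_pid`, `listed_pids` and `find_hidden` are assumed names), this script asks the kernel about every PID through the same three calls, compares the answers with what `ps` lists, and re-checks before reporting so that a short-lived process of the kind Dimitry mentions is not flagged as hidden. It assumes `ps -axo pid=` is available, which holds on FreeBSD and Linux.

```python
import errno
import os
import subprocess
import time

# The three probes the rootcheck message names: kill(pid, 0), getsid, getpgid.
PROBES = {
    "kill": lambda pid: os.kill(pid, 0),
    "getsid": os.getsid,
    "getpgid": os.getpgid,
}


def probe_pid(pid):
    """Names of the probes that say `pid` exists.

    ESRCH means the kernel has no such process; any other error (EPERM,
    typically) means the process exists but belongs to another user.
    """
    seen = set()
    for name, call in PROBES.items():
        try:
            call(pid)
            seen.add(name)
        except OSError as exc:
            if exc.errno != errno.ESRCH:
                seen.add(name)
    return seen


def listed_pids():
    """PIDs the process table shows via ps (BSD-style flags, FreeBSD and Linux)."""
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def find_hidden(listing=listed_pids, probe=probe_pid, max_pid=99999,
                rechecks=3, delay=0.1):
    """Map pid -> probes that saw it, for PIDs the kernel answers for but
    the process table never shows across `rechecks` later listings."""
    hidden = {}
    visible = listing()
    for pid in range(1, max_pid + 1):
        if pid in visible:
            continue
        seen = probe(pid)
        if not seen:
            continue
        confirmed = True
        for _ in range(rechecks):
            time.sleep(delay)
            # A process that has since exited, or that ps now lists, was
            # just racing the listing: not evidence of a rootkit.
            if pid in listing() or not probe(pid):
                confirmed = False
                break
        if confirmed:
            hidden[pid] = seen
    return hidden


if __name__ == "__main__":
    for pid, seen in sorted(find_hidden().items()):
        print(f"Process '{pid}' hidden from ps but seen by {', '.join(sorted(seen))}")
```

A PID that survives the re-checks is worth a closer look (for example with `procstat` or a second listing taken from the hypervisor side), but a single unconfirmed hit is exactly the kind of transient the alert in this thread may have caught.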