Subject: | OSSEC rootkit check on zenping_nmap |
Author: | Gregg Hughes |
Posted: | 2015-04-15 10:22 |
Good morning!
My OSSEC security server tripped an alarm this morning on a Zenoss file. The alarm text is: Anomaly detected in file '/tmp/zenping_nmap_DneZP0'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
This temp file shows up with the final portion of the filename changed. It's written and deleted within a few minutes. I need to check that this is normal and expected behaviour.
Thanks!
Gregg
Subject: | my guess is you had a race |
Author: | Andrew Kirch |
Posted: | 2015-04-15 15:57 |
My guess is you had a race condition occur. This is normal zenping behavior (the creation of the temp file). It's unlikely that the file existed when the stats test was run, it was created, then the readdir test was run.
Andrew Kirch
akirch@gvit.com
Need Zenoss support, consulting or custom development? Look no further. Email or PM me!
Ready for Distributed Topology (collectors) for Zenoss 5 Coming May 1st from GoVanguard
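
The race discussed in this thread can be reproduced and filtered out with a second look. This is an added example, not code from OSSEC, Zenoss or either poster: `scan_dir` (a hypothetical helper) flags names that a directory listing returns but `stat` cannot find, then rechecks so that a short-lived temp file is reported as transient and only an entry that stays listed yet cannot be stat'ed is reported as persistent. The file names and the injected `listdir`/`lstat` hooks are constructed for the demonstration.

```python
import os
import tempfile
import time


def scan_dir(path, listdir=os.listdir, lstat=os.lstat,
             recheck_delay=0.0, sleep=time.sleep):
    """Return (transient, persistent) names seen by readdir but not by stat."""
    suspects = []
    for name in listdir(path):
        try:
            lstat(os.path.join(path, name))
        except FileNotFoundError:
            suspects.append(name)  # listed, but gone by the time we stat it
    if not suspects:
        return [], []
    sleep(recheck_delay)  # give short-lived temp files time to settle
    still_listed = set(listdir(path))
    transient, persistent = [], []
    for name in suspects:
        if name not in still_listed:
            transient.append(name)  # vanished from the listing too: a race
            continue
        try:
            lstat(os.path.join(path, name))
            transient.append(name)  # consistent again (file was recreated)
        except FileNotFoundError:
            persistent.append(name)  # still listed, still no stat: investigate
    return transient, persistent


def demo_race():
    """Constructed case: the owner deletes its temp file between readdir and stat."""
    with tempfile.TemporaryDirectory() as d:
        name = "zenping_nmap_EXAMPLE"  # constructed file name
        open(os.path.join(d, name), "w").close()

        def racing_lstat(p):
            if os.path.exists(p):
                os.remove(p)  # simulate the writer cleaning up mid-scan
            return os.lstat(p)

        return scan_dir(d, lstat=racing_lstat)


def demo_persistent():
    """Constructed case: the listing keeps reporting a name that stat never finds."""
    with tempfile.TemporaryDirectory() as d:
        return scan_dir(d, listdir=lambda p: ["ghost_entry"])
```
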