Category Archives: rootkit

Rootcheck updated to v2.0

Directly from: Rootcheck is responsible for the rootkit detection, system auditing and policy monitoring parts of OSSEC. However, if you want to check your systems without installing the whole OSSEC package, you can run Rootcheck separately to give you …

Posted in ossec, rootcheck, rootkit

Hidden ports on Linux

If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I may have figured out one of the possible causes today (and no, it is not a rootkit). To keep the story short: if you bind any …

Posted in linux, rootkit

Finding ADS on NTFS

ADS (Alternate Data Streams) is a “feature” of NTFS (the file system used on Windows 2000, XP, etc.) that permits files to be completely hidden from the system. You can read more about ADS in these two links: ADS …

Posted in ossec, rootkit

Rootcheck entry for the “Solaris Worm”

If you are running Solaris 10 and are worried about the possible Solaris Worm, you can add the following 4 lines to the /var/ossec/etc/shared/rootkit_files.txt file at your ossec server. It will automatically update the rootcheck config for all your agents. …

Posted in ossec, rootkit

Is Open Source Rootkit Detection Behind The Curve?

The guys from Matasano posted in their blog an entry about the current state of open source rootkit detection. While I agree that we are way behind the latest rootkit technologies (especially for Windows), if you look at the public …

Posted in ossec, rootkit