On 22 Sep 2014, at 11:10, List Monkey <listmonk...@gmail.com> wrote:
> I'm running FreeBSD as a VM. I recently got a hit from the ossec agent:
>
> OSSEC HIDS Notification.
> 2014 Aug 28 03:01:34
>
> Received From: (host) xxx.xxx.xxx.xxx->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> Portion of the log(s):
>
> Process '9990' hidden from kill (1), getsid (0) or getpgid. Possible
> kernel-level rootkit.
>
> It took a couple of days for me to respond to the alert but I could not
> find the process.
> Is there any reason this could be explained because FreeBSD is running
> as a VM?
> Any other thoughts?

Maybe the ossec agent software is overly paranoid, or simply missed a very
short-lived process? It's hard to say without more information.

-Dimitry
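
The alert quoted above reports that kill, getsid and getpgid disagreed about one PID, and the reply suggests a very short-lived process as a benign cause. The sketch below is an example added to this thread, not OSSEC's code and not written by either poster: it cross-checks the three calls and re-probes before reporting, so a process that exits mid-check is not flagged. The names `probe_pid`, `pid_hidden`, `reaped_child_pid` and the 50 ms delay are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* declares getsid/getpgid under strict -std= */
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

enum { SEEN_KILL = 1, SEEN_GETSID = 2, SEEN_GETPGID = 4, SEEN_ALL = 7 };

/* Bitmask of the calls that see pid; only ESRCH means absent (EPERM proves it exists). */
int probe_pid(pid_t pid)
{
    int seen = 0;
    if (kill(pid, 0) == 0 || errno != ESRCH) seen |= SEEN_KILL;
    if (getsid(pid) != (pid_t)-1 || errno != ESRCH) seen |= SEEN_GETSID;
    if (getpgid(pid) != (pid_t)-1 || errno != ESRCH) seen |= SEEN_GETPGID;
    return seen;
}

/* Returns 1 only if the three views disagree on every one of `tries` probes.
 * A process that exits between two calls disagrees once, then reads as gone. */
int pid_hidden(pid_t pid, int tries)
{
    struct timespec pause = { 0, 50 * 1000 * 1000 }; /* 50 ms, arbitrary */
    for (int i = 0; i < tries; i++) {
        int seen = probe_pid(pid);
        if (seen == 0 || seen == SEEN_ALL) return 0; /* all calls agree */
        nanosleep(&pause, NULL);
    }
    return 1;
}

/* Constructed sample input: the PID of a child that has already been reaped. */
pid_t reaped_child_pid(void)
{
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    if (pid > 0) waitpid(pid, NULL, 0);
    return pid;
}

int main(void)
{
    printf("self: seen=%d hidden=%d\n", probe_pid(getpid()), pid_hidden(getpid(), 3));
    printf("reaped child: seen=%d\n", probe_pid(reaped_child_pid()));
    return 0;
}
```

A mismatch that persists across every probe is the case worth investigating; the re-probe only filters out PIDs that vanish between calls.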