03-02-2007 03:29 PM - edited 03-10-2019 03:29 AM
I'm trying to determine if the logs I'm getting in CSA are an accurate report of a rootkit, or could they be false positives?
CSA reports that two of my hosts, both XP Pro, are in Untrusted Rootkit mode. The error messages look similar, but third-party tools show no sign of a rootkit. How can I determine if this is a false positive?
Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality
Module System Hardening Module [W, V5.0 r176]
Event details:
Event Text Kernel functionality has been modified by the module <unknown@0xe3370400>. The module '<unknown@0xe3370400>' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.
Event Time 3/2/2007 5:38:03 PM
Code MODULE_MODIFY_TAG
PInt 46
PInt2 12
PString detected rootkit as Untrusted
PString2 <unknown@0xe3370400>
PInt3 6
args(4) 8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b5424205250ff1183c424c220009090909090909090
args(5) <unknown>
time 82.2 (seconds since boot)
type EVTU
EvSrcComp 9
EvDst 1
EvDstComp 7
EvCode MODULE_USED_BY_SYS_TABLE
EvPInt 1
EvPString <unknown@0xe3370400>
EvPInt2 31
EvPString2 8b542420 528b5424 20a14cc9 14e3528b
5424208b 08528b54 2420528b 54242052
8b542420 528b5424 20528b54 24205250
ff1183c4 24c22000 90909090 90909090
EvPInt3 -482933760
EvPString3 ConnectPort
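For triage it helps to look at what the args(4)/EvPString2 bytes actually are. The following is an added example, not part of the thread or of CSA: a minimal x86 decoder covering only the opcode forms that occur in this capture (the byte string is copied from the event above; the "hook" label is a heuristic, not a verdict on whether the code is malicious).

```python
# Bytes from the args(4) field of the CSA event (copied from the post above).
STUB_HEX = ("8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420"
            "528b542420528b542420528b5424205250ff1183c424c220009090909090909090")
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def modrm(code, i):
    """Decode a ModRM byte (plus SIB/disp where present) at code[i].
    Handles only the forms seen in such stubs: reg, [reg], [esp+disp8/32].
    Returns (reg_field, operand_text, next_index)."""
    b = code[i]; mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    i += 1
    if mod == 3:
        return reg, REGS[rm], i
    if rm == 4:                                  # SIB byte follows
        sib = code[i]; i += 1
        if sib != 0x24:                          # only base=esp, no index
            raise ValueError("unsupported SIB form")
        base = "esp"
    elif mod == 0 and rm == 5:
        raise ValueError("disp32-only form not handled")
    else:
        base = REGS[rm]
    if mod == 1:
        d = code[i]; i += 1; return reg, f"[{base}+0x{d:x}]", i
    if mod == 2:
        d = int.from_bytes(code[i:i+4], "little"); i += 4
        return reg, f"[{base}+0x{d:x}]", i
    return reg, f"[{base}]", i

def disasm(code):
    out, i = [], 0
    while i < len(code):
        op = code[i]; i += 1
        if 0x50 <= op <= 0x57: out.append(f"push {REGS[op - 0x50]}")
        elif op == 0x8b: reg, m, i = modrm(code, i); out.append(f"mov {REGS[reg]}, {m}")
        elif op == 0xa1:
            a = int.from_bytes(code[i:i+4], "little"); i += 4
            out.append(f"mov eax, [0x{a:08x}]")
        elif op == 0xff:
            reg, m, i = modrm(code, i)
            if reg != 2: raise ValueError("only 'call r/m32' handled")
            out.append(f"call {m}")
        elif op == 0x83:
            reg, r, i = modrm(code, i); imm = code[i]; i += 1
            out.append(f"{'add' if reg == 0 else 'grp1'} {r}, 0x{imm:x}")
        elif op == 0xc2: n = int.from_bytes(code[i:i+2], "little"); i += 2; out.append(f"ret 0x{n:x}")
        elif op == 0x90: out.append("nop")
        else: raise ValueError(f"unhandled opcode 0x{op:02x} at offset {i - 1}")
    return out

def decode_stub():
    return disasm(bytes.fromhex(STUB_HEX))

def classify(listing):
    """Heuristic: re-pushes its stack args, calls through a pointer, returns with
    a cleanup count -> a forwarding thunk, i.e. the shape of a syscall hook."""
    return ("forwarding thunk (hook)" if any(l.startswith("call [") for l in listing)
            and any(l.startswith("ret 0x") for l in listing) else "other")
```

The listing shows eight `mov edx,[esp+0x20]`/`push edx` pairs, a `call [ecx]` through a pointer loaded from 0xe314c94c, then `ret 0x20`: a wrapper that forwards an 8-argument call to another function, which is consistent with either a rootkit or a legitimate product hooking the syscall table, as Tom's AutoCAD/PowerBuilder cases suggest.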
03-03-2007 07:27 AM
I see Cisco released Bug ID CSCsd04310, which basically lines up with what I'm seeing, at least that there is the potential for false positives. Is there a way I can be 100% sure? Would the 5.1 CSA help at all?
03-07-2007 10:03 AM
5.1 probably won't make a difference. We have several ugly apps that give us similar messages.
AutoCAD and Powerbuilder 10 are the two ugliest I've seen with regards to unknown processes. I'm not sure how I'll deal with this one when we move to 5.X. I may need to create a DAC that ignores rootkits discovered after these apps fire off.
A pain...
Tom