
I have just installed OSSEC and it is telling me this:

Process '2517' hidden from /proc. Possible kernel level rootkit.
Excessive number of hidden processes. It maybe a false-positive or something really bad is going on.

It's my live server and I host around 20 sites on it.

How can I remove that, and what is the maximum damage it can do?

radius

3 Answers

Do you see that hidden process every time you run OSSEC? If you see it only once, it could be that there was a delay between when OSSEC got the info from ps (say) and then it checked it against /proc. In the meanwhile the process may have terminated, raising the alert you just saw.

Dan Andreatta

It would probably be a good thing to install and run rkhunter. If this confirms that you have been compromised then your only realistic action is to make a copy of the compromised server to analyse later then reinstall from scratch and recover using known good backups.

user9517

It might be that OSSEC is using the unhide utility to check for hidden processes. This tool sometimes raises false-positives.

You can check yourself by running unhide proc, or unhide-linux26 proc for a 64-bit system.

weeheavy
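The three answers above boil down to one procedure: enumerate processes two different ways, diff the views, and repeat so that a process that simply exited between the two enumerations is not reported as hidden. The script below is an added illustration of that procedure, not part of the original thread and not OSSEC's or unhide's own code. It assumes a Linux host with /proc mounted; the PID range, the sample PID sets and the round count are constructed for the example. Enumerating via kill(pid, 0) is one common way to see PIDs the kernel knows about regardless of what /proc shows; thread IDs are deliberately included from /proc/<pid>/task so that ordinary threads are not mistaken for hidden processes.

```python
"""Cross-check process views to tell a hidden PID from a race condition.

Added example, not code from the original question or answers.
"""
import os
import subprocess
import time

# Assumed upper bound; a real host should read /proc/sys/kernel/pid_max.
PID_MAX = 32768


def pids_from_proc():
    """PIDs and thread IDs visible in /proc (what ps also reads)."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        # Non-leader threads answer kill(2) but only appear under task/,
        # so include them or every threaded daemon looks "hidden".
        try:
            for tid in os.listdir(f"/proc/{name}/task"):
                if tid.isdigit():
                    ids.add(int(tid))
        except OSError:
            pass  # process exited while we were listing it
    return ids


def pids_from_kill(pid_max=PID_MAX):
    """PIDs the kernel acknowledges via kill(pid, 0), without touching /proc."""
    live = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such process
        except PermissionError:
            pass              # exists, belongs to another user
        live.add(pid)
    return live


def pids_from_ps():
    """PIDs as reported by ps, the view the alert text refers to."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def hidden_pids(syscall_view, proc_view, ignore=()):
    """PIDs the kernel knows about that are absent from the /proc view."""
    return (set(syscall_view) - set(proc_view)) - set(ignore)


def intersect_rounds(snapshots):
    """Keep only PIDs flagged in every round; a transient process exits
    between two enumerations and shows up once, a real hidden process
    stays hidden on every pass."""
    result = None
    for found in snapshots:
        result = set(found) if result is None else result & set(found)
        if not result:
            break
    return result or set()


def persistent_hidden(rounds=3, delay=1.0):
    """Live check: run the diff several times and report stable suspects."""
    snapshots = []
    for _ in range(rounds):
        snapshots.append(hidden_pids(pids_from_kill(), pids_from_proc(),
                                     ignore={os.getpid()}))
        time.sleep(delay)
    return intersect_rounds(snapshots)


if __name__ == "__main__":
    suspects = persistent_hidden()
    if suspects:
        print("PIDs hidden from /proc on every pass:", sorted(suspects))
    else:
        print("No PID was consistently hidden; earlier hit was probably a race.")
```

If a PID survives every round, do not try to "remove" it from the running system: image the box first, as the second answer says, and treat a confirmed rootkit as a rebuild-from-known-good-backups event.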