Rootkit detected CSA 5.0

Unanswered Question
Mar 2nd, 2007

I'm trying to determine if the logs I'm getting in CSA are an accurate report of a rootkit, or whether they could be false positives.

CSA reports that two of my hosts, both XP Pro, are in Untrusted Rootkit mode. The error messages look similar, but third-party tools show no sign of a rootkit. How can I determine if this is a false positive?

Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality

Module System Hardening Module [W, V5.0 r176]

Event details:

Event Text Kernel functionality has been modified by the module <[email protected]>. The module '<[email protected]>' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.

Event Time 3/2/2007 5:38:03 PM

Code MODULE_MODIFY_TAG

PInt 46

PInt2 12

PString detected rootkit as Untrusted

PString2 <[email protected]>

PInt3 6

args(4) 8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b5424205250ff1183c424c220009090909090909090

args(5) <unknown>

time 82.2 (seconds since boot)

type EVTU

EvSrcComp 9

EvDst 1

EvDstComp 7

EvCode MODULE_USED_BY_SYS_TABLE

EvPInt 1

EvPString <[email protected]>

EvPInt2 31

EvPString2 8b542420 528b5424 20a14cc9 14e3528b

5424208b 08528b54 2420528b 54242052

8b542420 528b5424 20528b54 24205250

ff1183c4 24c22000 90909090 90909090

EvPInt3 -482933760

EvPString3 ConnectPort

FlattenedForm (t-1172875082 n-678166400 z--18000 sm-114 sc-13 dm-1 dc-7 cd-762 hp-2 p*(i-46 i-12 a-detected%20rootkit%20as%20Untrusted a-<[email protected]> i-6 a- a-8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b5424205250ff1183c424c220009090909090909090 a-<unknown> r*(type-11 time-822 rev*(sc-9 dm-1 dc-7 cd-175 p*(i-1 a-<[email protected]> i-31 d-lsfjGi1IurciHYuYumUulsfjGSicsTivKaIulsfjGi1IurcisTivKaIulsfjGifu*hXGetIWGaaKqcjKqcjKqc i--482933760 a-ConnectPort ) ) ) ) )

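An added triage check, not part of the original thread and not a CSA tool: the Python below parses the FlattenedForm record from the post above, confirms that its t-/z- fields reproduce the Event Time line, and normalizes the captured byte blob from both places it appears (args(4) and the four EvPString2 lines) into one SHA-256 fingerprint. Comparing that fingerprint and the module name between the two hosts, and against a known-clean machine running the same software, is what separates a vendor driver that hooks the syscall table on every install from something host-specific. The field meanings (t- as Unix time, z- as the UTC offset in seconds, time- in tenths of a second) are assumptions inferred from this single record, and the module name is the obscured string exactly as it appears on the page.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Sample input constructed from the post above: the FlattenedForm line with
# the line-wrap space inside the hex argument removed.  <[email protected]>
# is the obscured module name as the page shows it, not a real identifier.
FLATTENED = (
    "(t-1172875082 n-678166400 z--18000 sm-114 sc-13 dm-1 dc-7 cd-762 hp-2 "
    "p*(i-46 i-12 a-detected%20rootkit%20as%20Untrusted a-<[email protected]> i-6 a- "
    "a-8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420"
    "528b542420528b5424205250ff1183c424c220009090909090909090 a-<unknown> "
    "r*(type-11 time-822 rev*(sc-9 dm-1 dc-7 cd-175 p*(i-1 a-<[email protected]> "
    "i-31 d-lsfjGi1IurciHYuYumUulsfjGSicsTivKaIulsfjGi1IurcisTivKaIulsfjGifu*hXGetIWGaaKqcjKqcjKqc "
    "i--482933760 a-ConnectPort ) ) ) ) )"
)

# The same capture as printed in the EvPString2 field, four dwords per line.
EVPSTRING2 = """
8b542420 528b5424 20a14cc9 14e3528b
5424208b 08528b54 2420528b 54242052
8b542420 528b5424 20528b54 24205250
ff1183c4 24c22000 90909090 90909090
"""

_HEX = re.compile(r"^[0-9a-f]+$")


def parse_flattened(form):
    """Return the record's (key, value) pairs in order, with %xx escapes decoded.

    Keys repeat (i, a, sc, ...), so order is kept rather than building a dict.
    Format assumed from this one record: key-value tokens separated by spaces,
    nested groups opened with 'name*(' and closed with ')'.
    """
    return [(k, unquote(v)) for k, v in re.findall(r"([a-z]+)-([^\s()]*)", form)]


def first(pairs, key):
    """First value for a key (the record-level t-/z-/time- fields occur once)."""
    for k, v in pairs:
        if k == key:
            return v
    raise KeyError(key)


def event_local_time(pairs):
    """Assumption: t- is Unix time and z- the UTC offset in seconds.

    For this record that yields 17:38:02 at UTC-5, one second off the page's
    'Event Time 3/2/2007 5:38:03 PM', so the two clocks agree to rounding.
    """
    offset = timezone(timedelta(seconds=int(first(pairs, "z"))))
    return datetime.fromtimestamp(int(first(pairs, "t")), tz=offset)


def seconds_since_boot(pairs):
    """Assumption: time- is in tenths of a second (822 on the page -> 82.2)."""
    return int(first(pairs, "time")) / 10


def normalize_hex(blob):
    """Strip whitespace and line wraps from a hex dump and validate it."""
    cleaned = re.sub(r"\s+", "", blob).lower()
    if not _HEX.match(cleaned) or len(cleaned) % 2:
        raise ValueError("not a hex byte string")
    return cleaned


def captured_bytes(pairs):
    """The hex-encoded argument (args(4) on the page) as raw bytes."""
    for k, v in pairs:
        if k == "a" and len(v) >= 16 and _HEX.match(v):
            return bytes.fromhex(v)
    raise ValueError("no hex argument in record")


def fingerprint(data):
    """SHA-256 of the capture: compare this between hosts instead of eyeballing dumps."""
    return hashlib.sha256(data).hexdigest()


def summarize(form, evpstring2):
    """Cross-check one event's two representations and reduce it to comparable facts."""
    pairs = parse_flattened(form)
    blob = captured_bytes(pairs)
    return {
        "local_time": event_local_time(pairs).isoformat(),
        "seconds_since_boot": seconds_since_boot(pairs),
        "action": first(pairs, "a"),
        "capture_len": len(blob),
        "matches_evpstring2": blob == bytes.fromhex(normalize_hex(evpstring2)),
        # 0x90 is the single-byte x86 NOP; count the padding at the end of the capture.
        "trailing_0x90": len(blob) - len(blob.rstrip(b"\x90")),
        "fingerprint": fingerprint(blob),
    }


if __name__ == "__main__":
    for key, value in summarize(FLATTENED, EVPSTRING2).items():
        print(f"{key}: {value}")
```

Run it against the record from each host and diff the two summaries: identical module name, identical fingerprint and a seconds_since_boot value that lines up with a known driver loading at startup point at the same installed product on both machines, which is the pattern a vendor-driver false positive would show; differing bytes or a module that only one host has is what would justify deeper forensics on that host.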
jt3rry Sat, 03/03/2007 - 07:27

I see Cisco released BugID CSCsd04310, which basically lines up with what I'm seeing, at least in that there is the potential for false positives. Is there a way I can be 100% sure? Would the 5.1 CSA help at all?

tsteger1 Wed, 03/07/2007 - 10:03

5.1 probably won't make a difference. We have several ugly apps that give us similar messages.

AutoCAD and Powerbuilder 10 are the two ugliest I've seen with regards to unknown processes. I'm not sure how I'll deal with this one when we move to 5.X. I may need to create a DAC that ignores rootkits discovered after these apps fire off.

A pain...

Tom
