Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Rootkit detected CSA 5.0

I'm trying to determine if the logs I'm getting in CSA are an accurate report of a rootkit, or could they be false positive?

CSA reports two of my hosts both XP Pro are in Untrusted Rootkit mode. error messages look similar, but using 3rd party tools show no sign of a rootkit. How can I determine if this is a false positive?

Description Set Rootkit detected as Untrusted, All hashes and codes modify kernel functionality

Module System Hardening Module [W, V5.0 r176]

? Event details:

Event Text Kernel functionality has been modified by the module <unknown@0xe3370400>. The module '<unknown@0xe3370400>' is used by entries in the System syscall table. The specified action was taken to set detected rootkit as Untrusted.

Event Time 3/2/2007 5:38:03 PM

Code MODULE_MODIFY_TAG

PInt 46

PInt2 12

PString detected rootkit as Untrusted

PString2 <unknown@0xe3370400>

PInt3 6

args(4) 8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b542420525 0ff1183c424c220009090909090909090

args(5) <unknown>

time 82.2 (seconds since boot)

type EVTU

EvSrcComp 9

EvDst 1

EvDstComp 7

EvCode MODULE_USED_BY_SYS_TABLE

EvPInt 1

EvPString <unknown@0xe3370400>

EvPInt2 31

EvPString2 8b542420 528b5424 20a14cc9 14e3528b

5424208b 08528b54 2420528b 54242052

8b542420 528b5424 20528b54 24205250

ff1183c4 24c22000 90909090 90909090

EvPInt3 -482933760

EvPString3 ConnectPort

FlattenedForm (t-1172875082 n-678166400 z--18000 sm-114 sc-13 dm-1 dc-7 cd-762 hp-2 p*(i-46 i-12 a-detected%20rootkit%20as%20Untrusted a-<unknown@0xe3370400> i-6 a- a-8b542420528b542420a14cc914e3528b5424208b08528b542420528b542420528b542420528b542420528b5424205 250ff1183c424c220009090909090909090 a-<unknown> r*(type-11 time-822 rev*(sc-9 dm-1 dc-7 cd-175 p*(i-1 a-<unknown@0xe3370400> i-31 d-lsfjGi1IurciHYuYumUulsfjGSicsTivKaIulsfjGi1IurcisTivKaIulsfjGifu*hXGetIWGaaKqcjKqcjKqc i--482933760 a-ConnectPort ) ) ) ) )

2 REPLIES
New Member

Re: Rootkit detected CSA 5.0

I see Cisco released BugID CSCsd04310 which basically lines up with what I'm seeing, at least that there is the potential for false positives. Is there a way I can be 100% sure? would the 5.1 CSA help at all?

Blue

Re: Rootkit detected CSA 5.0

5.1 probably won't make a difference. We have several ugly apps that give us similar messages.

AutoCAD and Powerbuilder 10 are the two ugliest I've seen with regards to unknown processes. I'm not sure how I'll deal with this one when we move to 5.X. I may need to create a DAC that ignores rootkits discovered after these apps fire off.

A pain...

Tom

136
Views
4
Helpful
2
Replies
CreatePlease login to create content