teres.vir at gmail
Aug 21, 2012, 3:25 AM
Anomaly Detected by OSSEC
For me, OSSEC is continuously triggering the following alert message when
it is doing its daily rootkit checks:
OSSEC HIDS Notification.
2012 Aug 19 04:33:47
Received From: (web-agent) 192.168.0.115->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event
Portion of the log(s):
Anomaly detected in file '/tmp/clamav-e6d074726ae187561c8cdee65748cc53'.
Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
--END OF NOTIFICATION
The name of the tmp file changes in each alert. Is it a false positive?
Hoping that it is, any idea what's causing this file to be hidden from stats?
Thanks in advance,
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
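As an added example (not the poster's code and not from the OSSEC or ClamAV projects), the script below reproduces the readdir-versus-stat comparison behind rule 510 and shows how a scratch file that is deleted between the two calls, which is the whole lifetime of a ClamAV `/tmp/clamav-*` file during a scan, yields exactly "hidden from stats, but showing up on readdir" with no rootkit involved; a second pass tells a transient file apart from one that stays hidden. The `after_readdir` hook and the file names are assumptions made for the demonstration.

```python
import os
import tempfile
import time


def find_stat_hidden(directory, after_readdir=None):
    """Replicate the rootcheck condition: names that readdir() returns but lstat() cannot see.

    after_readdir is a demo-only hook (an assumption, not part of any real scanner) that runs
    between the directory listing and the stat loop, so a short-lived file can disappear in
    that window just as a ClamAV scratch file does on a busy system.
    """
    names = os.listdir(directory)          # the readdir() view of the directory
    if after_readdir:
        after_readdir()
    hidden = []
    for name in names:
        try:
            os.lstat(os.path.join(directory, name))   # the stat() view of each entry
        except FileNotFoundError:
            hidden.append(name)
    return hidden


def reclassify(directory, suspects, delay=0.1):
    """Second pass: a suspect that has left the listing was a transient file (benign race);
    one that is still listed yet still cannot be stat'ed keeps looking like a hidden file."""
    time.sleep(delay)
    listed = set(os.listdir(directory))
    verdicts = {}
    for name in suspects:
        if name not in listed:
            verdicts[name] = "transient"
        elif os.path.lexists(os.path.join(directory, name)):
            verdicts[name] = "visible-again"
        else:
            verdicts[name] = "still-hidden"
    return verdicts


def demo():
    """Constructed scenario: one persistent file plus a scratch file removed mid-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        keep = os.path.join(tmp, "persistent.log")
        scratch = os.path.join(tmp, "clamav-0123456789abcdef0123456789abcdef")  # constructed name
        for path in (keep, scratch):
            open(path, "w").close()
        hidden = find_stat_hidden(tmp, after_readdir=lambda: os.unlink(scratch))
        return hidden, reclassify(tmp, hidden)


if __name__ == "__main__":
    print(demo())
```

A "still-hidden" verdict on a re-check is the case worth investigating; a "transient" verdict on a `clamav-*` name lines up with the scan window and is the benign explanation.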