! #1/20 1201235576 0 0 100644 1100 ` __.SYMDEF SORTEDx'8@%c0NsoX`4 _ RqmHRHRzmXmcx#HR>`H`XXXmF@%T@%`$`B P mSonx#|x##_check_open_ports_connect_to_port_try_to_access_ports_check_rc_dev_read_dev_dir_read_dev_file_check_rc_files_check_rc_if_run_ifconfig_check_rc_pids_loop_all_pids_proc_chdir_proc_read_proc_stat_check_rc_ports_conn_port_run_netstat_test_ports_check_rc_readproc_read_proc_dir_read_proc_file_check_rc_sys_read_sys_dir_read_sys_file_check_rc_trojans_is_file_isfile_ondir_normalize_string_pt_matches_rk_check_file__rkcl_get_name__rkcl_get_pattern__rkcl_get_value__rkcl_getfp__rkcl_getrootdir__rkcl_is_name_rkcl_get_entry_Read_Rootcheck_Config_os_getch_os_string_rootcheck_init_notify_rk_run_rk_check_start_rk_daemon_is_process_is_registry_os_check_ads0 #1/28 1201235562 0 0 100644 8308 ` check_open_ports.o X__text__TEXTF__data__DATA__const__TEXT__cstring__TEXT@__picsymbolstub2__TEXT 0__la_sym_ptr2__DATA  __nl_symbol_ptr__DATA__textcoal_nt__TEXT @$ L P{{ USDE}u1D$D$$zE}y@E}u.D$D$$CE}y EvD$D$E؉$EE $fEڍ$ED$E؉D$E$uEE$]EEԋEԃD[]ÐUWVSE}~U<ED$$8u&ED$ D$D$@E$$ED$ D$D$@E$D$ED$$G?6E$‹)ЃU<ED$$8u)ED$ D$D$@X$'ED$ D$D$@X$D$XD$$a?6X$*‹)Ѓ8~EĬ[^_]ÐUSD$D$$J[]ÐU(EfEE$ÐUEfEEfEEÐ  !"#$%&'*+,:;<=>?[\]^`{|}~127.0.0.1 %d (tcp),%d (tcp), %d (udp),%d (udp),⍀P⍀P⍀P⍀Po⍀oP~Z⍀ZPjeE⍀EPQL0⍀0P8 &?Xq$Ë$Å\,N,H>,(| rcI5'lXJ( |  h1| { { ~{ y sikie{ ` ZPRPL{ G A7973{ . ( {  {  Ydd<DD D D"D#>D%JD'PD(uD+~D,D-pD.D0D2D5D7D8$&1> JS`|#^}%\x' $D<D?DA&DEVDGcDKDMDNDPDRDV3DX@D\iD_D`DbDeDgD?Dk$<=CEVFGTXY3Z[\$ Dr Ds,DtLDuZDh]$r v$PwDpD}D$p$ D'D(D)D*$'&&2$ 3 P& &/<  T( q? (Q g   K d? *Q.5>Ijw_@$Q_connect_to_port___i686.get_pc_thunk.bx_try_to_access_ports_check_open_ports___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp__ports_open_open_ports_size_open_ports_str___i686.get_pc_thunk.axdyld_stub_binding_helper_strlen_strncat_snprintf_close_connect_inet_addr_memset_socket/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_open_ports.cgcc2_compiled._hostname_map_NXSwapHostShortToBigconnect_to_port:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)proto:p(0,1)port:p(0,1)rc:(0,1)ossock:(0,1)server:(0,2)=xssockaddr_in:sockaddr_in:T(0,2)=s16sin_len:(0,3)=(0,4)=@s8;r(0,4);0;255;,0,8;sin_family:(0,5)=(0,3),8,8;sin_port:(0,6)=(0,7)=(0,8)=@s16;r(0,8);0;65535;,16,16;sin_addr:(0,9)=xsin_addr:,32,32;sin_zero:(0,10)=ar(0,11)=r(0,11);0000000000000;0037777777777;;0;7;(0,12)=r(0,12);0;127;,64,64;;__uint8_t:t(0,3)unsigned char:t(0,4)sa_family_t:t(0,5)in_port_t:t(0,6)__uint16_t:t(0,7)short unsigned int:t(0,8)in_addr:T(0,9)=s4s_addr:(0,13)=(0,14)=(0,15)=r(0,15);0000000000000;0037777777777;,0,32;;long unsigned int:t(0,16)=r(0,16);0000000000000;0037777777777;char:t(0,12)in_addr_t:t(0,13)__uint32_t:t(0,14)unsigned int:t(0,15)try_to_access_ports:F(0,17)=(0,17)void:t(0,17)i:(0,1)port_proto:(0,18)=ar(0,11);0;63;(0,12)port_proto:(0,18)check_open_ports:F(0,17)/usr/include/architecture/byte_order.h__OSSwapInt16NXSwapHostShortToBig:f(0,8)x:p(0,1)/usr/include/libkern/i386/OSByteOrder.h_OSSwapInt16:f(0,19)=(0,8)uint16_t:t(0,19)data:p(0,1)__local_name:G(0,20)=*(0,12)hostname_map:S(0,21)=ar(0,11);0;255;(0,22)=k(0,4)rootcheck:G(0,23)=(0,24)=xs_rkconfig:rkconfig:t(0,23)_rkconfig:T(0,24)=s60workdir:(0,20),0,32;basedir:(0,20),32,32;rootkit_files:(0,20),64,32;rootkit_trojans:(0,20),96,32;winaudit:(0,20),128,32;winmalware:(0,20),160,32;winapps:(0,20),192,32;fp:(0,25)=*(0,26)=(0,27)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,26)__sFILE:T(0,27)=s88_p:(0,28)=*(0,4),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,29)=@s16;r(0,29);-32768;32767;,96,16;_file:(0,29),112,16;_bf:(0,30)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,31)=*(0,17),224,32;_close:(0,32)=*(0,33)=f(0,1),256,32;_read:(0,34)=*(0,35)=f(0,1),288,32;_seek:(0,36)=*(0,37)=f(0,38)=(0,39)=(0,40)=(0,41)=@s64;r(0,41);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,42)=*(0,43)=f(0,1),352,32;_ub:(0,30),384,64;_extra:(0,44)=*(0,45)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,46)=ar(0,11);0;2;(0,4),512,24;_nbuf:(0,47)=ar(0,11);0;0;(0,4),536,8;_lb:(0,30),544,64;_blksize:(0,1),608,32;_offset:(0,38),640,64;;short int:t(0,29)__sbuf:T(0,30)=s8_base:(0,28),0,32;_size:(0,1),32,32;;fpos_t:t(0,38)__darwin_off_t:t(0,39)__int64_t:t(0,40)long long int:t(0,41)rk_sys_file:G(0,48)=*(0,20)rk_sys_name:G(0,48)rk_sys_count:G(0,1)total_ports_udp:G(0,49)=ar(0,11);0;65535;(0,12)total_ports_tcp:G(0,49)_ports_open:G(0,1)open_ports_size:G(0,1)open_ports_str:G(0,50)=ar(0,11);0;1024;(0,12) #1/20 1201235565 0 0 100644 10420 ` check_rc_dev.o X__text__TEXT O__data__DATA__const__TEXT__cstring__TEXT}__picsymbolstub2__TEXT]9 B__la_sym_ptr2__DATAp,L   __nl_symbol_ptr__DATAx __textcoal_nt__TEXT @ PhUSED$E$6yDžE%=@uE$bE%=uHED$ D$D$$D$$hDžĔ[]US):EBEQE`EčhEȍrE̍EЍEԍE؍EEEEE}tE$=w'D$$WDžbE$$E}uDž?E$E}uD$E$tˍD$E$u뭍EE|u'ED$ED$OuE͋E|tYEED$ED$ D$D$$EE|u'D$ED$uE͍$&E$DžĔ[]ÐUS4D$$ED$ D$D$$$L8uDD$ D$D$$nD$$?4[]Ð  !"#$%&'*+,:;<=>?[\]^`{|}~File '%s' present on /dev. Possible hidden file.MAKEDEVREADME.MAKEDEVMAKEDEV.README.udevdb.udev.tdb.initramfs-toolsMAKEDEV.local.udev.initramfsfd/dev/shm/sysconfig/dev/bus/usb/.usbfsossec-rootcheck%s: Invalid directory given....%s/%s%s: DEBUG: Starting on check_rc_dev%s/devNo problem detected on the /dev directory. Analyzed %d files⍀P⍀Pql⍀PXS⍀P?:⍀P&!⍀P ⍀P{⍀{Pf⍀fPQ⍀QP<⍀<Pj2Kd$Ë$ ~xjPC;1# t< wm^C:|*y!nhZI?7( pK  \\ CC **   ~ y ske ` Z|R|L G Ax9x3 . (t{ t{  pbpb ($  Idd<DDD%D 4D&DD)WD-gD/D1D4D5$+7M+a8bN&_lg'p%4rBeYq(h"`<mNaip+g$D;D@DEDX8D\QD^kD_DcDdDfDiDnDpDr DuDw'DxDDuFD{ND|XD~]DaDDDDDDDD $;:-<5>Y Re { @ # E X- . kR S T U $<DDD/DGDnD|DDDV $r       $ &  &0  ATP k      d6(DB- w]jR@8%_read_dev_file___i686.get_pc_thunk.bx_read_dev_dir_check_rc_dev___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp__dev_errors__dev_total___i686.get_pc_thunk.axdyld_stub_binding_helper_debug1_closedir_strcmp_readdir_opendir_merror_strlen_notify_rk_snprintf_lstat/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_dev.cgcc2_compiled._hostname_mapread_dev_file:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)file_name:p(0,2)=*(0,3)=r(0,3);0;127;char:t(0,3)statbuf:(0,4)=xsstat:stat:T(0,4)=s96st_dev:(0,5)=(0,6)=(0,7)=(0,1),0,32;st_ino:(0,8)=(0,9)=(0,10)=(0,11)=r(0,11);0000000000000;0037777777777;,32,32;st_mode:(0,12)=(0,13)=(0,14)=(0,15)=@s16;r(0,15);0;65535;,64,16;st_nlink:(0,16)=(0,14),80,16;st_uid:(0,17)=(0,18)=(0,10),96,32;st_gid:(0,19)=(0,20)=(0,10),128,32;st_rdev:(0,5),160,32;st_atimespec:(0,21)=xstimespec:,192,64;st_mtimespec:(0,21),256,64;st_ctimespec:(0,21),320,64;st_size:(0,22)=(0,23)=(0,24)=(0,25)=@s64;r(0,25);01000000000000000000000;0777777777777777777777;,384,64;st_blocks:(0,26)=(0,27)=(0,24),448,64;st_blksize:(0,28)=(0,29)=(0,7),512,32;st_flags:(0,10),544,32;st_gen:(0,10),576,32;st_lspare:(0,7),608,32;st_qspare:(0,30)=ar(0,31)=r(0,31);0000000000000;0037777777777;;0;1;(0,24),640,128;;dev_t:t(0,5)__darwin_dev_t:t(0,6)__int32_t:t(0,7)ino_t:t(0,8)__darwin_ino_t:t(0,9)__uint32_t:t(0,10)unsigned int:t(0,11)mode_t:t(0,12)__darwin_mode_t:t(0,13)__uint16_t:t(0,14)short unsigned int:t(0,15)nlink_t:t(0,16)uid_t:t(0,17)__darwin_uid_t:t(0,18)gid_t:t(0,19)__darwin_gid_t:t(0,20)timespec:T(0,21)=s8tv_sec:(0,32)=(0,33)=(0,34)=r(0,34);-2147483648;2147483647;,0,32;tv_nsec:(0,34),32,32;;off_t:t(0,22)__darwin_off_t:t(0,23)__int64_t:t(0,24)long long int:t(0,25)blkcnt_t:t(0,26)__darwin_blkcnt_t:t(0,27)blksize_t:t(0,28)__darwin_blksize_t:t(0,29)long unsigned int:t(0,35)=r(0,35);0000000000000;0037777777777;time_t:t(0,32)__darwin_time_t:t(0,33)long int:t(0,34)op_msg:(0,36)=ar(0,31);0;1024;(0,3)read_dev_dir:F(0,1)dir_name:p(0,2)i:(0,1)dp:(0,37)=*(0,38)=(0,39)=s80dd_fd:(0,1),0,32;dd_loc:(0,34),32,32;dd_size:(0,34),64,32;dd_buf:(0,2),96,32;dd_len:(0,1),128,32;dd_seek:(0,34),160,32;dd_rewind:(0,34),192,32;dd_flags:(0,1),224,32;dd_lock:(0,40)=(0,41)=xs_opaque_pthread_mutex_t:,256,352;dd_td:(0,42)=*(0,43)=xs_telldir:,608,32;;DIR:t(0,38)__darwin_pthread_mutex_t:t(0,40)_opaque_pthread_mutex_t:T(0,41)=s44__sig:(0,34),0,32;__opaque:(0,44)=ar(0,31);0;39;(0,3),32,320;;entry:(0,45)=*(0,46)=xsdirent:dirent:T(0,46)=s264d_ino:(0,8),0,32;d_reclen:(0,14),32,16;d_type:(0,47)=(0,48)=@s8;r(0,48);0;255;,48,8;d_namlen:(0,47),56,8;d_name:(0,49)=ar(0,31);0;255;(0,3),64,2048;;__uint8_t:t(0,47)unsigned char:t(0,48)ignore_dev:(0,50)=ar(0,31);0;10;(0,2)ignore_dev_full_path:(0,51)=ar(0,31);0;2;(0,2)f_name:(0,52)=ar(0,31);0;1025;(0,3)check_rc_dev:F(0,53)=(0,53)void:t(0,53)basedir:p(0,2)file_path:(0,36)op_msg:(0,36)__local_name:G(0,2)hostname_map:S(0,54)=ar(0,31);0;255;(0,55)=k(0,48)rootcheck:G(0,56)=(0,57)=xs_rkconfig:rkconfig:t(0,56)_rkconfig:T(0,57)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,58)=*(0,59)=(0,60)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,59)__sFILE:T(0,60)=s88_p:(0,61)=*(0,48),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,62)=@s16;r(0,62);-32768;32767;,96,16;_file:(0,62),112,16;_bf:(0,63)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,64)=*(0,53),224,32;_close:(0,65)=*(0,66)=f(0,1),256,32;_read:(0,67)=*(0,68)=f(0,1),288,32;_seek:(0,69)=*(0,70)=f(0,71)=(0,23),320,32;_write:(0,72)=*(0,73)=f(0,1),352,32;_ub:(0,63),384,64;_extra:(0,74)=*(0,75)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,76)=ar(0,31);0;2;(0,48),512,24;_nbuf:(0,77)=ar(0,31);0;0;(0,48),536,8;_lb:(0,63),544,64;_blksize:(0,1),608,32;_offset:(0,71),640,64;;short int:t(0,62)__sbuf:T(0,63)=s8_base:(0,61),0,32;_size:(0,1),32,32;;fpos_t:t(0,71)rk_sys_file:G(0,78)=*(0,2)rk_sys_name:G(0,78)rk_sys_count:G(0,1)total_ports_udp:G(0,79)=ar(0,31);0;65535;(0,3)total_ports_tcp:G(0,79)_dev_errors:G(0,1)_dev_total:G(0,1) #1/20 1201235566 0 0 100644 8524 ` check_rc_files.o XX X __text__TEXT4 Y__data__DATA__const__TEXT__cstring__TEXT\ __picsymbolstub2__TEXT< 6__la_sym_ptr2__DATA $   __nl_symbol_ptr__DATAD __textcoal_nt__TEXTP , @HP PUSt DžDžD$$E D$D$$uD$ $[t 8u38 t 8 t Ћ8#u`8uP8u78 t 8 t 뼋8u8ui8!u88 t 8 tǍ&8 t8 txD$:$t&8:u D$ $t D$ $ut 8*J= 8~%D$D$1$y8/u $= Ѝ9 $= Ѝ5 = Ѝ5 <t'= Ѝ9 <D$q$= Ѝ9 <t(= Ѝ9 $= Ѝ5 <t(= Ѝ5 $P= Ѝ9 = Ѝ5 = = Ѝ9 = Ѝ5 dD$ED$ D$D$$f$?DžD$D$ D$D$$D$$u@D$ D$D$$D$$|t []Ð  !"#$%&'*+,:;<=>?[\]^`{|}~ossec-rootcheck%s: DEBUG: Starting on check_rc_files%s(1250): Maximum number of global files reached: %d%s(1102): Memory error. Exiting.%s/%sRootkit '%s' detected by the presence of file '%s'.No presence of public rootkits detected. Analyzed %d files.⍀P⍀P⍀Pyt⍀P`[⍀PGBs⍀sP.)^⍀^PI⍀IP4⍀4PIb{ $Ë$ünX>D L H L L pD ]L LH 9L 3$D L D L H L H L wH dL TD AL 4D !L H L @L Y+sT7/% = = 9 9  5 5  1 1 ~ y s- k- e ` Z) R) L G A% s9% s3 . (! Z ! Z   A A  dYdj<yDDD D##D%;D*aD+}D-D1D4D6D8D9D;D<DADBDEDFDJDLDO(DP1DQ:DU<DYGDZRD^XD`eDbpDcyDeDfDhDkDmDnDxDyD{D}D~DDD5D>DGDcDlDuD~DDDDDDDD?DDDDDD7D[DDDDDDDD(D\DrDwDDD$   &\Tkq( &1<J WX'cadrsrtwu$ & &X s    dP T )\BO7@{j_check_rc_files___i686.get_pc_thunk.bx___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_notify_rk_is_file_snprintf_free_strdup_merror_strchr_fgets_debug1/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_files.cgcc2_compiled._hostname_mapcheck_rc_files:F(0,1)=(0,1)void:t(0,1)basedir:p(0,2)=*(0,3)=r(0,3);0;127;fp:p(0,4)=*(0,5)=(0,6)=xs__sFILE:char:t(0,3)FILE:t(0,5)__sFILE:T(0,6)=s88_p:(0,7)=*(0,8)=@s8;r(0,8);0;255;,0,32;_r:(0,9)=r(0,9);-2147483648;2147483647;,32,32;_w:(0,9),64,32;_flags:(0,10)=@s16;r(0,10);-32768;32767;,96,16;_file:(0,10),112,16;_bf:(0,11)=xs__sbuf:,128,64;_lbfsize:(0,9),192,32;_cookie:(0,12)=*(0,1),224,32;_close:(0,13)=*(0,14)=f(0,9),256,32;_read:(0,15)=*(0,16)=f(0,9),288,32;_seek:(0,17)=*(0,18)=f(0,19)=(0,20)=(0,21)=(0,22)=@s64;r(0,22);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,23)=*(0,24)=f(0,9),352,32;_ub:(0,11),384,64;_extra:(0,25)=*(0,26)=xs__sFILEX:,448,32;_ur:(0,9),480,32;_ubuf:(0,27)=ar(0,28)=r(0,28);0000000000000;0037777777777;;0;2;(0,8),512,24;_nbuf:(0,29)=ar(0,28);0;0;(0,8),536,8;_lb:(0,11),544,64;_blksize:(0,9),608,32;_offset:(0,19),640,64;;unsigned char:t(0,8)int:t(0,9)short int:t(0,10)__sbuf:T(0,11)=s8_base:(0,7),0,32;_size:(0,9),32,32;;fpos_t:t(0,19)__darwin_off_t:t(0,20)__int64_t:t(0,21)long long int:t(0,22)long unsigned int:t(0,30)=r(0,30);0000000000000;0037777777777;buf:(0,31)=ar(0,28);0;1024;(0,3)file_path:(0,31)file:(0,2)name:(0,2)link:(0,2)_errors:(0,9)_total:(0,9)nbuf:(0,2)op_msg:(0,31)op_msg:(0,31)__local_name:G(0,2)hostname_map:S(0,32)=ar(0,28);0;255;(0,33)=k(0,8)rootcheck:G(0,34)=(0,35)=xs_rkconfig:rkconfig:t(0,34)_rkconfig:T(0,35)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,4),224,32;daemon:(0,9),256,32;notify:(0,9),288,32;scanall:(0,9),320,32;readall:(0,9),352,32;disabled:(0,9),384,32;time:(0,9),416,32;queue:(0,9),448,32;;rk_sys_file:G(0,36)=*(0,2)rk_sys_name:G(0,36)rk_sys_count:G(0,9)total_ports_udp:G(0,37)=ar(0,28);0;65535;(0,3)total_ports_tcp:G(0,37) #1/20 1201235568 0 0 100644 7268 ` check_rc_if.o8 T__text__TEXTT$__data__DATA4__cstring__TEXT4__picsymbolstub2__TEXT} 6__la_sym_ptr2__DATA^$  __textcoal_nt__TEXT @@ s P__c US4ED$ D$D$$$u Dž Dž4[]ÐUSdEED$D$$jE}yD$$0D$D$$DžD$D$$iE$y(E$D$$;r D$D$$D$D$i E$uE%$tBD$ !D$D$$+D$$M@D$ aD$D$$D$$ E E$}u=ED$ D$D$$D$$d[]Ðifconfig %s | grep PROMISC > /dev/null 2>&1ossec-rootcheck%s: Error checking interfaces (socket)%s: Error checking interfaces (ioctl)Interface '%s' in promiscuous mode.Interface '%s' in promiscuous mode, but ifconfig is not showing it(probably trojaned).No problem detected on ifconfig/ifs. Analyzed %d interfaces.~⍀Pje⍀PQL⍀P83⍀P⍀Ps⍀sP^⍀^PI⍀IP4⍀4P 9R$Ë$@nX>,C;`1 +  {` @2 ` r ~J~J_ r z1z1_ r vv_ r rr~_ yr snkne_ `r ZjRjL_ Gr Af9f3_ .r (b b_ r ^^_  gncdefmolgncdefmoldWde<D,D/D16D2HD4TD5^t$,+-%bc^d$pD<pD=DEDFDHDIDMDNDODQDS$DT/DUGDXLDY^D\jD^}DaDcDfDiDlDnDpDt2Dw\DyrD\xD|D~DDDe$<p~===>i]j#|^@,A7BECPQk^_~`mnop$pq &$ T q ( " = Q e d'pY?L4@xg_run_ifconfig___i686.get_pc_thunk.bx_check_rc_if_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_notify_rk_strncpy_close_ioctl_memset_merror_socket_system_snprintf/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_if.cgcc2_compiled.run_ifconfig:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)ifconfig:p(0,2)=*(0,3)=r(0,3);0;127;char:t(0,3)nt:(0,4)=ar(0,5)=r(0,5);0000000000000;0037777777777;;0;1024;(0,3)long unsigned int:t(0,6)=r(0,6);0000000000000;0037777777777;check_rc_if:F(0,7)=(0,7)void:t(0,7)_fd:(0,1)_errors:(0,1)_total:(0,1)tmp_str:(0,8)=ar(0,5);0;15;(0,9)=xsifreq:ifreq:T(0,9)=s32ifr_name:(0,10)=ar(0,5);0;15;(0,3),0,128;ifr_ifru:(0,11)=u16ifru_addr:(0,12)=xssockaddr:,0,128;ifru_dstaddr:(0,12),0,128;ifru_broadaddr:(0,12),0,128;ifru_flags:(0,13)=@s16;r(0,13);-32768;32767;,0,16;ifru_metric:(0,1),0,32;ifru_mtu:(0,1),0,32;ifru_phys:(0,1),0,32;ifru_media:(0,1),0,32;ifru_intval:(0,1),0,32;ifru_data:(0,14)=(0,2),0,32;ifru_devmtu:(0,15)=xsifdevmtu:,0,96;;,128,128;;sockaddr:T(0,12)=s16sa_len:(0,16)=(0,17)=@s8;r(0,17);0;255;,0,8;sa_family:(0,18)=(0,16),8,8;sa_data:(0,19)=ar(0,5);0;13;(0,3),16,112;;short int:t(0,13)caddr_t:t(0,14)ifdevmtu:T(0,15)=s12ifdm_current:(0,1),0,32;ifdm_min:(0,1),32,32;ifdm_max:(0,1),64,32;;__uint8_t:t(0,16)unsigned char:t(0,17)sa_family_t:t(0,18)_if:(0,20)=xsifconf:ifconf:T(0,20)=s8ifc_len:(0,1),0,32;ifc_ifcu:(0,21)=u4ifcu_buf:(0,14),0,32;ifcu_req:(0,22)=*(0,9),0,32;;,32,32;;_ir:(0,22)_ifend:(0,22)_ifr:(0,9)op_msg:(0,4)op_msg:(0,4)rootcheck:G(0,23)=(0,24)=xs_rkconfig:rkconfig:t(0,23)_rkconfig:T(0,24)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,25)=*(0,26)=(0,27)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,26)__sFILE:T(0,27)=s88_p:(0,28)=*(0,17),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,13),96,16;_file:(0,13),112,16;_bf:(0,29)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,30)=*(0,7),224,32;_close:(0,31)=*(0,32)=f(0,1),256,32;_read:(0,33)=*(0,34)=f(0,1),288,32;_seek:(0,35)=*(0,36)=f(0,37)=(0,38)=(0,39)=(0,40)=@s64;r(0,40);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,41)=*(0,42)=f(0,1),352,32;_ub:(0,29),384,64;_extra:(0,43)=*(0,44)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,45)=ar(0,5);0;2;(0,17),512,24;_nbuf:(0,46)=ar(0,5);0;0;(0,17),536,8;_lb:(0,29),544,64;_blksize:(0,1),608,32;_offset:(0,37),640,64;;__sbuf:T(0,29)=s8_base:(0,28),0,32;_size:(0,1),32,32;;fpos_t:t(0,37)__darwin_off_t:t(0,38)__int64_t:t(0,39)long long int:t(0,40)rk_sys_file:G(0,47)=*(0,2)rk_sys_name:G(0,47)rk_sys_count:G(0,1)total_ports_udp:G(0,48)=ar(0,5);0;65535;(0,3)total_ports_tcp:G(0,48)#1/20 1201235563 0 0 100644 12380 ` check_rc_pids.o X__text__TEXTh__data__DATA __const__TEXT __cstring__TEXT ] __picsymbolstub2__TEXT= 8`__la_sym_ptr2__DATA @8__nl_symbol_ptr__DATA __textcoal_nt__TEXT @< $ P!US48t DžYED$ D$D$$e D$$4 t Dž Dž4[]USTaEq 8tDžD$$ u DžvD $s u DžWED$ J D$D$$ $- uE$ ET[]ÐUSD 8t DžYED$dD$ sD$D$$ $y t Dž DžD[]US EEEEEEEEEEE Eȃ}E;E EEEEEEEEEEED$Ẻ$E u " 8uEẺ$ u 8uEẺ$ u 8uEẺ$.E؋Ẻ$EԋẺ$2EЃ}u#}u}u}u}u }uE;EuE8~;D$D$$ D$$]E8tNẺD$ED$ VD$D$$ E$|uE$L}t#}t}t}t}t }tẺ$|u 8uED$Ẻ$u `8uEẺ$u =8uEẺ$E؋Ẻ$EԋẺ$EЃ}u#}u}u}u}u }uE;EE;Eu{E;Ets}u}u}u }uED$ED$ẺD$ qD$D$$D$$ EtE;EuE;Eu E;Eus}u}u}u }u=ED$ED$ẺD$ D$D$$D$$EE;EuE;Eu E;Eui 8Ẻ$ẺD$ 1 D$D$$ D$$Ed}t^}tX}uRẺ$uCẺD$ q D$D$$D$$EẼ-Ą []UStEEBfsPDžD$D$$D${D$$Z$_u9D$D$$($-uƅ$t $tED$ ED$D$$z}uGED$D$ D$D$$D$$t[]  !"#$%&'*+,:;<=>?[\]^`{|}~%d/proc/proc/%d%s/%dExcessive number of hidden processes. It maybe a false-positive or something really bad is going on.%s -p %d > /dev/null 2>&1Process '%d' hidden from kill (%d) or getsid (%d). Possible kernel-level rootkit.Process '%d' hidden from kill (%d), getsid (%d) or getpgid. Possible kernel-level rootkit.Process '%d' hidden from /proc. Possible kernel level rootkit.Process '%d' hidden from ps. Possible trojaned version installed./proc/1/bin/ps/usr/bin/psNo hidden process by Kernel-level rootkits. %s is not trojaned. Analyzed %d processes.⍀Pv⍀vPa⍀aPxsL⍀LP_Z7⍀7PFA"⍀"P-( ⍀ P⍀P⍀P⍀P⍀P⍀P⍀P~yz⍀zPe`e⍀ePLGP⍀PP3J c |  + D ] v $Ë$ OTOJ8 O OOx O_ OK "  @ wa6  y vl8! e  ZL>%]    { Q8*   cQ K1      ~  x s  m e _ Z  T L F A  ; n 3 n - (  " U  U     <  <  # #     ~ y  s k e `  Z R L G  A t 9 t 3 .  ( [ [     B  B  <840,($  dd<DDDD(DOD!kD#wD$ $9DO$D+D,D0D1D3D5D8D9D;D<.D>@DBGDDUDE^$+* ,-".,-^.$DLpDODPDRDTDVDYDZ/$Lp@KKMZ[\$DaDbDcDdDe$Df+Dg2Dh9Di@DjGDkNDmUDr\DvdDyzD{D|D}D~DDDDDDDDDD DD0D7DEDSDaDDDDDDDDDDDD)D0D<D`DeDDDDDDDDDD$D)DEDbD D DDDD$D:DED#_D&D(D)D,D/D2D6D7&Dt,D;7]$ax`` ``r&bc,d9eFfSg`hki|jkmnpb@%1  /@$@DB@DCODDVDH]DIvDKDMDPDQDRDTDUDV'D[.D]RD``DbDeDhDl$B@%C2D@FIHiIKOd$ & >&O_ q T q (  % 9 g   d J@;$0pDYdk3S<[sM(rg@ _proc_read___i686.get_pc_thunk.bx_proc_chdir_proc_stat_loop_all_pids_check_rc_pids___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp_noproc___i686.get_pc_thunk.axdyld_stub_binding_helper_strncpy_memset_check_rc_readproc_sleep_system_notify_rk_getpgid_getsid___error_kill_getpid_is_file_chdir_getcwd_isfile_ondir_snprintf/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_pids.cgcc2_compiled._hostname_mapproc_read:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)pid:p(0,1)dir:(0,2)=ar(0,3)=r(0,3);0000000000000;0037777777777;;0;1024;(0,4)=r(0,4);0;127;long unsigned int:t(0,5)=r(0,5);0000000000000;0037777777777;char:t(0,4)proc_chdir:F(0,1)pid:p(0,1)ret:(0,1)curr_dir:(0,2)dir:(0,2)proc_stat:F(0,1)pid:p(0,1)proc_dir:(0,2)loop_all_pids:F(0,6)=(0,6)void:t(0,6)ps:p(0,7)=*(0,4)max_pid:p(0,8)=(0,9)=(0,10)=(0,1)_errors:p(0,11)=*(0,1)_total:p(0,11)pid_t:t(0,8)__darwin_pid_t:t(0,9)__int32_t:t(0,10)_kill0:(0,1)_kill1:(0,1)_gsid0:(0,1)_gsid1:(0,1)_gpid0:(0,1)_gpid1:(0,1)_ps0:(0,1)_proc_stat:(0,1)_proc_read:(0,1)_proc_chdir:(0,1)i:(0,8)my_pid:(0,8)command:(0,2)op_msg:(0,2)op_msg:(0,2)op_msg:(0,2)op_msg:(0,2)op_msg:(0,2)check_rc_pids:F(0,6)_total:(0,1)_errors:(0,1)ps:(0,2)proc_0:(0,12)=ar(0,3);0;5;(0,4)proc_1:(0,13)=ar(0,3);0;7;(0,4)max_pid:(0,8)op_msg:(0,2)__local_name:G(0,7)hostname_map:S(0,14)=ar(0,3);0;255;(0,15)=k(0,16)=@s8;r(0,16);0;255;unsigned char:t(0,16)rootcheck:G(0,17)=(0,18)=xs_rkconfig:rkconfig:t(0,17)_rkconfig:T(0,18)=s60workdir:(0,7),0,32;basedir:(0,7),32,32;rootkit_files:(0,7),64,32;rootkit_trojans:(0,7),96,32;winaudit:(0,7),128,32;winmalware:(0,7),160,32;winapps:(0,7),192,32;fp:(0,19)=*(0,20)=(0,21)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,20)__sFILE:T(0,21)=s88_p:(0,22)=*(0,16),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,23)=@s16;r(0,23);-32768;32767;,96,16;_file:(0,23),112,16;_bf:(0,24)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,25)=*(0,6),224,32;_close:(0,26)=*(0,27)=f(0,1),256,32;_read:(0,28)=*(0,29)=f(0,1),288,32;_seek:(0,30)=*(0,31)=f(0,32)=(0,33)=(0,34)=(0,35)=@s64;r(0,35);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,36)=*(0,37)=f(0,1),352,32;_ub:(0,24),384,64;_extra:(0,38)=*(0,39)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,40)=ar(0,3);0;2;(0,16),512,24;_nbuf:(0,41)=ar(0,3);0;0;(0,16),536,8;_lb:(0,24),544,64;_blksize:(0,1),608,32;_offset:(0,32),640,64;;short int:t(0,23)__sbuf:T(0,24)=s8_base:(0,22),0,32;_size:(0,1),32,32;;fpos_t:t(0,32)__darwin_off_t:t(0,33)__int64_t:t(0,34)long long int:t(0,35)rk_sys_file:G(0,42)=*(0,7)rk_sys_name:G(0,42)rk_sys_count:G(0,1)total_ports_udp:G(0,43)=ar(0,3);0;65535;(0,4)total_ports_tcp:G(0,43)noproc:G(0,1) #1/20 1201235565 0 0 100644 9780 ` check_rc_ports.o X__text__TEXT @__data__DATA__const__TEXT__cstring__TEXT__picsymbolstub2__TEXT 6__la_sym_ptr2__DATA$   __nl_symbol_ptr__DATA __textcoal_nt__TEXT @T PUSD}u3E D$D$ D$D$$a]}u3E D$.D$ D$D$$($2D$Q$Dž($u Dž DžD[]USDE}u1D$D$$KE}yCE}u1D$D$$E}y ED$D$E؉$EE $fE$ED$E؉D$E$uyE}uM UM UE$EEԋEԃD[]ÐUSTE}~YEED$E$ED$E$t$ED$E${ED$E$=tmE }u& D$ED$ D$D$$D$$E 8~b}u& D$ D$D$$ED$$g ET[]ÐUS4aEEE}~&IUEUEύED$ED$$ ED$ED$$}u=ED$ D$D$$aD$$4[]ÐU(EfEE$ÐUE$#ÐUEfEEfEEÐUEȉEEÐ  !"#$%&'*+,:;<=>?[\]^`{|}~tcpnetstat -an | grep "^%s" | grep "[^0-9]%d " > /dev/null 2>&1udpossec-rootcheck%s: Netstat error (wrong protocol)Port '%d'(%s) hidden. Kernel-level rootkit or trojaned version of netstat.Excessive number of '%s' ports hidden. It maybe a false-positive or something really bad is going on.No kernel-level rootkit hiding any port. Netstat is acting correctly. Analyzed %d ports.⍀P⍀P⍀P⍀P⍀Ps⍀sP^⍀^PrmI⍀IPYT4⍀4P@7Pi$Ë$Õ}XB( t^D. = =oZ@ tD  `A{aW=B(   zz aa~ y sHkHe ` Z/R/L G A93 . (     *d{d<D+D.D/D0HD1ND4D5D8D9D;D<$+** ,O$D@DADEDGDHDJ&DL,DMQDQ]DRxDS|hDTDXDZD^D`DdDgDiDj$@?? ABC"#(^;}M%`{x'$,DnDqDs,Dt2DyLD{bDgDsDDDDDDbDxDqzD$n,9mFm ]mlotu}$DDDDDDDDDDDDDFD\$ee$DhDuD$h3<$ DD=DK$fo$pD'D(D)D*$'&$ D1D2D3D4$10 $  )&Z &  T q (' = Y m d=&1Mfs[@ _run_netstat___i686.get_pc_thunk.bx_conn_port_test_ports_check_rc_ports___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_notify_rk_sleep_close_bind_memset_socket_system_merror_snprintf/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_ports.cgcc2_compiled._hostname_maprun_netstat:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)proto:p(0,1)port:p(0,1)nt:(0,2)=ar(0,3)=r(0,3);0000000000000;0037777777777;;0;1024;(0,4)=r(0,4);0;127;long unsigned int:t(0,5)=r(0,5);0000000000000;0037777777777;char:t(0,4)_NXSwapHostShortToBig_NXSwapHostLongToBigconn_port:F(0,1)proto:p(0,1)port:p(0,1)rc:(0,1)ossock:(0,1)server:(0,6)=xssockaddr_in:sockaddr_in:T(0,6)=s16sin_len:(0,7)=(0,8)=@s8;r(0,8);0;255;,0,8;sin_family:(0,9)=(0,7),8,8;sin_port:(0,10)=(0,11)=(0,12)=@s16;r(0,12);0;65535;,16,16;sin_addr:(0,13)=xsin_addr:,32,32;sin_zero:(0,14)=ar(0,3);0;7;(0,4),64,64;;__uint8_t:t(0,7)unsigned char:t(0,8)sa_family_t:t(0,9)in_port_t:t(0,10)__uint16_t:t(0,11)short unsigned int:t(0,12)in_addr:T(0,13)=s4s_addr:(0,15)=(0,16)=(0,17)=r(0,17);0000000000000;0037777777777;,0,32;;in_addr_t:t(0,15)__uint32_t:t(0,16)unsigned int:t(0,17)test_ports:F(0,18)=(0,18)void:t(0,18)proto:p(0,1)_errors:p(0,19)=*(0,1)_total:p(0,19)i:(0,1)op_msg:(0,2)op_msg:(0,2)check_rc_ports:F(0,18)_errors:(0,1)_total:(0,1)i:(0,1)op_msg:(0,2)/usr/include/architecture/byte_order.h__OSSwapInt16NXSwapHostShortToBig:f(0,12)x:p(0,1)__OSSwapInt32NXSwapHostLongToBig:f(0,5)x:p(0,5)/usr/include/libkern/i386/OSByteOrder.h_OSSwapInt16:f(0,20)=(0,12)uint16_t:t(0,20)data:p(0,1)_OSSwapInt32:f(0,21)=(0,17)uint32_t:t(0,21)data:p(0,21)__local_name:G(0,22)=*(0,4)hostname_map:S(0,23)=ar(0,3);0;255;(0,24)=k(0,8)rootcheck:G(0,25)=(0,26)=xs_rkconfig:rkconfig:t(0,25)_rkconfig:T(0,26)=s60workdir:(0,22),0,32;basedir:(0,22),32,32;rootkit_files:(0,22),64,32;rootkit_trojans:(0,22),96,32;winaudit:(0,22),128,32;winmalware:(0,22),160,32;winapps:(0,22),192,32;fp:(0,27)=*(0,28)=(0,29)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,28)__sFILE:T(0,29)=s88_p:(0,30)=*(0,8),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,31)=@s16;r(0,31);-32768;32767;,96,16;_file:(0,31),112,16;_bf:(0,32)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,33)=*(0,18),224,32;_close:(0,34)=*(0,35)=f(0,1),256,32;_read:(0,36)=*(0,37)=f(0,1),288,32;_seek:(0,38)=*(0,39)=f(0,40)=(0,41)=(0,42)=(0,43)=@s64;r(0,43);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,44)=*(0,45)=f(0,1),352,32;_ub:(0,32),384,64;_extra:(0,46)=*(0,47)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,48)=ar(0,3);0;2;(0,8),512,24;_nbuf:(0,49)=ar(0,3);0;0;(0,8),536,8;_lb:(0,32),544,64;_blksize:(0,1),608,32;_offset:(0,40),640,64;;short int:t(0,31)__sbuf:T(0,32)=s8_base:(0,30),0,32;_size:(0,1),32,32;;fpos_t:t(0,40)__darwin_off_t:t(0,41)__int64_t:t(0,42)long long int:t(0,43)rk_sys_file:G(0,50)=*(0,22)rk_sys_name:G(0,50)rk_sys_count:G(0,1)total_ports_udp:G(0,51)=ar(0,3);0;65535;(0,4)total_ports_tcp:G(0,51) #1/28 1201235567 0 0 100644 9852 ` check_rc_readproc.o XDD__text__TEXT 3__data__DATA__const__TEXT__cstring__TEXTO__picsymbolstub2__TEXT <__la_sym_ptr2__DATA (  __nl_symbol_ptr__DATA4 __textcoal_nt__TEXT< @@ ,0 P UED$E$y E5E%=@uED$E D$E$EEEÐUST}tE$:=w'MD$]$DžE$E}uDžE$E}uyD$E$Qtˍ{D$E$5u뭃}E8u*D$$u ɋ8tPED$ED$ ~D$D$$ED$E D$$(}uuD$E$_ED$ED$ ~D$D$$ ED$E D$$}u+E D$E$]E$DžT[]ÐUSDDxED$ @D$D$E؉$SE؉$t ENED$ JD$D$E؉$D$E؉D$M$xEԋEԃD[]ÐUSE}x(}MU D4!ЅtEE[]Ð  !"#$%&'*+,:;<=>?[\]^`{|}~ossec-rootcheck%s: Invalid directory given...%s/%stask/proc/.%d%d/proc⍀P⍀P⍀P⍀P⍀Pto⍀P[Vw⍀wPB=b⍀bP)$M⍀MP 8⍀8P5Ng$Ë$Ä8lh I4C; &4 }4soO0sssc!sssso M -- )) %% !! ~ y sxkxe ` Z_R_L G AF9F3 . ( - -     $  Qdd<DD D"D&(D(8D+VD,]$9 DT`vTaabw&g'p% (8F]rkeq($:hK`emwap  ] $dD2dD8sD:D;D?D@DBDEDJDL)DN+DR5DTADVN `DWkDXmD[xD\D_DaDdDfDhDi4DmXDp^Dr{D|D~D$2d,1<1 G1W3{ R { 5) # s G  P. 8/ 0 1 2 $LDDDDDDD*DGDT3 $L W { | T} $~ D`DlD $` @  $L &$ J &[ *<sT      /d< @8dK J:1(~dqY@ B_read_proc_file_read_proc_dir___i686.get_pc_thunk.bx_check_rc_readproc___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp_proc_pid_found___i686.get_pc_thunk.axdyld_stub_binding_helper__DefaultRuneLocale_is_file_closedir_snprintf_strcmp_readdir_opendir_merror_strlen_lstat/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_readproc.cgcc2_compiled._hostname_mapread_proc_file:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)file_name:p(0,2)=*(0,3)=r(0,3);0;127;pid:p(0,2)position:p(0,1)char:t(0,3)statbuf:(0,4)=xsstat:stat:T(0,4)=s96st_dev:(0,5)=(0,6)=(0,7)=(0,1),0,32;st_ino:(0,8)=(0,9)=(0,10)=(0,11)=r(0,11);0000000000000;0037777777777;,32,32;st_mode:(0,12)=(0,13)=(0,14)=(0,15)=@s16;r(0,15);0;65535;,64,16;st_nlink:(0,16)=(0,14),80,16;st_uid:(0,17)=(0,18)=(0,10),96,32;st_gid:(0,19)=(0,20)=(0,10),128,32;st_rdev:(0,5),160,32;st_atimespec:(0,21)=xstimespec:,192,64;st_mtimespec:(0,21),256,64;st_ctimespec:(0,21),320,64;st_size:(0,22)=(0,23)=(0,24)=(0,25)=@s64;r(0,25);01000000000000000000000;0777777777777777777777;,384,64;st_blocks:(0,26)=(0,27)=(0,24),448,64;st_blksize:(0,28)=(0,29)=(0,7),512,32;st_flags:(0,10),544,32;st_gen:(0,10),576,32;st_lspare:(0,7),608,32;st_qspare:(0,30)=ar(0,31)=r(0,31);0000000000000;0037777777777;;0;1;(0,24),640,128;;dev_t:t(0,5)__darwin_dev_t:t(0,6)__int32_t:t(0,7)ino_t:t(0,8)__darwin_ino_t:t(0,9)__uint32_t:t(0,10)unsigned int:t(0,11)mode_t:t(0,12)__darwin_mode_t:t(0,13)__uint16_t:t(0,14)short unsigned int:t(0,15)nlink_t:t(0,16)uid_t:t(0,17)__darwin_uid_t:t(0,18)gid_t:t(0,19)__darwin_gid_t:t(0,20)timespec:T(0,21)=s8tv_sec:(0,32)=(0,33)=(0,34)=r(0,34);-2147483648;2147483647;,0,32;tv_nsec:(0,34),32,32;;off_t:t(0,22)__darwin_off_t:t(0,23)__int64_t:t(0,24)long long int:t(0,25)blkcnt_t:t(0,26)__darwin_blkcnt_t:t(0,27)blksize_t:t(0,28)__darwin_blksize_t:t(0,29)long unsigned int:t(0,35)=r(0,35);0000000000000;0037777777777;time_t:t(0,32)__darwin_time_t:t(0,33)long int:t(0,34)___isctyperead_proc_dir:F(0,1)dir_name:p(0,2)pid:p(0,2)position:p(0,1)dp:(0,36)=*(0,37)=(0,38)=s80dd_fd:(0,1),0,32;dd_loc:(0,34),32,32;dd_size:(0,34),64,32;dd_buf:(0,2),96,32;dd_len:(0,1),128,32;dd_seek:(0,34),160,32;dd_rewind:(0,34),192,32;dd_flags:(0,1),224,32;dd_lock:(0,39)=(0,40)=xs_opaque_pthread_mutex_t:,256,352;dd_td:(0,41)=*(0,42)=xs_telldir:,608,32;;DIR:t(0,37)__darwin_pthread_mutex_t:t(0,39)_opaque_pthread_mutex_t:T(0,40)=s44__sig:(0,34),0,32;__opaque:(0,43)=ar(0,31);0;39;(0,3),32,320;;entry:(0,44)=*(0,45)=xsdirent:dirent:T(0,45)=s264d_ino:(0,8),0,32;d_reclen:(0,14),32,16;d_type:(0,46)=(0,47)=@s8;r(0,47);0;255;,48,8;d_namlen:(0,46),56,8;d_name:(0,48)=ar(0,31);0;255;(0,3),64,2048;;__uint8_t:t(0,46)unsigned char:t(0,47)f_name:(0,49)=ar(0,31);0;1025;(0,3)tmp_str:(0,2)check_rc_readproc:F(0,1)pid:p(0,1)char_pid:(0,50)=ar(0,31);0;31;(0,3)/usr/include/ctype.h__isctype:f(0,51)=(0,1)__darwin_ct_rune_t:t(0,51)_c:p(0,51)_f:p(0,35)__local_name:G(0,2)hostname_map:S(0,52)=ar(0,31);0;255;(0,53)=k(0,47)rootcheck:G(0,54)=(0,55)=xs_rkconfig:rkconfig:t(0,54)_rkconfig:T(0,55)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,56)=*(0,57)=(0,58)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,57)__sFILE:T(0,58)=s88_p:(0,59)=*(0,47),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,60)=@s16;r(0,60);-32768;32767;,96,16;_file:(0,60),112,16;_bf:(0,61)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,62)=*(0,63)=(0,63),224,32;_close:(0,64)=*(0,65)=f(0,1),256,32;_read:(0,66)=*(0,67)=f(0,1),288,32;_seek:(0,68)=*(0,69)=f(0,70)=(0,23),320,32;_write:(0,71)=*(0,72)=f(0,1),352,32;_ub:(0,61),384,64;_extra:(0,73)=*(0,74)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,75)=ar(0,31);0;2;(0,47),512,24;_nbuf:(0,76)=ar(0,31);0;0;(0,47),536,8;_lb:(0,61),544,64;_blksize:(0,1),608,32;_offset:(0,70),640,64;;short int:t(0,60)__sbuf:T(0,61)=s8_base:(0,59),0,32;_size:(0,1),32,32;;void:t(0,63)fpos_t:t(0,70)rk_sys_file:G(0,77)=*(0,2)rk_sys_name:G(0,77)rk_sys_count:G(0,1)total_ports_udp:G(0,78)=ar(0,31);0;65535;(0,3)total_ports_tcp:G(0,78)proc_pid_found:G(0,1) #1/20 1201235568 0 0 100644 18380 ` check_rc_sys.o X__text__TEXTl h)__data__DATAl H__const__TEXT \__cstring__TEXT\__picsymbolstub2__TEXT!x__la_sym_ptr2__DATA Pp%__nl_symbol_ptr__DATA\(8(__textcoal_nt__TEXT` @&/ 5 P  !&2US qED$E$yWED$ qD$D$$D$$SmDžE%=@uEED$$uDžE D$E$E%=M} CDž|D$D$E$V D$D$$ |뾋$|3M3E ȅD$E$>|3L3H ȅtbEȋỦ3L3H ȅuHED$ D$D$$D$$mEE%=E@t=i8t#ED$VD$i$m0e8t#ED$VD$e$R}u=ED$ qD$D$$D$$m=E%t0a8t#ED$VD$a$Dž []ÐUSd qEEE3 X8 \> `G dQ hV l[ pDžt}tE$=w'a D$q $Dž xD$E$yDž;xt$8tExE%=@tDžE􃼅Xu.E􋄅XD$E$u E EËE$E}uA D$E$u $E}tDžE$gE}u D$E$"t D$E$uE맋ED$ED$ D$D$H$D$H$uA%=@t(%=t%=tEEU;~UЍ<uED$UЍ$UЍD$ED$UЍD$ D$D$$ D$$ E D$H$X uE D$H$E9E}tUE9uD$E$E ;EtxED$ED$ED$ D$D$$ D$Q D$E$ t!D$$ E$P Džd []ÐUS D$q$  ED$ D$D$$ x$etnD$$d  D$$@  D$$  *   x(t" @,D$$DžSX^gqv   ) {. 9 B DžDž~ru`D$ED$ G D$D$$ @,D$$^냍 8uI D$ Q D$D$x$q xD$$B  8 8 8 $ud d $Qu` ` $!u\ 1 \dD$`D$\D$ q D$D$h$UhD$$& 8t6 $u$e $: 8t6 $Mu$" $ 8t6 $ u$ $ []  !"#$%&'*+,:;<=>?[\]^`{|}~Anomaly detected in file '%s'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit./dev/fdAnomaly detected in file '%s'. File size doesn't match what we found. Possible kernel level rootkit.%s File '%s' is owned by root and has written permissions to anyone./bin/sbin/usr/bin/usr/sbin/dev/etc/bootossec-rootcheck%s: Invalid directory given./...%s/%sRootkit '%s' detected by the presence of file '%s/%s'./procFiles hidden inside directory '%s'. Link count does not match number of files (%d,%d).%s: DEBUG: Starting on check_rc_sys%swrootcheck-rw-rw-rw-.txtrootcheck-rwxrwxrwx.txtrootcheck-suid-files.txt/lib/root/var/log/var/mail/var/lib/var/www/usr/lib/usr/include/tmp/usr/local/var/tmp/sys%s%sNo problem found on the system. Analyzed %d files. rootcheck-suid-files.txt (list of suid files) rootcheck-rwxrwxrwx.txt (list of world writtable/executable files) rootcheck-rw-rw-rw-.txt (list of world writable files) Check the following files for more information: %s%s%s⍀P⍀P⍀P⍀P⍀Plg⍀PSNq⍀qP:5\⍀\P!G⍀GP2⍀2P⍀P⍀P⍀P⍀P⍀Prm⍀PYT⍀P@;⍀P'"u⍀uP `⍀`P$=Vo7Pi$Ë$_ S poM E 9o; / po" po  to  !o  to to  xo  o  xo xo  f o< o. o$  xo @o o  to o o  po po to xoz d J o< o/ |o  \o  o o oz on ob oV oJ o> yo2 po& fo ]o Wo o Ro o o o o o  \o \or pod toV xoJ poB : 9o0 o& to  !o o xo oo\ooloo|o{oqok  @0|*iK9w(@`d|dddDh%"o [5-#llmlT0(  aUpKe7p|tet|xemx4|.~No|iS9(  . WW  . SS  . OO  . KK  . G~Gx  s. mCzeCz_  Z. T?aL?aF  A. ;;H3;H-  (. "7/7/  . 33  . //  . ++  . ''  . ##  . ~  y. ske  `. ZgRgL  G. AN9N3  .. (5 5  .     LHD@<840,($  -*" )! ('-*" )! ('&%$#dd< DDD(D,0D0WD1mD4xD8D?D@DCDIDNDPDS%DU2DWdDYtD[D_DdDhDi2Dr=Du`DwkDxxDzD~DDDDDD(D5DBDeDo$S^ ab&g'!p9%Lgwre,:qQ(cyh`map7HI+m0noKLMN|]c===o$DDDDDDDDD4DCD\DkD}DDDDDDDDDDD DDDDTDmDDDDD D5D;DVDrDwDD D$D,D)7D*SD,XD2rD:D=DJDLDM.DY9D[DD\N$   2 D h Rt {  # x X  HC W mX f g /h mi 6x 7  9 N $Dc`DfoDhDiDjDlDpDrDs Dt. DxT Dyb Dzp D~ D D D D D D D D D" D- D: Dh D D D D D D D D D D D D D- DC DQ Dc $c` b d o     -  x :  ~  h%  &  ' l ( $ ) = & p  & #oT    9 Q d v    dl 6`(Dk-%bRxIr@w]jR@~Z7_read_sys_file___i686.get_pc_thunk.bx_read_sys_dir_check_rc_sys___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp__sys_errors__sys_total_did__wx__ww__suid___i686.get_pc_thunk.axdyld_stub_binding_helper_fclose_unlink_ftell_fopen_debug1_closedir_strncmp_readdir_opendir_merror_strlen_fprintf_close_read_open_strcmp_notify_rk_snprintf_lstat/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_sys.cgcc2_compiled._hostname_mapread_sys_file:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)file_name:p(0,2)=*(0,3)=r(0,3);0;127;do_read:p(0,1)char:t(0,3)statbuf:(0,4)=xsstat:stat:T(0,4)=s96st_dev:(0,5)=(0,6)=(0,7)=(0,1),0,32;st_ino:(0,8)=(0,9)=(0,10)=(0,11)=r(0,11);0000000000000;0037777777777;,32,32;st_mode:(0,12)=(0,13)=(0,14)=(0,15)=@s16;r(0,15);0;65535;,64,16;st_nlink:(0,16)=(0,14),80,16;st_uid:(0,17)=(0,18)=(0,10),96,32;st_gid:(0,19)=(0,20)=(0,10),128,32;st_rdev:(0,5),160,32;st_atimespec:(0,21)=xstimespec:,192,64;st_mtimespec:(0,21),256,64;st_ctimespec:(0,21),320,64;st_size:(0,22)=(0,23)=(0,24)=(0,25)=@s64;r(0,25);01000000000000000000000;0777777777777777777777;,384,64;st_blocks:(0,26)=(0,27)=(0,24),448,64;st_blksize:(0,28)=(0,29)=(0,7),512,32;st_flags:(0,10),544,32;st_gen:(0,10),576,32;st_lspare:(0,7),608,32;st_qspare:(0,30)=ar(0,31)=r(0,31);0000000000000;0037777777777;;0;1;(0,24),640,128;;dev_t:t(0,5)__darwin_dev_t:t(0,6)__int32_t:t(0,7)ino_t:t(0,8)__darwin_ino_t:t(0,9)__uint32_t:t(0,10)unsigned int:t(0,11)mode_t:t(0,12)__darwin_mode_t:t(0,13)__uint16_t:t(0,14)short unsigned int:t(0,15)nlink_t:t(0,16)uid_t:t(0,17)__darwin_uid_t:t(0,18)gid_t:t(0,19)__darwin_gid_t:t(0,20)timespec:T(0,21)=s8tv_sec:(0,32)=(0,33)=(0,34)=r(0,34);-2147483648;2147483647;,0,32;tv_nsec:(0,34),32,32;;off_t:t(0,22)__darwin_off_t:t(0,23)__int64_t:t(0,24)long long int:t(0,25)blkcnt_t:t(0,26)__darwin_blkcnt_t:t(0,27)blksize_t:t(0,28)__darwin_blksize_t:t(0,29)long unsigned int:t(0,35)=r(0,35);0000000000000;0037777777777;time_t:t(0,32)__darwin_time_t:t(0,33)long int:t(0,34)op_msg:(0,36)=ar(0,31);0;1024;(0,3)buf:(0,37)=ar(0,31);0;1023;(0,3)fd:(0,1)nr:(0,1)total:(0,35)statbuf2:(0,4)op_msg:(0,36)op_msg:(0,36)read_sys_dir:F(0,1)dir_name:p(0,2)do_read:p(0,1)i:(0,1)entry_count:(0,11)did_changed:(0,1)dp:(0,38)=*(0,39)=(0,40)=s80dd_fd:(0,1),0,32;dd_loc:(0,34),32,32;dd_size:(0,34),64,32;dd_buf:(0,2),96,32;dd_len:(0,1),128,32;dd_seek:(0,34),160,32;dd_rewind:(0,34),192,32;dd_flags:(0,1),224,32;dd_lock:(0,41)=(0,42)=xs_opaque_pthread_mutex_t:,256,352;dd_td:(0,43)=*(0,44)=xs_telldir:,608,32;;DIR:t(0,39)__darwin_pthread_mutex_t:t(0,41)_opaque_pthread_mutex_t:T(0,42)=s44__sig:(0,34),0,32;__opaque:(0,45)=ar(0,31);0;39;(0,3),32,320;;entry:(0,46)=*(0,47)=xsdirent:dirent:T(0,47)=s264d_ino:(0,8),0,32;d_reclen:(0,14),32,16;d_type:(0,48)=(0,49)=@s8;r(0,49);0;255;,48,8;d_namlen:(0,48),56,8;d_name:(0,50)=ar(0,31);0;255;(0,3),64,2048;;__uint8_t:t(0,48)unsigned char:t(0,49)statbuf:(0,4)dirs_to_doread:(0,51)=ar(0,31);0;7;(0,2)f_name:(0,52)=ar(0,31);0;1025;(0,3)statbuf_local:(0,4)op_msg:(0,36)statbuf2:(0,4)op_msg:(0,36)check_rc_sys:F(0,53)=(0,53)void:t(0,53)basedir:p(0,2)file_path:(0,36)_i:(0,1)dirs_to_scan:(0,54)=ar(0,31);0;19;(0,2)op_msg:(0,36)op_msg:(0,36)__local_name:G(0,2)hostname_map:S(0,55)=ar(0,31);0;255;(0,56)=k(0,49)rootcheck:G(0,57)=(0,58)=xs_rkconfig:rkconfig:t(0,57)_rkconfig:T(0,58)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,59)=*(0,60)=(0,61)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,60)__sFILE:T(0,61)=s88_p:(0,62)=*(0,49),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,63)=@s16;r(0,63);-32768;32767;,96,16;_file:(0,63),112,16;_bf:(0,64)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,65)=*(0,53),224,32;_close:(0,66)=*(0,67)=f(0,1),256,32;_read:(0,68)=*(0,69)=f(0,1),288,32;_seek:(0,70)=*(0,71)=f(0,72)=(0,23),320,32;_write:(0,73)=*(0,74)=f(0,1),352,32;_ub:(0,64),384,64;_extra:(0,75)=*(0,76)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,77)=ar(0,31);0;2;(0,49),512,24;_nbuf:(0,78)=ar(0,31);0;0;(0,49),536,8;_lb:(0,64),544,64;_blksize:(0,1),608,32;_offset:(0,72),640,64;;short int:t(0,63)__sbuf:T(0,64)=s8_base:(0,62),0,32;_size:(0,1),32,32;;fpos_t:t(0,72)rk_sys_file:G(0,79)=*(0,2)rk_sys_name:G(0,79)rk_sys_count:G(0,1)total_ports_udp:G(0,80)=ar(0,31);0;65535;(0,3)total_ports_tcp:G(0,80)_sys_errors:G(0,1)_sys_total:G(0,1)did:G(0,5)_wx:G(0,59)_ww:G(0,59)_suid:G(0,59) #1/28 1201235563 0 0 100644 7068 ` check_rc_trojans.o| __text__TEXT` &__data__DATA,__const__TEXT8__cstring__TEXT8__picsymbolstub2__TEXTQ 6__la_sym_ptr2__DATA$2 @  __textcoal_nt__TEXTV @ uL4 Paad US EEEDžD$$ E D$D$$uDžED$ $t $M8x8#iD$!$ u3D$!$u$$$o88uEE􃼅ur8/tAD$E􋄅D$ED$ D$D$$'D$D$$ƅ$fD$$-E8tt ttD$D$D$ D$D$x$xD$$8/u9E}u=ED$ qD$D$x$xD$$.Ĵ []  !"#$%&'*+,:;<=>?[\]^`{|}~binsbinusr/binusr/sbinossec-rootcheck%s: DEBUG: Starting on check_rc_trojans%s/%s/%sGenericTrojaned version of file '%s' detected. Signature used: '%s' (%s).No binaries with any trojan detected. Analyzed %d files.B⍀P.)⍀P⍀P⍀P⍀Ps⍀sP^⍀^PI⍀IPz4⍀4Pf*C\u$Ë$qW) lJ0g+rj`J>2& b t a t mma t TTa t ;;~a yt s"k"ea `t Z R La Gt A93a .t ( a t a  ijgqohpfeijgqohpfedkd~<DDD$D$^D'vD*D,D/D0D2D7D:DA DCDD5DF>DICDJLDLUDMqDOzDQDRDTDUDVDYD[D^DbDdDfDlPDmpDqwDtDvD}D-D8D=DHDNDuD$ # *<rTq("CT_t)*sx-HxN$ & B&S     1 d+ ^DQ9@}l_check_rc_trojans___i686.get_pc_thunk.bx___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_notify_rk_os_string_is_file_strncpy_snprintf_normalize_string_strchr_fgets_debug1/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/check_rc_trojans.cgcc2_compiled._hostname_mapcheck_rc_trojans:F(0,1)=(0,1)void:t(0,1)basedir:p(0,2)=*(0,3)=r(0,3);0;127;fp:p(0,4)=*(0,5)=(0,6)=xs__sFILE:char:t(0,3)FILE:t(0,5)__sFILE:T(0,6)=s88_p:(0,7)=*(0,8)=@s8;r(0,8);0;255;,0,32;_r:(0,9)=r(0,9);-2147483648;2147483647;,32,32;_w:(0,9),64,32;_flags:(0,10)=@s16;r(0,10);-32768;32767;,96,16;_file:(0,10),112,16;_bf:(0,11)=xs__sbuf:,128,64;_lbfsize:(0,9),192,32;_cookie:(0,12)=*(0,1),224,32;_close:(0,13)=*(0,14)=f(0,9),256,32;_read:(0,15)=*(0,16)=f(0,9),288,32;_seek:(0,17)=*(0,18)=f(0,19)=(0,20)=(0,21)=(0,22)=@s64;r(0,22);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,23)=*(0,24)=f(0,9),352,32;_ub:(0,11),384,64;_extra:(0,25)=*(0,26)=xs__sFILEX:,448,32;_ur:(0,9),480,32;_ubuf:(0,27)=ar(0,28)=r(0,28);0000000000000;0037777777777;;0;2;(0,8),512,24;_nbuf:(0,29)=ar(0,28);0;0;(0,8),536,8;_lb:(0,11),544,64;_blksize:(0,9),608,32;_offset:(0,19),640,64;;unsigned char:t(0,8)int:t(0,9)short int:t(0,10)__sbuf:T(0,11)=s8_base:(0,7),0,32;_size:(0,9),32,32;;fpos_t:t(0,19)__darwin_off_t:t(0,20)__int64_t:t(0,21)long long int:t(0,22)long unsigned int:t(0,30)=r(0,30);0000000000000;0037777777777;i:(0,9)_errors:(0,9)_total:(0,9)buf:(0,31)=ar(0,28);0;1024;(0,3)file_path:(0,31)file:(0,2)string_to_look:(0,2)all_paths:(0,32)=ar(0,28);0;4;(0,2)nbuf:(0,2)message:(0,2)op_msg:(0,31)op_msg:(0,31)__local_name:G(0,2)hostname_map:S(0,33)=ar(0,28);0;255;(0,34)=k(0,8)rootcheck:G(0,35)=(0,36)=xs_rkconfig:rkconfig:t(0,35)_rkconfig:T(0,36)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,4),224,32;daemon:(0,9),256,32;notify:(0,9),288,32;scanall:(0,9),320,32;readall:(0,9),352,32;disabled:(0,9),384,32;time:(0,9),416,32;queue:(0,9),448,32;;rk_sys_file:G(0,37)=*(0,2)rk_sys_name:G(0,37)rk_sys_count:G(0,9)total_ports_udp:G(0,38)=ar(0,28);0;65535;(0,3)total_ports_tcp:G(0,38)#1/12 1201235565 0 0 100644 12932 ` common.o| H H __text__TEXT ;__data__DATA8 __const__TEXT8 __cstring__TEXT?8 __picsymbolstub2__TEXT w ~__la_sym_ptr2__DATA T __textcoal_nt__TEXT@  @  PP*USD}uDž} u-E$ tDžDžD$E$N E}uDžEED$D$$u^D$ $t E D$$tE$YDžE$BDžD[]ÐUS4EEE EE}u E}uD$ E $E}t5E8&u*E8&uE8 uEEEEEEEE 8!u E ED$fD$E $0u,E ED$E $ED$iD$E $u,E ED$E $ED$lD$E $u%E ED$E $/ylEcD$oD$E $Pu%E ED$E $~&EED$E $uE}t E E}u}tE!}u EEEE EEE4[]ÐU(E$<EE8uE8 t E8 tEސEE8 t EE8 tEEE(׋EU(EE $E}u EVE$}E}u-ED$E$uыE$5EE$!EEÐUSuEEEƅwD$x$uDžlD$/E$yppu.ED$#D$5$2Džlnp;EppEtt$uvp$u E8uEp$*E}tE$EY8uEx$Xp(p/7E$9uEx$ 8uEED$E$y@D$E$y)D$E$[E}u El}t E$DžllĤ[]Ð  !"#$%&'*+,:;<=>?[\]^`{|}~r=:r:<:>:ossec-rootcheck%s: RK: Invalid file name: %s!⍀P⍀P⍀P⍀P⍀P⍀P⍀Prmu⍀uPYT`⍀`P@;K⍀KP'"6⍀6P !⍀!P ⍀ P⍀P⍀P⍀P⍀Pxs⍀P_Z⍀PFAy⍀yP-(d⍀dP7Pi 1 J c | $Ë$À[LB+ xfT  iUF&$<<rVG<% <8 hY1  < <   8 8   4 4   0 0   , t , t   ( [ ~( [ x s m$ B e$ B _ Z T ) L ) F A ;  3  - ( "                    z z  a a~ y s Hk He ` Z /R /L G A 9 3 . (       PLHD@<840,($            dd<DDDD$D!*D#9D&HD*WD+oD-uD0D1D6D7D9DFDHDIDM DNDO $@Kl {Tq("8w3 $0D_0D`<DaCDbJDcPDgWDi]DljDouDpDsDuDvDzDDDDDDDDD1D=D^DdD~DDDDDDDD DD,D3D9D?DFDLDRDYD[DaDhDjDqD|D$_0^^ `abc<  $\DDDDDDDDDDD $#.;<=$hDDDDDDD5DNDYD!bD"mD#t>$R^ iR{M l Y g g~ ' % #  t $D*|D+D.D/D:D<D>DBDCDEDFDM DP/DQ8DRADUJDW\DYnD^wD`DdDeDgDhDjDlDpDtDuDzD|DD DDDhDsDyDD $*| ) + -* J aX bo & p r eM[hl`map./4x6t&7p:;<$$= Q& & ) = Q  d@ D T|F4(0T](w ;2vk@^LDj_rk_check_file___i686.get_pc_thunk.bx_pt_matches_normalize_string_isfile_ondir_is_file___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_access_stat___error_chdir_merror_strrchr_getcwd_closedir_readdir_opendir_strlen_strcmp_OS_Regex_strcasecmp_strncasecmp_fclose_strchr_fgets_fopen/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/common.cgcc2_compiled._hostname_maprk_check_file:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)file:p(0,2)=*(0,3)=r(0,3);0;127;pattern:p(0,2)char:t(0,3)fp:(0,4)=*(0,5)=(0,6)=xs__sFILE:FILE:t(0,5)__sFILE:T(0,6)=s88_p:(0,7)=*(0,8)=@s8;r(0,8);0;255;,0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,9)=@s16;r(0,9);-32768;32767;,96,16;_file:(0,9),112,16;_bf:(0,10)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,11)=*(0,12)=(0,12),224,32;_close:(0,13)=*(0,14)=f(0,1),256,32;_read:(0,15)=*(0,16)=f(0,1),288,32;_seek:(0,17)=*(0,18)=f(0,19)=(0,20)=(0,21)=(0,22)=@s64;r(0,22);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,23)=*(0,24)=f(0,1),352,32;_ub:(0,10),384,64;_extra:(0,25)=*(0,26)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,27)=ar(0,28)=r(0,28);0000000000000;0037777777777;;0;2;(0,8),512,24;_nbuf:(0,29)=ar(0,28);0;0;(0,8),536,8;_lb:(0,10),544,64;_blksize:(0,1),608,32;_offset:(0,19),640,64;;unsigned char:t(0,8)short int:t(0,9)__sbuf:T(0,10)=s8_base:(0,7),0,32;_size:(0,1),32,32;;void:t(0,12)fpos_t:t(0,19)__darwin_off_t:t(0,20)__int64_t:t(0,21)long long int:t(0,22)long unsigned int:t(0,30)=r(0,30);0000000000000;0037777777777;buf:(0,31)=ar(0,28);0;2048;(0,3)nbuf:(0,2)pt_matches:F(0,1)str:p(0,2)pattern:p(0,2)neg:(0,1)ret_code:(0,1)tmp_pt:(0,2)tmp_ret:(0,2)normalize_string:F(0,2)str:p(0,2)str_sz:(0,1)isfile_ondir:F(0,1)file:p(0,2)dir:p(0,2)dp:(0,32)=*(0,33)=(0,34)=s80dd_fd:(0,1),0,32;dd_loc:(0,35)=r(0,35);-2147483648;2147483647;,32,32;dd_size:(0,35),64,32;dd_buf:(0,2),96,32;dd_len:(0,1),128,32;dd_seek:(0,35),160,32;dd_rewind:(0,35),192,32;dd_flags:(0,1),224,32;dd_lock:(0,36)=(0,37)=xs_opaque_pthread_mutex_t:,256,352;dd_td:(0,38)=*(0,39)=xs_telldir:,608,32;;DIR:t(0,33)long int:t(0,35)__darwin_pthread_mutex_t:t(0,36)_opaque_pthread_mutex_t:T(0,37)=s44__sig:(0,35),0,32;__opaque:(0,40)=ar(0,28);0;39;(0,3),32,320;;entry:(0,41)=*(0,42)=xsdirent:dirent:T(0,42)=s264d_ino:(0,43)=(0,44)=(0,45)=(0,46)=r(0,46);0000000000000;0037777777777;,0,32;d_reclen:(0,47)=(0,48)=@s16;r(0,48);0;65535;,32,16;d_type:(0,49)=(0,8),48,8;d_namlen:(0,49),56,8;d_name:(0,50)=ar(0,28);0;255;(0,3),64,2048;;ino_t:t(0,43)__darwin_ino_t:t(0,44)__uint32_t:t(0,45)unsigned int:t(0,46)__uint16_t:t(0,47)short unsigned int:t(0,48)__uint8_t:t(0,49)is_file:F(0,1)file_name:p(0,2)ret:(0,1)statbuf:(0,51)=xsstat:stat:T(0,51)=s96st_dev:(0,52)=(0,53)=(0,54)=(0,1),0,32;st_ino:(0,43),32,32;st_mode:(0,55)=(0,56)=(0,47),64,16;st_nlink:(0,57)=(0,47),80,16;st_uid:(0,58)=(0,59)=(0,45),96,32;st_gid:(0,60)=(0,61)=(0,45),128,32;st_rdev:(0,52),160,32;st_atimespec:(0,62)=xstimespec:,192,64;st_mtimespec:(0,62),256,64;st_ctimespec:(0,62),320,64;st_size:(0,63)=(0,20),384,64;st_blocks:(0,64)=(0,65)=(0,21),448,64;st_blksize:(0,66)=(0,67)=(0,54),512,32;st_flags:(0,45),544,32;st_gen:(0,45),576,32;st_lspare:(0,54),608,32;st_qspare:(0,68)=ar(0,28);0;1;(0,21),640,128;;dev_t:t(0,52)__darwin_dev_t:t(0,53)__int32_t:t(0,54)mode_t:t(0,55)__darwin_mode_t:t(0,56)nlink_t:t(0,57)uid_t:t(0,58)__darwin_uid_t:t(0,59)gid_t:t(0,60)__darwin_gid_t:t(0,61)timespec:T(0,62)=s8tv_sec:(0,69)=(0,70)=(0,35),0,32;tv_nsec:(0,35),32,32;;off_t:t(0,63)blkcnt_t:t(0,64)__darwin_blkcnt_t:t(0,65)blksize_t:t(0,66)__darwin_blksize_t:t(0,67)time_t:t(0,69)__darwin_time_t:t(0,70)fp:(0,4)dp:(0,32)curr_dir:(0,71)=ar(0,28);0;1023;(0,3)file_dirname:(0,2)file_basename:(0,2)__local_name:G(0,2)hostname_map:S(0,72)=ar(0,28);0;255;(0,73)=k(0,8)rootcheck:G(0,74)=(0,75)=xs_rkconfig:rkconfig:t(0,74)_rkconfig:T(0,75)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,4),224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;rk_sys_file:G(0,76)=*(0,2)rk_sys_name:G(0,76)rk_sys_count:G(0,1)total_ports_udp:G(0,77)=ar(0,28);0;65535;(0,3)total_ports_tcp:G(0,77)#1/20 1201235565 0 0 100644 13836 ` common_rcl.o| JJ__text__TEXTt __data__DATAt __const__TEXT  __cstring__TEXT __picsymbolstub2__TEXT w'Z__la_sym_ptr2__DATA<__textcoal_nt__TEXTB @C(4 P## ,$UÐU(ED$D$E $uqD$ E $E}tEE EE8u*E8 t E8 tE܋E8#uE̋E8uwEEEEU(E8[uE$ E8]u EEEÐUS$EE$u E`ED$]E$ E}u E4EEE8 tE8[t E ED$]E$D E}u EEE D$E$ u E6 D$E$ u EEEuE8 tE8[t EYED$]E$ E}u E.ED$ED$E $ E$ EE$[]ÐUE8uAE8 u3E8-u(E8>uE8 uEEEE EEEÐUS$E D$:E$ E}u EEED$;E$ E}u EEE8!uED$E$ u E QD$E$ u E -D$E$ u E  EEEE$[]ÐUSEEDžED$D$$ D$D$$ D$D$$ D$D$$ EED$$HuD$$e DžD$E$ E}uDžtDED$D$E$uL}uD$$ED$D$$DžtD$D$$nDžDžD$E$0E}uE$tED$E$uOt$DžED$D$]$Džt8!uDž}uoDž$D$D$$OD$$4Dž%}DžDž$[t$>D$D$$D$D$$BD$$mDžf}u`D$D$$9D$$t"D$ $Džtt Dž Dž}u-D$: $tLDž@D$T $tt Dž Džt=D$D$E D$ n D$D$x$1D$E D$ D$D$x$RxD$$#}u0t$DžDžtE$ED$D$E$t%t$I}uD$$ED$D$$Džt}DžttĴ[]Ð  !"#$%&'*+,:;<=>?[\]^`{|}~allanyfrpossec-rootcheck%s(1253): Invalid rootdir (unable to retrieve).%s(1251): Invalid rk configuration name: '%s'.%s: DEBUG: Checking entry: '%s'.%s(1252): Invalid rk configuration value: '%s'.%s: DEBUG: Checking file: '%s'.%s: DEBUG: Checking registry: '%s'.%s: DEBUG: found registry.%s: DEBUG: Checking process: '%s'.%s: DEBUG: found process.%s: DEBUG: Condition ANY.%s: DEBUG: Condition ALL.%s %s. Reference: %s .%s %s.lr⍀rPXS]⍀]P?:H⍀HP&!3⍀3P ⍀P ⍀ P⍀P⍀P⍀P⍀Pwr⍀P^Y⍀PE@v⍀vP,'a⍀aPL⍀LP 2Kd}$Ë$> 6 ,        h R 8   q W  ld= Z #       rj ` J-  _W` M 6  z p c[ Q 6  z\>$   q D$ yn<  3 $ F-sB m>e>_# ZB T:L:F# AB ;636-# (B "22# B ..# B *u*u# B &\&\# B "C"C# B **# B ~# yB s k e# `B Z R L# GB A 9 3# .B (   # B   # 840,($  4:015/-32=?<>;.4:015/-32=?<>;.dd< DD4D5 %$R^n $D<D=DB7DCMDESDIYDM_DOiDQ{DRDTDVDWD`DbDeDhDi$<;; +T:qQ(cy?7$DpDqDsDuDv$po$<D}DDDD D$D:D@DLDRDXDkDwD}DDDDDDDDDDD DD'D-DCDIDRDXDrD$}|| |,~?STU$DDDDDDDDDV$o|$`DDDDDD)D/D5DKDQD]DcDkDoDDD D D DDD}$ $DDD%D(D*$D+BD,`D-~D/D2D3D5D;D>D@DA DCDGDI@DKIDMODPgDQDUDZD[D]D^D`DeDgDlDmDo#Dq,Dr:DtDDucDzrD|}D}DDDDDDDDDD#D7D@DTDvDDDDDDD D*D3D<DHDRDXDpDyDDDDDDDDD% DV Dl Dr D{ D D D D  D  D  D D D D D# DB DN DX D b $  3>_ o!"$%&( $  U V ;d e Zr [~          x  l N b $ &  A &R  0 dt B?F/Wj {b\4@rjM@*z__rkcl_getrootdir__rkcl_getfp__rkcl_is_name__rkcl_get_name___i686.get_pc_thunk.bx__rkcl_get_pattern__rkcl_get_value_rkcl_get_entry___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_notify_rk_snprintf_is_process_is_registry_rk_check_file_free_debug2_merror_memset_strdup_strncpy_strcmp_strlen_strchr_fgets/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/common_rcl.cgcc2_compiled._hostname_map_rkcl_getrootdir:F(0,1)=*(0,2)=r(0,2);0;127;char:t(0,2)root_dir:p(0,1)dir_size:p(0,3)=r(0,3);-2147483648;2147483647;int:t(0,3)_rkcl_getfp:F(0,1)fp:p(0,4)=*(0,5)=(0,6)=xs__sFILE:buf:p(0,1)FILE:t(0,5)__sFILE:T(0,6)=s88_p:(0,7)=*(0,8)=@s8;r(0,8);0;255;,0,32;_r:(0,3),32,32;_w:(0,3),64,32;_flags:(0,9)=@s16;r(0,9);-32768;32767;,96,16;_file:(0,9),112,16;_bf:(0,10)=xs__sbuf:,128,64;_lbfsize:(0,3),192,32;_cookie:(0,11)=*(0,12)=(0,12),224,32;_close:(0,13)=*(0,14)=f(0,3),256,32;_read:(0,15)=*(0,16)=f(0,3),288,32;_seek:(0,17)=*(0,18)=f(0,19)=(0,20)=(0,21)=(0,22)=@s64;r(0,22);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,23)=*(0,24)=f(0,3),352,32;_ub:(0,10),384,64;_extra:(0,25)=*(0,26)=xs__sFILEX:,448,32;_ur:(0,3),480,32;_ubuf:(0,27)=ar(0,28)=r(0,28);0000000000000;0037777777777;;0;2;(0,8),512,24;_nbuf:(0,29)=ar(0,28);0;0;(0,8),536,8;_lb:(0,10),544,64;_blksize:(0,3),608,32;_offset:(0,19),640,64;;unsigned char:t(0,8)short int:t(0,9)__sbuf:T(0,10)=s8_base:(0,7),0,32;_size:(0,3),32,32;;void:t(0,12)fpos_t:t(0,19)__darwin_off_t:t(0,20)__int64_t:t(0,21)long long int:t(0,22)long unsigned int:t(0,30)=r(0,30);0000000000000;0037777777777;nbuf:(0,1)_rkcl_is_name:F(0,3)buf:p(0,1)_rkcl_get_name:F(0,1)buf:p(0,1)ref:p(0,1)condition:p(0,31)=*(0,3)tmp_location:(0,1)tmp_location2:(0,1)_rkcl_get_pattern:F(0,1)value:p(0,1)_rkcl_get_value:F(0,1)buf:p(0,1)type:p(0,31)tmp_str:(0,1)value:(0,1)rkcl_get_entry:F(0,3)fp:p(0,4)msg:p(0,1)p_list_p:p(0,11)type:(0,3)condition:(0,3)root_dir_len:(0,3)nbuf:(0,1)buf:(0,32)=ar(0,28);0;1025;(0,2)root_dir:(0,32)final_file:(0,33)=ar(0,28);0;2048;(0,2)ref:(0,34)=ar(0,28);0;255;(0,2)value:(0,1)name:(0,1)tmp_str:(0,1)p_list:(0,35)=*(0,36)=(0,37)=xs_OSList:OSList:t(0,36)_OSList:T(0,37)=s24first_node:(0,38)=*(0,39)=(0,40)=xs_OSListNode:,0,32;last_node:(0,38),32,32;cur_node:(0,38),64,32;currently_size:(0,3),96,32;max_size:(0,3),128,32;free_data_function:(0,41)=*(0,42)=f(0,12),160,32;;OSListNode:t(0,39)_OSListNode:T(0,40)=s12next:(0,43)=*(0,40),0,32;prev:(0,43),32,32;data:(0,11),64,32;;g_found:(0,3)negate:(0,3)found:(0,3)pattern:(0,1)entry:(0,1)pattern:(0,1)op_msg:(0,44)=ar(0,28);0;1024;(0,2)__local_name:G(0,1)hostname_map:S(0,45)=ar(0,28);0;255;(0,46)=k(0,8)rootcheck:G(0,47)=(0,48)=xs_rkconfig:rkconfig:t(0,47)_rkconfig:T(0,48)=s60workdir:(0,1),0,32;basedir:(0,1),32,32;rootkit_files:(0,1),64,32;rootkit_trojans:(0,1),96,32;winaudit:(0,1),128,32;winmalware:(0,1),160,32;winapps:(0,1),192,32;fp:(0,4),224,32;daemon:(0,3),256,32;notify:(0,3),288,32;scanall:(0,3),320,32;readall:(0,3),352,32;disabled:(0,3),384,32;time:(0,3),416,32;queue:(0,3),448,32;;rk_sys_file:G(0,49)=*(0,1)rk_sys_name:G(0,49)rk_sys_count:G(0,3)total_ports_udp:G(0,50)=ar(0,28);0;65535;(0,2)total_ports_tcp:G(0,50) #1/12 1201235570 0 0 100644 3876 ` config.o| __text__TEXT\$__data__DATA\__const__TEXT`__picsymbolstub2__TEXT`D__la_sym_ptr2__DATAyt__nl_symbol_ptr__DATA__textcoal_nt__TEXT @5 P)), |US$EED$ tD$ED$E$!y EEE$[]  !"#$%&'*+,:;<=>?[\]^`{|}~⍀Pm$Ë$;# + 4 yeye* ,,1d!d*<9`DD DDDCDLDSG$ S$\ &`H &>K-:TIq`(r     d\0cIV>@q_Read_Rootcheck_Config___i686.get_pc_thunk.bx___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_ReadConfig/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/config.cgcc2_compiled._hostname_mapRead_Rootcheck_Config:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)cfgfile:p(0,2)=*(0,3)=r(0,3);0;127;char:t(0,3)modules:(0,1)__local_name:G(0,2)hostname_map:S(0,4)=ar(0,5)=r(0,5);0000000000000;0037777777777;;0;255;(0,6)=k(0,7)=@s8;r(0,7);0;255;long unsigned int:t(0,8)=r(0,8);0000000000000;0037777777777;unsigned char:t(0,7)rootcheck:G(0,9)=(0,10)=xs_rkconfig:rkconfig:t(0,9)_rkconfig:T(0,10)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,11)=*(0,12)=(0,13)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,12)__sFILE:T(0,13)=s88_p:(0,14)=*(0,7),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,15)=@s16;r(0,15);-32768;32767;,96,16;_file:(0,15),112,16;_bf:(0,16)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,17)=*(0,18)=(0,18),224,32;_close:(0,19)=*(0,20)=f(0,1),256,32;_read:(0,21)=*(0,22)=f(0,1),288,32;_seek:(0,23)=*(0,24)=f(0,25)=(0,26)=(0,27)=(0,28)=@s64;r(0,28);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,29)=*(0,30)=f(0,1),352,32;_ub:(0,16),384,64;_extra:(0,31)=*(0,32)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,33)=ar(0,5);0;2;(0,7),512,24;_nbuf:(0,34)=ar(0,5);0;0;(0,7),536,8;_lb:(0,16),544,64;_blksize:(0,1),608,32;_offset:(0,25),640,64;;short int:t(0,15)__sbuf:T(0,16)=s8_base:(0,14),0,32;_size:(0,1),32,32;;void:t(0,18)fpos_t:t(0,25)__darwin_off_t:t(0,26)__int64_t:t(0,27)long long int:t(0,28)rk_sys_file:G(0,35)=*(0,2)rk_sys_name:G(0,35)rk_sys_count:G(0,1)total_ports_udp:G(0,36)=ar(0,5);0;65535;(0,3)total_ports_tcp:G(0,36)#1/20 1201235567 0 0 100644 7732 ` os_string.o| ((__text__TEXT !__data__DATA__cstring__TEXT C__picsymbolstub2__TEXTcw Z__la_sym_ptr2__DATA<r __nl_symbol_ptr__DATA __textcoal_nt__TEXT  @ Puuy US}t} uDžD$$jE}u'D$1$0DžRD$E$uE$DžpD$D$$zDžDžDž$&D$$D$$uDžDž$fxt!fxtfx txu>fx u$xu Dž<Dž 0Dž$$fx t Dž$ DžD$D$ $u Dž@ BDž DžE$iE}ukEQD$E$u } t/}uEEEEEE}D$ED$$$$E}t\EuRD$E$Wu} t3}E E덋E D$$t.t$E$Dž8Eyt$uE$KDžĔ[]ÐU(E@ E8t0EU@;}MUBȃBE?[\]^`{|}~/usr/local/ossec-hids/etc/ossec.confossec-rootcheck%s: Starting ...%s: Configuration file '%s' not found%s(1202): Configuration error at '%s'. Exiting.%s: Rootcheck disabled. Exiting./usr/local/ossec-hids%s: Starting queue .../usr/local/ossec-hids/queue/ossec/queue%s(1210): Queue '%s' not accessible: '%s'.%s(1211): Unable to access queue: '%s'. Giving up..%s(1102): Memory error. Exiting.Z⍀PFA⍀P-(⍀P⍀P⍀P⍀P⍀P{⍀{Pf⍀fP~yQ⍀QPe`<⍀<PL+D]v$Ë$H 8 2*      @     znf \ R H>+#         | t l _ ME` ; -           q b S D 5 &   L ` K ` K ` nnK ` UUK ` <<K ` ##~K y` s k eK `` ZRLK G` A93K .` ( K ` K ($  T[\RQ_NPVOUT[\RQ_NPVOUXYZ6dd<DBDG DMDN$DO3DPBDQQDR`DSoDT~DDDDDDDDD+D9DQD]DjDzDDDDDD=DrD~DDDDDD6DFDVD]$BAG". /]0$h1 E& !&1FXTq(   - [ sdh).\BO7@{j_rootcheck_init___i686.get_pc_thunk.bx___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_calloc_sleep_strerror___error_StartMQ_verbose_ErrorExit_Read_Rootcheck_Config_merror_File_DateofChange_debug1/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/rootcheck.cgcc2_compiled._hostname_maprootcheck_init:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)test_config:p(0,1)cfg:(0,2)=*(0,3)=r(0,3);0;127;char:t(0,3)__local_name:G(0,2)hostname_map:S(0,4)=ar(0,5)=r(0,5);0000000000000;0037777777777;;0;255;(0,6)=k(0,7)=@s8;r(0,7);0;255;long unsigned int:t(0,8)=r(0,8);0000000000000;0037777777777;unsigned char:t(0,7)rootcheck:G(0,9)=(0,10)=xs_rkconfig:rkconfig:t(0,9)_rkconfig:T(0,10)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,11)=*(0,12)=(0,13)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,12)__sFILE:T(0,13)=s88_p:(0,14)=*(0,7),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,15)=@s16;r(0,15);-32768;32767;,96,16;_file:(0,15),112,16;_bf:(0,16)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,17)=*(0,18)=(0,18),224,32;_close:(0,19)=*(0,20)=f(0,1),256,32;_read:(0,21)=*(0,22)=f(0,1),288,32;_seek:(0,23)=*(0,24)=f(0,25)=(0,26)=(0,27)=(0,28)=@s64;r(0,28);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,29)=*(0,30)=f(0,1),352,32;_ub:(0,16),384,64;_extra:(0,31)=*(0,32)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,33)=ar(0,5);0;2;(0,7),512,24;_nbuf:(0,34)=ar(0,5);0;0;(0,7),536,8;_lb:(0,16),544,64;_blksize:(0,1),608,32;_offset:(0,25),640,64;;short int:t(0,15)__sbuf:T(0,16)=s8_base:(0,14),0,32;_size:(0,1),32,32;;void:t(0,18)fpos_t:t(0,25)__darwin_off_t:t(0,26)__int64_t:t(0,27)long long int:t(0,28)rk_sys_file:G(0,35)=*(0,2)rk_sys_name:G(0,35)rk_sys_count:G(0,1)total_ports_udp:G(0,36)=ar(0,5);0;65535;(0,3)total_ports_tcp:G(0,36) #1/20 1201235563 0 0 100644 11924 ` run_rk_check.o X__text__TEXT__data__DATA__const__TEXT __cstring__TEXT ` __picsymbolstub2__TEXT \4r__la_sym_ptr2__DATA[L7__nl_symbol_ptr__DATA&__textcoal_nt__TEXT @$ P\*UVS x$e}uE D$$O}uE D$$ 2}uE D$($ E D$4$ B$ E} ED$ 9DD$E D$@8$F ND$s$ 6D$$ F8F8y"D$ND$$ D$ 9DD$E D$@8$ y"D$ND$$? EE [^]UUS4?[\]^`{|}~[OK]: %s [ERR]: %s [INFO]: %s [FAILED]: %s rootcheckossec-rootcheck%s(1224): Error sending message to queue./usr/local/ossec-hids/queue/ossec/queue%s(1211): Unable to access queue: '%s'. Giving up../** Starting Rootcheck v0.8 by Daniel B. Cid ** ** http://www.ossec.net/en/about.html#dev-team ** ** http://www.ossec.net/rootcheck/ ** Be patient, it may take a few minutes to complete... Starting rootcheck scan.%s: No rootcheck_files file configured.r%s: No rootcheck_files file: '%s'%s: No rootcheck_trojans file configured.%s: No rootcheck_trojans file: '%s'%s: DEBUG: Going into check_rc_dev%s: DEBUG: Going into check_rc_sys%s: DEBUG: Going into check_rc_pids%s: DEBUG: Going into check_rc_ports%s: DEBUG: Going into check_open_ports%s: DEBUG: Going into check_rc_if%s: DEBUG: Completed with all checks.- Scan completed in %d seconds. %s: DEBUG: Leaving run_rk_check{⍀Pgb⍀PNI⍀P50⍀P⍀Pm⍀mPX⍀XPC⍀CP.⍀.P⍀P⍀Pmh⍀PTO⍀P;6⍀P"⍀P ⍀P⍀Pq⍀qP\⍀\P # < U n 6O$Ë$` [ O~oQ5 [ [` [ [ [|oia W[QD>6` ,[& [  [rc[ Q[B3&  ` [6 zOtl f^XPJB@<4O& 4  [  uh WQ IA 7[ -    [  Q O A ph5 SK* 6.    GG  ..     ~ x s m e _ Z T L F A ; 3 - ( "      f f {M {M w4 w4 s s o o ~ y sk kk e ` Zg Rg L G Ac 9c 3 . (_ _   [ [  HD@<840,($  dd < DD DD%D<DBDYD_D!vD$D%D)D*D-D/D1D3+D6MD8}D=D>($Xcr $DEDK$E$DRD[D^D_DaDcDpDrDvDy$D{2D|@D}ND~\DjDxDDDDDDDD:D@DiDDDDDDDDD*DBDUDmDDDDDDD"D#D&D, D.'D0_D2aD3D,D8D:D<D=D@DB $RS"p9ITUVwQgyTq(=ZE[gh+q rst$\u &  &G b v d 5$~C)Y ?7Qiv\iQ@vp_notify_rk___i686.get_pc_thunk.bx_start_rk_daemon_run_rk_check___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp___i686.get_pc_thunk.axdyld_stub_binding_helper_free_check_rc_if_check_open_ports_check_rc_ports_check_rc_pids_check_rc_sys_check_rc_dev_debug1_check_rc_trojans_fclose_check_rc_files_fopen_time_strlen_ErrorExit_StartMQ_merror_SendMSG_printf/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/run_rk_check.cgcc2_compiled._hostname_mapnotify_rk:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)rk_type:p(0,1)msg:p(0,2)=*(0,3)=r(0,3);0;127;char:t(0,3)start_rk_daemon:F(0,4)=(0,4)void:t(0,4)run_rk_check:F(0,4)time1:(0,5)=(0,6)=(0,7)=r(0,7);-2147483648;2147483647;time_t:t(0,5)__darwin_time_t:t(0,6)long int:t(0,7)time2:(0,5)fp:(0,8)=*(0,9)=(0,10)=xs__sFILE:FILE:t(0,9)__sFILE:T(0,10)=s88_p:(0,11)=*(0,12)=@s8;r(0,12);0;255;,0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,13)=@s16;r(0,13);-32768;32767;,96,16;_file:(0,13),112,16;_bf:(0,14)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,15)=*(0,4),224,32;_close:(0,16)=*(0,17)=f(0,1),256,32;_read:(0,18)=*(0,19)=f(0,1),288,32;_seek:(0,20)=*(0,21)=f(0,22)=(0,23)=(0,24)=(0,25)=@s64;r(0,25);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,26)=*(0,27)=f(0,1),352,32;_ub:(0,14),384,64;_extra:(0,28)=*(0,29)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,30)=ar(0,31)=r(0,31);0000000000000;0037777777777;;0;2;(0,12),512,24;_nbuf:(0,32)=ar(0,31);0;0;(0,12),536,8;_lb:(0,14),544,64;_blksize:(0,1),608,32;_offset:(0,22),640,64;;unsigned char:t(0,12)short int:t(0,13)__sbuf:T(0,14)=s8_base:(0,11),0,32;_size:(0,1),32,32;;fpos_t:t(0,22)__darwin_off_t:t(0,23)__int64_t:t(0,24)long long int:t(0,25)long unsigned int:t(0,33)=r(0,33);0000000000000;0037777777777;i:(0,1)basedir:(0,34)=ar(0,31);0;1;(0,3)li:(0,1)__local_name:G(0,2)hostname_map:S(0,35)=ar(0,31);0;255;(0,36)=k(0,12)rootcheck:G(0,37)=(0,38)=xs_rkconfig:rkconfig:t(0,37)_rkconfig:T(0,38)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,8),224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;rk_sys_file:G(0,39)=*(0,2)rk_sys_name:G(0,39)rk_sys_count:G(0,1)total_ports_udp:G(0,40)=ar(0,31);0;65535;(0,3)total_ports_tcp:G(0,40) #1/20 1201235565 0 0 100644 3540 ` win-common.ol @@__text__TEXT0__data__DATA0__const__TEXT@;4 P114UÐUÐUÐ  !"#$%&'*+,:;<=>?[\]^`{|}~dd<@DDD $9Djv$DDDw$ $D D&D+$  $ &@ & z"YThq(     0d0 ([AN6@zi_os_check_ads_is_registry_is_process___local_name_rootcheck_rk_sys_file_rk_sys_name_rk_sys_count_total_ports_udp_total_ports_tcp/mnt/gmirror/ports/security/ossec-hids-server/work/ossec-hids-1.3/src/rootcheck/win-common.cgcc2_compiled._hostname_mapos_check_ads:F(0,1)=r(0,1);-2147483648;2147483647;int:t(0,1)full_path:p(0,2)=*(0,3)=r(0,3);0;127;char:t(0,3)is_registry:F(0,1)entry_name:p(0,2)reg_option:p(0,2)reg_value:p(0,2)is_process:F(0,1)value:p(0,2)p_list:p(0,4)=*(0,5)=(0,5)void:t(0,5)__local_name:G(0,2)hostname_map:S(0,6)=ar(0,7)=r(0,7);0000000000000;0037777777777;;0;255;(0,8)=k(0,9)=@s8;r(0,9);0;255;long unsigned int:t(0,10)=r(0,10);0000000000000;0037777777777;unsigned char:t(0,9)rootcheck:G(0,11)=(0,12)=xs_rkconfig:rkconfig:t(0,11)_rkconfig:T(0,12)=s60workdir:(0,2),0,32;basedir:(0,2),32,32;rootkit_files:(0,2),64,32;rootkit_trojans:(0,2),96,32;winaudit:(0,2),128,32;winmalware:(0,2),160,32;winapps:(0,2),192,32;fp:(0,13)=*(0,14)=(0,15)=xs__sFILE:,224,32;daemon:(0,1),256,32;notify:(0,1),288,32;scanall:(0,1),320,32;readall:(0,1),352,32;disabled:(0,1),384,32;time:(0,1),416,32;queue:(0,1),448,32;;FILE:t(0,14)__sFILE:T(0,15)=s88_p:(0,16)=*(0,9),0,32;_r:(0,1),32,32;_w:(0,1),64,32;_flags:(0,17)=@s16;r(0,17);-32768;32767;,96,16;_file:(0,17),112,16;_bf:(0,18)=xs__sbuf:,128,64;_lbfsize:(0,1),192,32;_cookie:(0,4),224,32;_close:(0,19)=*(0,20)=f(0,1),256,32;_read:(0,21)=*(0,22)=f(0,1),288,32;_seek:(0,23)=*(0,24)=f(0,25)=(0,26)=(0,27)=(0,28)=@s64;r(0,28);01000000000000000000000;0777777777777777777777;,320,32;_write:(0,29)=*(0,30)=f(0,1),352,32;_ub:(0,18),384,64;_extra:(0,31)=*(0,32)=xs__sFILEX:,448,32;_ur:(0,1),480,32;_ubuf:(0,33)=ar(0,7);0;2;(0,9),512,24;_nbuf:(0,34)=ar(0,7);0;0;(0,9),536,8;_lb:(0,18),544,64;_blksize:(0,1),608,32;_offset:(0,25),640,64;;short int:t(0,17)__sbuf:T(0,18)=s8_base:(0,16),0,32;_size:(0,1),32,32;;fpos_t:t(0,25)__darwin_off_t:t(0,26)__int64_t:t(0,27)long long int:t(0,28)rk_sys_file:G(0,35)=*(0,2)rk_sys_name:G(0,35)rk_sys_count:G(0,1)total_ports_udp:G(0,36)=ar(0,7);0;65535;(0,3)total_ports_tcp:G(0,36)