1 Week Old Slackware 12.2 install - trojaned version of /usr/sbin/tcpdump found


Matt Harris

Feb 14, 2009, 1:10:15 AM
to ossec...@ossec.net
I'm assuming that this is a false positive, but I'd prefer not to take any chances.  I also know that Slackware 12.2 isn't "officially" supported.  Below is the output of an email notification I received less than an hour after installing OSSEC HIDS.

Trojaned version of file '/usr/sbin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh' (Generic).

I initially created a post regarding this on linuxquestions.org linked here:
http://www.linuxquestions.org/questions/linux-security-4/ossec-slackware.-tcpdump-flagged-as-trojan.-false-positive-704530/

I have dug through the mailing list of other users having similar events fired for other files and took the liberty of providing the output from the following command to save a little time.

user@host:~$ strings /usr/sbin/tcpdump | grep -E 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh'
/dev/usbmon%d

Thank you in advance for anyone that could offer an opinion on whether this should be regarded as a valid threat.

Matt

Peter M. Abraham

Feb 14, 2009, 11:32:10 AM
to ossec-list
Greetings Matt:

I don't know Slackware, but if it uses RPMs, then there might be a
check like

rpm -Va 2>/dev/null | grep '^S.5'

I'm not sure if it is a false positive or not as I've seen machines
"just" connected to the Internet start getting attacked in five
minutes or so; and http://www.dshield.org/ used to have an area (maybe
they still do) that shows the average time for a hacker to break into
a not purposely hardened and kept hardened box (typically in under 15
minutes).

Thank you.

Matt Harris

Feb 14, 2009, 6:18:59 PM
to ossec...@googlegroups.com
Thank you for your reply.  I would like to know if that is the exact command I should run.  It did not produce any output.  Also if you could explain to me what that command is actually accomplishing.

Also, I received a reply on LQ.org from another user running Slackware 12.2.  He offered the md5sum for tcpdump and it matches my md5 as well.  As it stands at this point, I'm pretty sure that it is a false positive, but I'd still like to read your reply so that I may understand and learn a little more about what information you were looking for.

Thanks so much

Matt
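The two checks discussed in this thread, the OSSEC generic trojan signature applied to a binary's printable strings and the md5sum comparison against a trusted copy, reimplemented as an added Python example (not OSSEC's own rootcheck code). The byte strings are constructed samples, not real binaries; the `/dev/[^b]` alternative is the part of the signature that matches `/dev/usbmon%d`.

```python
import hashlib
import re

# Generic trojan signature quoted in the OSSEC alert above. rootcheck applies it to
# the printable strings of the file, so the '^' anchors match the start of each
# extracted string, exactly as with `strings ... | grep -E ...`.
GENERIC_SIGNATURE = re.compile(rb"bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh")


def printable_strings(data, min_len=4):
    """Approximate strings(1): runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, data)]


def signature_hits(data, signature=GENERIC_SIGNATURE):
    """Return every extracted string the generic signature matches (empty = no alert)."""
    return [s for s in printable_strings(data) if signature.search(s)]


def md5_matches(data, known_good_hex):
    """Second check used in the thread: compare against a trusted md5sum."""
    return hashlib.md5(data).hexdigest() == known_good_hex.lower()


def assess(data, known_good_hex=None):
    """Combine both checks into one verdict; hash_ok is None when no reference is given."""
    hits = signature_hits(data)
    hash_ok = None if known_good_hex is None else md5_matches(data, known_good_hex)
    return {"signature_hits": hits, "hash_ok": hash_ok}


# Constructed sample (not a real ELF): a libpcap-style string table containing the
# usbmon device path the poster's grep found; /dev/bpf is excluded by [^b].
TCPDUMP_LIKE = b"\x7fELF\x00tcpdump version\x00/dev/usbmon%d\x00/dev/bpf\x00"
# Constructed sample carrying the kind of strings the signature was written to catch.
SUSPECT_LIKE = b"\x7fELF\x00/bin/sh -c\x00/bin/bash\x00"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, assess(f.read()))
```

A signature hit on a single device path, as here, is exactly the case where the hash comparison against a known-good package copy decides the question.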