Trojaned version of file '/usr/bin/diff' detected.


Khul Sat

Apr 16, 2024, 6:45:30 AM
to Wazuh | Mailing List

Greetings!

I have recently been getting the following messages:

agent.name: agent-010 agent.ip: 172.30.1.100 data.title: Trojaned version of file detected. data.file: /bin/diff data.file: /usr/bin/diff location: rootcheck full_log: Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

Came across the following links:

https://github.com/wazuh/wazuh/issues/19346
https://groups.google.com/g/wazuh/c/L6xp5oeGhmA

Could you please suggest what exactly is to be done for the same?

Environment -
Wazuh 4.3.10 on AWS EKS

Thanks, KS

Md. Nazmur Sakib

Apr 16, 2024, 7:26:42 AM
to Wazuh | Mailing List

Hi Khul Sat, Thank you for reaching out to us.

It appears to be a known issue.

Currently, to solve the issue, on the Wazuh manager you only need to change this line in /etc/shared/default/rootkit_trojans.txt:

diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!

to this one:

diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!

After restarting the service, the issue should be resolved, as shown in the attached image.



Let me know if this works for you.
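The change above drops the `/dev/[^n]` branch of the signature. As an added triage helper (not part of this thread and not Wazuh's own code), the script below parses entries in the `name !pattern!` format used by rootkit_trojans.txt and reports which alternation branch of a signature matches the printable strings of a file, so you can see why an alert fired before editing the signature. It approximates the rootcheck scan with Python's `re` engine, and the sample binary bytes, including the "/dev/stdin" string, are constructed for the example.

```python
import re
import string

# Constructed entries in rootkit_trojans.txt format ("file !regex!"):
# the original diff signature and the patched one from the thread.
TROJANS_DB = r"""
# file !regex!
diff !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
diff-patched !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
"""

# Constructed stand-in for a binary: an ELF-like header plus a few strings.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00\x00\x00"
                 b"/dev/stdin\x00unrecognized option\x00\x00\x01\x02")

ENTRY_RE = re.compile(r"^(\S+)\s+!(.*)!\s*$")
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def parse_trojans_db(text):
    """Map file name -> signature, skipping comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes (like strings(1))."""
    out, cur = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode())
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode())
    return out


def matching_branches(pattern, data):
    """Sorted list of top-level '|' branches of pattern that hit any string.
    Naive split on '|' is fine for these signatures (no groups, no escaped '|')."""
    hits = {br for s in extract_strings(data)
            for br in pattern.split("|") if re.search(br, s)}
    return sorted(hits)
```

Running `matching_branches(parse_trojans_db(TROJANS_DB)["diff"], SAMPLE_BINARY)` shows only the `/dev/[^n]` branch firing, and the patched signature returns no hits.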

Jay Nagrecha

Apr 16, 2024, 8:08:58 AM
to Khul Sat, Wazuh | Mailing List
Hello Khulsat,

The issue is a False Positive event. It has been resolved now. Here is the reference link:


Hope this helps.

Regards,
Jay Nagrecha




Khul Sat

Apr 17, 2024, 12:36:03 AM
to Wazuh | Mailing List
Thank you so much for the help!
Could you please let me know what needs to be done in order to keep the changes persistent under the EKS environment? I am not very familiar with the Kubernetes architecture.


Thanks again, KS

Md. Nazmur Sakib

Apr 19, 2024, 7:42:23 AM
to Wazuh | Mailing List

I also do not have much expertise in Kubernetes architecture. I am sharing some resources that you may find useful.

https://discuss.kubernetes.io/t/how-to-modify-replace-a-file-which-is-already-exist-in-a-folder-of-pod/25112/3


https://discuss.elastic.co/t/modify-elastic-yml-file-in-kubernetes-pod/103612



Also, as a workaround, since this is a false positive, you can overwrite the rule to silence it with level 0.


You can do this from the Web interface.

Ref:

https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html


<rule id="510" level="0" overwrite="yes">


Rootcheck is used for malware detection. There are other ways to detect malware, like VirusTotal, YARA, etc. with FIM. You can also follow those.

https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/virus-total-integration.html

https://documentation.wazuh.com/current/user-manual/capabilities/malware-detection/fim-yara.html



I hope you find this information helpful.
