FS#72519 - [diffutils] Ossec Trojaned version of file '/bin/diff' detected

Attached to Project: Arch Linux
Opened by tom (archtom) - Friday, 22 October 2021, 19:10 GMT
Last edited by Jonas Witschel (diabonas) - Tuesday, 02 November 2021, 10:01 GMT
Task Type Support Request
Category Packages: Core
Status Closed
Assigned To No-one
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When installing the latest version of diffutils and ossec hids I get the following errors/warnings when running a syscheck/rootcheck:


OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION


It would be nice to have feedback on whether the package is possibly corrupted or whether this is a false positive.
I searched on the web and on the ossec GitHub site without success.
I even deleted all diff files:
rm -f '/bin/diff'
rm -f '/sbin/diff'
rm -f '/usr/bin/diff'
rm -f '/usr/sbin/diff'
and re-installed the package. Performing the steps below brings back the errors/warnings.

Thanks for any help.


Additional info:
* package version(s)
diffutils 3.8-1
ossec hids 3.6.0

Steps to reproduce:
install latest diffutils package and run
clear_stats -a
rootcheck_control -u all
syscheck_control -u all
agent_control -r -u 000

Closed by  Jonas Witschel (diabonas)
Tuesday, 02 November 2021, 10:01 GMT
Reason for closing:  Not a bug
Additional comments about closing:  False positive
Comment by loqs (loqs) - Friday, 22 October 2021, 20:05 GMT
Is /dev/[^n] matching against the string /dev/full which is in the diff binary?
What is the sha256sum of /usr/bin/diff that is being flagged?
Comment by tom (archtom) - Friday, 22 October 2021, 21:12 GMT
"Is /dev/[^n] matching against the string /dev/full which is in the diff binary?"

Sorry, I don't know exactly what I am supposed to test here... Can you please explain or post the exact command to check this?
Thanks

sha256sum /usr/bin/diff
cf08765335f033e7bbc4096a20661e5d3396cd39983de73901d9f2b592c4d996 /usr/bin/diff
Comment by loqs (loqs) - Friday, 22 October 2021, 21:36 GMT
If you change the entry for diff [1] to
diff !bash|^/bin/sh|file\.h|proc\.h||^/bin/.*sh!

removing |/dev/[^n] then rebuild ossec and retest does it still flag diff?

virustotal shows no matches for diff with that sha256sum [2]

[1] https://github.com/ossec/ossec-hids/blob/3.6.0/src/rootcheck/db/rootkit_trojans.txt#L39
[2] https://www.virustotal.com/gui/file/cf08765335f033e7bbc4096a20661e5d3396cd39983de73901d9f2b592c4d996
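The false positive discussed above comes down to the `/dev/[^n]` alternative in the `diff` entry of rootkit_trojans.txt matching a legitimate string in the binary. The following is an added example, not code from the thread or from OSSEC: it parses an entry in the `name !regex!` form quoted above and runs it over the printable strings of a file, the way a strings(1)-style scan would, using Python's re engine as an approximation of OSSEC's own regex engine (an assumption). The tightened entry is written with a single `|` here, because an empty alternative would match every file under Python's re. The sample byte strings are constructed stand-ins, not the real /usr/bin/diff.

```python
import re

# Entry format of OSSEC's rootkit_trojans.txt as it appears in this thread:
#   file_name !regex_alternatives!
SIG_ORIGINAL = "diff !bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh!"
# Same entry with the "|/dev/[^n]" alternative removed, as suggested above.
SIG_TIGHTENED = "diff !bash|^/bin/sh|file\\.h|proc\\.h|^/bin/.*sh!"


def parse_trojan_entry(line):
    """Split 'name !regex!' into (name, compiled regex).
    Assumption: Python's re with MULTILINE stands in for OSSEC's own engine."""
    name, rest = line.split("!", 1)
    pattern = rest.rsplit("!", 1)[0]
    return name.strip(), re.compile(pattern.encode(), re.MULTILINE)


def printable_strings(data, min_len=4):
    """Extract runs of printable ASCII like strings(1), one run per line,
    so that '^' in a signature anchors at the start of each string."""
    return b"\n".join(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))


def check_trojan(data, entry):
    """Return the fragment that made the signature fire, or None."""
    _name, regex = parse_trojan_entry(entry)
    match = regex.search(printable_strings(data))
    return match.group(0).decode() if match else None


# Constructed stand-in for a benign diff binary: ELF-like header bytes plus
# the legitimate string "/dev/full" that the thread identifies as the trigger.
BENIGN_DIFF = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
               + b"/dev/full\x00GNU diffutils\x00--unified\x00")

# Constructed sample that does contain a string the signature is meant to catch,
# to show the tightened entry still fires where it should.
SUSPECT = b"\x7fELF\x02\x01\x01\x00/bin/sh\x00-c\x00" + b"\x00" * 8

if __name__ == "__main__":
    print(check_trojan(BENIGN_DIFF, SIG_ORIGINAL))   # '/dev/f' -> false positive
    print(check_trojan(BENIGN_DIFF, SIG_TIGHTENED))  # None
    print(check_trojan(SUSPECT, SIG_TIGHTENED))      # '/bin/sh'
```

To try it against a real file, read /usr/bin/diff into `data` and call `check_trojan(data, SIG_ORIGINAL)`; a hit of `/dev/f` reproduces the rootcheck alert from the description.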
Comment by Morten Linderud (Foxboron) - Friday, 22 October 2021, 21:44 GMT
These are always false positives.
Comment by tom (archtom) - Friday, 22 October 2021, 21:50 GMT
@Foxboron: What sense does the test make if it is ALWAYS false positives?

@loqs: Thanks. The file rootkit_trojans.txt is installed to this place on my system:
/var/ossec/etc/shared/rootkit_trojans.txt

Can I just change the entry there to test or do I have to rebuild ossec and make the change before?

I will test tomorrow as it is pretty late here.

Thanks for the help.
Comment by loqs (loqs) - Friday, 22 October 2021, 21:58 GMT
Comment by tom (archtom) - Saturday, 23 October 2021, 11:44 GMT
Thanks for the feedback.
It was enough to change the line in /var/ossec/etc/shared/rootkit_trojans.txt and restart the scan as described above, and the errors/warnings no longer appear.

As a conclusion we are pretty sure it is a false positive, right?

What do you suggest? Filing an issue on github on the ossec hids project page?

Thanks for all the help. Have a nice weekend.
Comment by loqs (loqs) - Sunday, 24 October 2021, 00:03 GMT
Yes, please file an issue with the Ossec to correct the signature.
Comment by tom (archtom) - Sunday, 24 October 2021, 11:59 GMT
Thanks for all the help, done here:

https://github.com/ossec/ossec-hids/issues/2020