FS#72519 - [diffutils] Ossec Trojaned version of file '/bin/diff' detected
Attached to Project:
Arch Linux
Opened by tom (archtom) - Friday, 22 October 2021, 19:10 GMT
Last edited by Jonas Witschel (diabonas) - Tuesday, 02 November 2021, 10:01 GMT
Details
Description:
When installing the latest version of diffutils and ossec hids I get the following errors/warnings when running a syscheck/rootcheck:

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

It would be nice to have feedback on whether the package is possibly corrupted or if this is a false positive. I searched on the web and on the ossec github site without success. I even deleted all diff binaries

rm -f '/bin/diff'
rm -f '/sbin/diff'
rm -f '/usr/bin/diff'
rm -f '/usr/sbin/diff'

and re-installed the package. Performing the steps below brings back the errors/warnings. Thanks for any help.
Additional info:
* package version(s)
diffutils 3.8-1
ossec hids 3.6.0

Steps to reproduce:
install latest diffutils package and run

clear_stats -a
rootcheck_control -u all
syscheck_control -u all
agent_control -r -u 000
Closed by Jonas Witschel (diabonas)
Tuesday, 02 November 2021, 10:01 GMT
Reason for closing: Not a bug
Additional comments about closing: False positive
What is the sha256sum of /usr/bin/diff that is being flagged?
Sorry, I don't exactly know what I am supposed to test here... Can you please explain or post the exact command to check this?
Thanks
sha256sum /usr/bin/diff
cf08765335f033e7bbc4096a20661e5d3396cd39983de73901d9f2b592c4d996 /usr/bin/diff
diff !bash|^/bin/sh|file\.h|proc\.h||^/bin/.*sh!
Removing |/dev/[^n], then rebuilding ossec and retesting: does it still flag diff?
VirusTotal shows no matches for diff with that sha256sum [2].
[1] https://github.com/ossec/ossec-hids/blob/3.6.0/src/rootcheck/db/rootkit_trojans.txt#L39
[2] https://www.virustotal.com/gui/file/cf08765335f033e7bbc4096a20661e5d3396cd39983de73901d9f2b592c4d996
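Added example, not part of this thread and not OSSEC's own code: rootcheck's trojan check pulls printable strings out of each listed binary and matches them against the signature from rootkit_trojans.txt, but the notification only names the signature, not the string that matched. The script below approximates that check with Python's re module so you can see which extracted string makes the 'diff' signature fire, and re-runs it with the /dev/[^n] alternative dropped as suggested above. The translation of OSSEC's own regex dialect to Python re is an assumption, as are the sample blobs (constructed here, not real diff contents); the string that actually triggers on diffutils 3.8 is not identified in this thread, so run the script against the real /usr/bin/diff. Note that on Arch /bin, /sbin and /usr/sbin are symlinks into /usr/bin, so the four notifications in the report concern one file.

```python
"""Approximate OSSEC rootcheck's trojan-signature check over a binary.

Added example, not OSSEC's code. rootcheck extracts printable strings from
a binary and matches each against a pattern from rootkit_trojans.txt; this
does the same with Python's re module (an approximation of OSSEC's own
regex dialect) and names the alternative responsible for each hit.
"""
import re
import sys

# Signature quoted in the report: the rootkit_trojans.txt entry for 'diff'.
DIFF_SIGNATURE = r"bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh"

MIN_STRING_LEN = 4  # like strings(1): ignore very short printable runs


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Return runs of printable ASCII (0x20..0x7e) at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def matching_strings(blob: bytes, signature: str = DIFF_SIGNATURE) -> list:
    """Return (string, alternative) pairs that would make rootcheck fire.

    Each '|'-separated alternative is compiled on its own and tried against
    every extracted string, so the result says which alternative matched.
    The '^' anchors apply per extracted string, as rootcheck matches string
    by string rather than over the whole file.
    """
    compiled = [(alt, re.compile(alt)) for alt in signature.split("|")]
    hits = []
    for s in extract_strings(blob):
        for alt, rx in compiled:
            if rx.search(s):
                hits.append((s, alt))
                break
    return hits


def without_alternative(signature: str, alternative: str) -> str:
    """Drop one alternative (e.g. '/dev/[^n]') to test a narrowed signature."""
    return "|".join(a for a in signature.split("|") if a != alternative)


# Constructed sample 'binaries' (assumption: not real diff contents): junk
# bytes around a few strings. CLEAN only carries strings the signature does
# NOT match; '/dev/null' is excluded by the [^n] class. SUSPECT adds two
# strings that do match, one of them via the /dev/[^n] alternative.
CLEAN = (b"\x7fELF\x02\x01\x01" + b"\x00" * 8
         + b"Usage: diff [OPTION]... FILES\x00"
         + b"/dev/null\x00" + b"\x01\x02\x03"
         + b"GNU diffutils\x00")
SUSPECT = CLEAN + b"/bin/sh -c\x00" + b"/dev/stdin\x00"


if __name__ == "__main__":
    # Usage: python3 <this script> /usr/bin/diff
    # Without an argument it runs over the constructed SUSPECT blob.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPECT
    for s, alt in matching_strings(blob):
        print(f"{alt:<14} <- {s!r}")
    narrowed = without_alternative(DIFF_SIGNATURE, "/dev/[^n]")
    print("after dropping /dev/[^n]:", matching_strings(blob, narrowed))
```

Point it at the flagged file to get the offending string; if every hit comes from one broad alternative and the strings are ordinary (help text, device paths), you have a false positive and can narrow that entry in /var/ossec/etc/shared/rootkit_trojans.txt. If a hit is a shell invocation or a path the binary has no reason to contain, treat it as real and compare the package's checksum before trusting the file.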
@loqs: Thanks. The file rootkit_trojans.txt is installed to this place on my system:
/var/ossec/etc/shared/rootkit_trojans.txt
Can I just change the entry there to test or do I have to rebuild ossec and make the change before?
I will test tomorrow as it is pretty late here.
Thanks for the help.
There have been previous false positives caused by that ruleset, see [1][2][3][4].
[1] https://github.com/ossec/ossec-hids/issues/1720
[2] https://github.com/ossec/ossec-hids/issues/994
[3] https://github.com/ossec/ossec-hids/commit/12fbbe8398bffb85c1a66f00af6871b2a78115ca
[4] https://github.com/ossec/ossec-hids/commit/fa4a571036b07ecbdbba641146e16b4d10b324de
It was enough to change the line in /var/ossec/etc/shared/rootkit_trojans.txt and restart the scan as described above, and the errors/warnings no longer appear.
As a conclusion we are pretty sure it is a false positive, right?
What do you suggest? Filing an issue on github on the ossec hids project page?
Thanks for all the help. Have a nice weekend.
https://github.com/ossec/ossec-hids/issues/2020