LinuxQuestions.org > Linux - Security
Thread: OSSEC slackware. tcpdump flagged as trojan. False Positive?
http://www.linuxquestions.org/questions/linux-security-4/ossec-slackware-tcpdump-flagged-as-trojan-false-positive-704530/

thefunnyman 02-13-2009 07:12 PM

OSSEC slackware. tcpdump flagged as trojan. False Positive?
 
Hello, first post.

I have a Slackware 12.2 VM that I built 2 days ago. Just a few hours ago I installed OSSEC HIDS on this VM and it just emailed me some interesting results. Again, this install is just a few days old and is also behind a router with a custom iptables script blocking incoming connections except on 443 and 1194. Below is the suspicious alert I received:

Code:

Trojaned version of file '/usr/sbin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh' (Generic).

I immediately changed the root password and took away execute permissions for tcpdump, but if I was compromised once in the span of 2 days, it could happen again.

Now, I have used OSSEC on my home network for quite a while and I get notifications all the time about files that I modify, but I have never had a rootcheck actually explicitly say that there existed a trojaned version of a file. Can anyone shed some light on what I should do at this point? How do I determine if this is a real threat or just a false positive? And if it's a real threat, I would love some insight as to how this might have happened.

Thank you so much in advance for any help anyone could provide.

thefunnyman

chort 02-13-2009 07:23 PM

Just a wild guess (I'm not familiar with OSSEC), but maybe tcpdump on Slackware is actually a shell script wrapper? What's the output of:
$ file /usr/sbin/tcpdump
?

thefunnyman 02-13-2009 07:38 PM

Quote:

Originally Posted by chort (Post 3442860)
Just a wild guess (I'm not familiar with OSSEC), but maybe tcpdump on Slackware is actually a shell script wrapper? What's the output of:
$ file /usr/sbin/tcpdump
?

Thanks for the reply. Below is the output.
Code:

/usr/sbin/tcpdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

Thanks for the help again.

penfoldTHIS 02-13-2009 10:04 PM

Quote:

Originally Posted by thefunnyman (Post 3442864)
Thanks for the reply. Below is the output.
Code:

/usr/sbin/tcpdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped

Thanks for the help again.

According to http://www.ossec.net/wiki/index.php/Supported_os , Slackware 12.2 isn't officially supported.

A couple of options are available though. Download the official package from slackware.com via http://packages.slackware.it/package...486-1#download and install that one. It is the same one from your base Slackware install.

If your problem still exists, chances are that it is a false positive. Make sure you verify your checksums before and after the install.

The second option would be to compile tcpdump for yourself, that way you know for sure.

I have had similar issues with rkhunter and false positives.

You could also contact the OSSEC crew to get more information on the issue.

GazL 02-14-2009 04:35 AM

This is from my current 12.2 box...

Code:

bash-3.1$ md5sum /usr/sbin/tcpdump
46a8be0e28f561dceb0416e6bfa851c2  /usr/sbin/tcpdump

Does it match yours?

unixfool 02-14-2009 12:22 PM

Here's mine:

Code:

ron@starchild:~$ md5sum /usr/sbin/tcpdump
9fbf6996c1d2bfb85bb4887bac5e655a  /usr/sbin/tcpdump

ron@starchild:~$ cat /etc/slackware-version
Slackware 12.0.0

ron@starchild:~$ ls -l /var/log/packages/ | grep tcpdump
-rw-r--r-- 1 root root  1499 2008-10-09 18:18 tcpdump-3.9.8-i486-1

EDIT -- my bad... you said v12.2. I'm running v12.0. IMO, you've got a false positive. Check the sum of the latest file from the repository.

thefunnyman 02-14-2009 05:27 PM

Quote:

Originally Posted by GazL (Post 3443123)
this is from my current 12.2 box...

Code:

bash-3.1$ md5sum /usr/sbin/tcpdump
46a8be0e28f561dceb0416e6bfa851c2  /usr/sbin/tcpdump

Does it match yours?

Thank you for your reply. That matches my output as well, so unless we both have been compromised, I think it's a safe bet that this is a false positive.

I also opened a dialog on ossec's mailing list, linked below for others that might happen upon LQ with a similar question.

http://groups.google.com/group/ossec...9758f65a4f9ca6

Thanks for the help and suggestions you all have given. I very much like the wealth of knowledge and friendliness of the people on this site.

thefunnyman

jschiwal 02-19-2009 01:03 PM

When I run "strings /usr/sbin/tcpdump" (I use SuSE), I don't see any of the strings that were reported. You checked that the binary was OK, but not whether the binary would be run. Try "which tcpdump" and "type tcpdump". (Yes, you said that it was /usr/sbin/tcpdump that was reported.)
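The checks the thread runs by hand (the strings-style look at the binary, and the md5sum comparison against a known-good build that GazL, unixfool and penfoldTHIS suggest) collected into one script. This is an added example, not code from the thread, from OSSEC or from Slackware. The signature is the one quoted in the alert; treating it as a per-string extended regex over the binary's printable runs is an assumption about how OSSEC's rootcheck matcher behaves. The three sample files are constructed stand-ins rather than a real tcpdump, and the "known-good" sum is taken from the constructed clean sample, where in practice it would come from a fresh install of the same package version.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC. Reproduces the two checks
# discussed above: (1) the rootcheck "Generic" trojan signature, approximated
# as a strings(1)-style scan of the file, and (2) comparison against a
# known-good md5sum. Sample files are constructed stand-ins, not Slackware's
# tcpdump.

# Signature copied verbatim from the OSSEC alert in the first post.
SIG='bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh'

# Print each run of 4+ printable characters on its own line (like strings(1)),
# using only tr/grep so binutils is not required.
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Exit 0 and print the first offending string if any printable run matches
# SIG; exit 1 if the file passes. '^' anchors per run, which is an assumption
# about how OSSEC's own matcher treats the pattern.
rootcheck_match() {
    printable_runs "$1" | grep -E -m 1 "$SIG"
}

# Exit 0 if FILE's md5 equals EXPECTED (a sum taken from a clean install of
# the same package version), 1 otherwise.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Create three constructed samples in a temp dir and print its path:
#   clean  - ELF-like bytes with ordinary tcpdump strings
#   trojan - a shell wrapper that execs something hidden under /dev/shm
#   benign - ELF-like bytes containing a legitimate device path, which the
#            generic '/dev/[^b]' term still matches (a false positive)
make_samples() {
    dir=$(mktemp -d)
    printf '\177ELF\001\001\001\000pcap_open_live\000tcpdump version 3.9.8\000' > "$dir/clean"
    printf '#!/bin/sh\nexec /dev/shm/.x/real_tcpdump "$@"\n' > "$dir/trojan"
    printf '\177ELF\001\001\001\000pcap_activate\000/dev/usbmon%%d\000' > "$dir/benign"
    echo "$dir"
}

# Walk through both checks for each sample and report, as the thread's
# participants did by hand.
demo() {
    dir=$(make_samples)
    known_good=$(md5sum "$dir/clean" | cut -d' ' -f1)   # stands in for a sum from a clean box
    for f in clean trojan benign; do
        if hit=$(rootcheck_match "$dir/$f"); then
            echo "$f: signature hit on '$hit'"
        else
            echo "$f: no signature hit"
        fi
        if verify_md5 "$dir/$f" "$known_good"; then
            echo "$f: md5 matches known-good build"
        else
            echo "$f: md5 DIFFERS from known-good build"
        fi
    done
    rm -rf "$dir"
}

demo
```

The "benign" sample is the point of the thread: a generic signature term like `/dev/[^b]` fires on any device path string, so a signature hit alone says nothing without the checksum comparison, and a matching sum from a clean box of the same release (or from a freshly reinstalled official package) is what actually settles it.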

