OSSEC slackware. tcpdump flagged as trojan. False Positive?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
OSSEC slackware. tcpdump flagged as trojan. False Positive?
Hello, first post.
I have a slackware 12.2 vm that I built 2 days ago. Just a few hours ago I installed OSSEC HIDS on this vm and it just emailed me some interesting results. Again, this install is just a few days old and is also behind a router with a custom iptables script blocking incoming connections except on 443 and 1194. Below is the suspicious alert I received:
Code:
Trojaned version of file '/usr/sbin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh' (Generic).
I immediately changed the root password and took away execute permissions for tcpdump, but if I was compromised once in the span of 2 days, it could happen again
Now, I have used OSSEC on my home network for quite a while and I get notifications all the time about files that I modify, but I have never had a rootcheck actually explicitly say that there existed a trojaned version of a file. Can anyone shed some light on what I should do at this point? How do I determine if this is a real threat or just a false positive? And if it's a real threat, I would love some insight as to how this might have happened.
Thank you so much in advance for any help anyone could provide.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Just a wild guess (I'm not familiar with OSSEC), but maybe tcpdump on Slackware is actually a shell script wrapper? What's the output of:
$ file /usr/sbin/tcpdump
?
Just a wild guess (I'm not familiar with OSSEC), but maybe tcpdump on Slackware is actually a shell script wrapper? What's the output of:
$ file /usr/sbin/tcpdump
?
A couple of options are available though. Download the official package from slackware.com via http://packages.slackware.it/package...486-1#download and install that one. It is the same one from your base Slackware install.
If your problem still exists, chances are that it is a false positive. Make sure you verify your checksums before and after the install.
The second option would be to compile tcpdump for yourself, that way you know for sure.
I have had similar issues with rkhunter and false positives.
Also, you could also contact the OSSEC crew to get more information on the issue.
Thank you for your reply. That matches my output as well, so unless we both have been compromised, I think it's a safe bet that this is a false positive.
I also opened a dialog on ossec's mailing list, linked below for others that might happen upon LQ with a similar question.
When I run "strings /usr/sbin/tcpdump" (I use SuSE), I don't see any of the strings that were reported. You checked that the binary was OK, but not whether the binary would be run. Try "which tcpdump", and "type tcpdump". ( Yes, you said that it was /usr/sbin/tcpdump that was reported )
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
