LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 02-13-2009, 08:12 PM   #1
thefunnyman
LQ Newbie
 
Registered: Nov 2007
Location: Arkansas
Distribution: ubuntu 8.10, slackware
Posts: 3

Rep: Reputation: 0
OSSEC slackware. tcpdump flagged as trojan. False Positive?


Hello, first post.

I have a slackware 12.2 vm that I built 2 days ago. Just a few hours ago I installed OSSEC HIDS on this vm and it just emailed me some interesting results. Again, this install is just a few days old and is also behind a router with a custom iptables script blocking incoming connections except on 443 and 1194. Below is the suspicious alert I received:

Code:
Trojaned version of file '/usr/sbin/tcpdump' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^b]|^/bin/.*sh' (Generic).
I immediately changed the root password and took away execute permissions for tcpdump, but if I was compromised once in the span of 2 days, it could happen again

Now, I have used OSSEC on my home network for quite a while and I get notifications all the time about files that I modify, but I have never had a rootcheck actually explicitly say that there existed a trojaned version of a file. Can anyone shed some light on what I should do at this point? How do I determine if this is a real threat or just a false positive? And if it's a real threat, I would love some insight as to how this might have happened.

Thank you so much in advance for any help anyone could provide.

thefunnyman
 
Old 02-13-2009, 08:23 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Just a wild guess (I'm not familiar with OSSEC), but maybe tcpdump on Slackware is actually a shell script wrapper? What's the output of:
$ file /usr/sbin/tcpdump
?
 
Old 02-13-2009, 08:38 PM   #3
thefunnyman
LQ Newbie
 
Registered: Nov 2007
Location: Arkansas
Distribution: ubuntu 8.10, slackware
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by chort View Post
Just a wild guess (I'm not familiar with OSSEC), but maybe tcpdump on Slackware is actually a shell script wrapper? What's the output of:
$ file /usr/sbin/tcpdump
?
Thanks for the reply. Below is the output.
Code:
/usr/sbin/tcpdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
Thanks for the help again.
 
Old 02-13-2009, 11:04 PM   #4
penfoldTHIS
LQ Newbie
 
Registered: Mar 2006
Location: Arkansas,US
Distribution: Slackware 12.1
Posts: 7

Rep: Reputation: 0
Quote:
Originally Posted by thefunnyman View Post
Thanks for the reply. Below is the output.
Code:
/usr/sbin/tcpdump: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
Thanks for the help again.
According to http://www.ossec.net/wiki/index.php/Supported_os , Slackware 12.2 isn't officially supported.

A couple of options are available though. Download the official package from slackware.com via http://packages.slackware.it/package...486-1#download and install that one. It is the same one from your base Slackware install.

If your problem still exists, chances are that it is a false positive. Make sure you verify your checksums before and after the install.

The second option would be to compile tcpdump for yourself, that way you know for sure.

I have had similar issues with rkhunter and false positives.

Also, you could also contact the OSSEC crew to get more information on the issue.
 
Old 02-14-2009, 05:35 AM   #5
GazL
Senior Member
 
Registered: May 2008
Posts: 3,502

Rep: Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024Reputation: 1024
this is from my current 12.2 box...

Code:
bash-3.1$ md5sum /usr/sbin/tcpdump
46a8be0e28f561dceb0416e6bfa851c2  /usr/sbin/tcpdump
Does it match yours?
 
Old 02-14-2009, 01:22 PM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Here's mine:

Code:
ron@starchild:~$ md5sum /usr/sbin/tcpdump 
9fbf6996c1d2bfb85bb4887bac5e655a  /usr/sbin/tcpdump

ron@starchild:~$ cat /etc/slackware-version 
Slackware 12.0.0

ron@starchild:~$ ls -l /var/log/packages/ | grep tcpdump
-rw-r--r-- 1 root root   1499 2008-10-09 18:18 tcpdump-3.9.8-i486-1
EDIT -- my bad...you said v12.2. I'm running v12.0. IMO, you've got a false positive. check the sum of the latest file from the repository

Last edited by unixfool; 02-14-2009 at 01:23 PM.
 
Old 02-14-2009, 06:27 PM   #7
thefunnyman
LQ Newbie
 
Registered: Nov 2007
Location: Arkansas
Distribution: ubuntu 8.10, slackware
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by GazL View Post
this is from my current 12.2 box...

Code:
bash-3.1$ md5sum /usr/sbin/tcpdump
46a8be0e28f561dceb0416e6bfa851c2  /usr/sbin/tcpdump
Does it match yours?
Thank you for your reply. That matches my output as well, so unless we both have been compromised, I think it's a safe bet that this is a false positive.

I also opened a dialog on ossec's mailing list, linked below for others that might happen upon LQ with a similar question.

http://groups.google.com/group/ossec...9758f65a4f9ca6

Thanks for the help and suggestions you all have given. I very much like the wealth of knowledge and friendliness of the people on this site.

thefunnyman
 
Old 02-19-2009, 02:03 PM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655Reputation: 655
When I run "strings /usr/sbin/tcpdump" (I use SuSE), I don't see any of the strings that were reported. You checked that the binary was OK, but not whether the binary would be run. Try "which tcpdump", and "type tcpdump". ( Yes, you said that it was /usr/sbin/tcpdump that was reported )
 
  


Reply

Tags
slackware, tcpdump, trojan


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
apache / mod_security: fixing false positive 950013 fryzer Linux - Server 5 05-06-2008 11:30 AM
blocking false ssh users with ossec txm123 Linux - Newbie 2 07-31-2007 03:51 PM
Is this a false positive....A/V question cbjhawks Linux - Security 4 02-21-2006 07:50 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 2 03-09-2004 10:16 AM
'Chkrootkit 0.43' false positive? Mr. Gone Linux - Security 0 03-08-2004 09:06 AM


All times are GMT -5. The time now is 09:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration