Hi Martin,

Can you run:

grep -E 'bash|/dev/ida|/dev/' /sbin/hdparm

So we can see what is matching on that binary.

Thanks for the report.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sun, Mar 30, 2008 at 5:14 AM, Martin West <[EMAIL PROTECTED]> wrote:
>
> I just upgraded my Debian system
> from dpkg.log ...
>
> 2008-03-29 08:58:50 status half-configured hdparm 8.6-1
> 2008-03-29 08:58:51 status installed hdparm 8.6-1
>
> then had this alert - I'm assuming this is a false positive due to the new
> version.
>
> OSSEC HIDS Notification.
> 2008 Mar 29 23:19:03
>
> Received From: thecla2->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Trojaned version of file '/sbin/hdparm' detected. Signature used:
> 'bash|/dev/ida|/dev/' (Generic).
>
>
>
> --END OF NOTIFICATION
>
>
> --
> regards
> Martin West
> 07879 680096
>
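An added example, not part of the original thread and not OSSEC's own code: it extends the grep requested above by reporting which alternative of the rootcheck signature matched and on which embedded strings. It assumes each '|'-separated alternative is a literal string; `sig_hits`, `sig_count` and `make_sample` are names invented here, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: break a rootcheck trojan signature into its alternatives and
# list the printable strings in a binary that each alternative matches.
# Assumption: alternatives are literal strings separated by '|'.

# sig_hits FILE SIGNATURE -> lines of "alternative<TAB>matching string"
sig_hits() (
    file=$1
    sig=$2
    set -f          # no globbing while splitting the signature
    IFS='|'
    for alt in $sig; do
        # Turn every non-printable byte into a newline (a minimal `strings`),
        # then keep the distinct printable runs containing this alternative.
        LC_ALL=C tr -c '[:print:]' '\n' < "$file" |
            { LC_ALL=C grep -F -e "$alt" || true; } |
            sort -u |
            while IFS= read -r s; do printf '%s\t%s\n' "$alt" "$s"; done
    done
)

# sig_count FILE SIGNATURE ALTERNATIVE -> number of distinct strings hit
sig_count() {
    sig_hits "$1" "$2" |
        awk -F '\t' -v a="$3" '$1 == a { n++ } END { print n + 0 }'
}

# Constructed stand-in for a binary (NOT real hdparm contents): a few
# printable strings separated by non-printable bytes.
make_sample() {
    printf '\177ELF\001\002\003/dev/hda\001%s\002\003/proc/ide\001' \
        'usage: tool [options] /dev/sdX' > "$1"
}

sample=$(mktemp)
make_sample "$sample"
# On a real host: sig_hits /sbin/hdparm 'bash|/dev/ida|/dev/'
sig_hits "$sample" 'bash|/dev/ida|/dev/'
rm -f "$sample"
```

If every hit comes from one alternative and the matched strings are ordinary for the program, that supports a false positive; comparing the file against the package's checksums is the independent check.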
