The latest version of GNU coreutils (8.2) contains a reference to /dev/null in /bin/du, which is triggering a trojan alert with OSSEC 2.3. The rule which causes this is in etc/shared/rootkit_trojans.txt:

    du !/dev|w0rm|/prof|file\.h!

The matching pattern in /bin/du:

    [r...@mumble ~]# strings /bin/du | egrep '/dev|w0rm|/prof|file\.h'
    /dev/null

This binary of du is from Arch Linux. I've rebuilt coreutils 8.2 from source on another machine and this string does appear in the binary. Since other distributions are likely to upgrade coreutils soon, it would probably be a good idea to relax this rule.

Thanks,
Brian
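To make the false positive concrete, here is an added example (not OSSEC's own code, and not part of Brian's post) that emulates what the rootcheck trojan test does: take a `name !regex!` line in the rootkit_trojans.txt format, extract the printable strings from a file the way strings(1) would, and see which of them the regex hits. It uses Python's re module as a stand-in for OSSEC's own regex engine, and the three byte strings standing in for /bin/du are constructed samples, not real binaries. The "relaxed" variant that ignores a small allowlist of known-benign strings is an assumption about how one might relax the rule, not a change OSSEC made.

```python
"""Emulate the OSSEC rootcheck trojan-string test (added example, not OSSEC code).

Assumptions: Python's re module approximates OSSEC's regex dialect well enough for
this rule, and the sample "binaries" below are constructed byte strings.
"""
import re

# The rule quoted in the post, in rootkit_trojans.txt format: name !regex!
RULE_LINE = r"du !/dev|w0rm|/prof|file\.h!"

# Constructed stand-ins for /bin/du (not real ELF files).
OLD_DU = b"\x7fELF\x00\x00coreutils 8.1\x00%s: cannot access\x00usage: du\x00"
COREUTILS_82_DU = b"\x7fELF\x00\x00coreutils 8.2\x00/dev/null\x00usage: du\x00"
TROJANED_DU = b"\x7fELF\x00\x00coreutils 8.2\x00/dev/ptyp\x00w0rm\x00"

# Assumed allowlist for the relaxed check: strings a legitimate du may contain.
BENIGN_STRINGS = frozenset({"/dev/null"})


def parse_rule(line):
    """Split 'name !regex!description' into its parts."""
    name, _, rest = line.partition(" !")
    pattern, _, description = rest.partition("!")
    return name.strip(), pattern, description.strip()


def printable_strings(data, minlen=4):
    """Rough equivalent of strings(1): runs of >= minlen printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def matching_strings(rule_regex, data, allowlist=()):
    """Return the strings in data that the rule regex hits.

    Strings listed in allowlist are skipped; with an empty allowlist this is
    the plain behaviour that fires on coreutils 8.2's /dev/null reference.
    """
    regex = re.compile(rule_regex)
    return [s for s in printable_strings(data)
            if s not in allowlist and regex.search(s)]


def is_flagged(rule_line, data, allowlist=()):
    """True if the binary would raise a trojan alert under this rule."""
    _, rule_regex, _ = parse_rule(rule_line)
    return bool(matching_strings(rule_regex, data, allowlist))


if __name__ == "__main__":
    name, rule_regex, _ = parse_rule(RULE_LINE)
    for label, sample in (("8.1", OLD_DU), ("8.2", COREUTILS_82_DU),
                          ("trojaned", TROJANED_DU)):
        strict = matching_strings(rule_regex, sample)
        relaxed = matching_strings(rule_regex, sample, BENIGN_STRINGS)
        print(f"{name} ({label}): strict={strict} relaxed={relaxed}")
```

Running it shows the point of the post: under the rule as shipped the 8.2 sample is flagged purely because of `/dev/null`, while the allowlisted check stays quiet on it and still flags the sample carrying `/dev/ptyp` and `w0rm`. A real relaxation would be done in the rule's regex rather than with a side allowlist, since rootcheck has no allowlist mechanism for this file.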
