** Alert 1267693138.538: mail - ossec,rootcheck,
2010 Mar 04 10:58:58 sega->rootcheck
Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
Src IP: (none)
User: (none)
Trojaned version of file '/bin/du' detected. Signature used: '/dev|w0rm|/prof|file\.h' (Generic).
I received this alert immediately after OSSEC started. The system has just
been installed recently... like a couple of days ago only.... It was protected by
a fairly good firewall ruleset and strong passwords, etc. Is it just a false
positive, or did /bin/du really get trojaned that quickly?
--
Ivan Lezhnjov Jr.
Europe, Ukraine, Simferopol
+----------------------------------------------------------------------+
Key ID 0x5811D90C
Key Fingerprint 2A52 5C8C 38BE C04F D8DE A169 19E2 E49A 5811 D90C
Use GPG Exercise Your Right To Privacy
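To help readers reproduce the logic behind such an alert, here is an added Python example (not OSSEC's own code and not the poster's) that approximates rootcheck's string-signature check and shows why the deciding triage step is comparing the flagged binary against a known-good hash. The signature pattern is the one from the alert; the sample file contents, the reference hash and the assumption that the signature is applied as a regex over the file's bytes are all constructed for illustration.

```python
import hashlib
import re

# Alternation taken verbatim from the alert above; a hit on any branch fires the rule.
GENERIC_TROJAN_SIGNATURE = rb"/dev|w0rm|/prof|file\.h"


def signature_hits(data: bytes, signature: bytes = GENERIC_TROJAN_SIGNATURE) -> list:
    """Approximate rootcheck's trojan check: return the distinct signature
    branches found in the file contents (an empty list means no alert)."""
    return sorted({m.group(0) for m in re.finditer(signature, data)})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(path: str, data: bytes, known_good: dict) -> str:
    """Classify a rootcheck hit by comparing the binary against a trusted
    reference hash (package manager, install media or identical fresh host)."""
    hits = signature_hits(data)
    if not hits:
        return "no-match"
    if known_good.get(path) == sha256_hex(data):
        # Bytes are identical to the vendor binary: the pattern matched a
        # legitimate string (here a path containing "/dev"), so it is noise.
        return "false-positive"
    # Pattern matched and the file differs from the reference: treat as suspect.
    return "investigate"


# Constructed stand-ins for a binary (not real /bin/du contents).
CLEAN_DU = b"\x7fELF\x02\x01\x01...du: cannot read directory /dev/null..."
TAMPERED_DU = CLEAN_DU + b"\x00w0rm\x00"   # an extra marker string a backdoor might embed

# Constructed reference table; on a real host this must come from a trusted source.
KNOWN_GOOD = {"/bin/du": sha256_hex(CLEAN_DU)}
```

On a real host the reference hash should come from outside the suspect system, for example the distribution's package database (`rpm -V coreutils`, `debsums coreutils`) or the same package on a clean install, not from the host's own copy of the file.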