Hi Ivan,

What distribution are you using? Can you run the following command:

# strings /bin/du |grep -E '/dev|w0rm|/prof|file\.h'

This will help us understand if it is a false positive or not.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Mar 4, 2010 at 5:02 AM, Ivan Lezhnjov Jr. <[email protected]> wrote:
> ** Alert 1267693138.538: mail - ossec,rootcheck,
> 2010 Mar 04 10:58:58 sega->rootcheck
> Rule: 510 (level 7) -> 'Host-based anomaly detection event (rootcheck).'
> Src IP: (none)
> User: (none)
> Trojaned version of file '/bin/du' detected. Signature used: '/dev|w0rm|/prof|file\.h' (Generic).
>
> I received this alert immediately after OSSEC started, the system has just
> been recently installed... like a couple of days only.... it was protected by
> a fairly good firewall ruleset and strong passwords, etc. Is it just a false
> positive or has /bin/du really got trojaned that quick?
>
> --
>
> Ivan Lezhnjov Jr.
>
> Europe, Ukraine, Simferopol
>
> +----------------------------------------------------------------------+
>
> Key ID 0x5811D90C
> Key Fingerprint 2A52 5C8C 38BE C04F D8DE A169 19E2 E49A 5811 D90C
> Use GPG Exercise Your Right To Privacy
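The `strings | grep -E` command Daniel asks for is exactly what the rootcheck rule does internally: pull the printable strings out of the binary and test each one against the signature regex. The added Python script below (not part of the thread, and not OSSEC's own code) reproduces that check so that the matching strings themselves are shown, which is what you need to decide whether an alert is a false positive. Note that the `/dev` alternative in the signature matches any string containing it, including a benign `/dev/null`, so seeing the actual matched string matters. The sample byte blobs are constructed for the example; pass a path on the command line to check a real file.

```python
import re
import sys

# The rootcheck signature quoted in the alert, compiled once.
DU_SIGNATURE = re.compile(r'/dev|w0rm|/prof|file\.h')


def extract_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    for m in re.finditer(pattern, data):
        yield m.group().decode('ascii')


def check_signature(data: bytes, signature=DU_SIGNATURE, min_len: int = 4):
    """Return a list of (string, matched_token) pairs that would fire the rule.

    An empty list means the binary would not trigger the signature at all.
    A non-empty list needs a human look: '/dev/null' is a legitimate string,
    while a token like 'w0rm' inside an unusual path is worth escalating.
    """
    hits = []
    for s in extract_strings(data, min_len):
        m = signature.search(s)
        if m:
            hits.append((s, m.group()))
    return hits


# Constructed sample data (not real binaries): a blob with only benign
# strings, and the same blob with two strings that trip the signature.
SAMPLE_CLEAN = (b'\x7fELF\x00\x00'
                b'Usage: du [OPTION]... [FILE]...\x00'
                b'coreutils\x00')
SAMPLE_HIT = SAMPLE_CLEAN + b'/dev/null\x00' + b'.w0rm-hidden\x00'


def report(label: str, data: bytes) -> None:
    hits = check_signature(data)
    if not hits:
        print(f'{label}: no signature match')
        return
    print(f'{label}: {len(hits)} matching string(s)')
    for s, token in hits:
        print(f'  token {token!r} in string {s!r}')


if __name__ == '__main__':
    if len(sys.argv) > 1:
        # Real file given, e.g. /bin/du: same check as the strings|grep one-liner,
        # but with the matched token shown next to the full string.
        with open(sys.argv[1], 'rb') as fh:
            report(sys.argv[1], fh.read())
    else:
        report('constructed clean sample', SAMPLE_CLEAN)
        report('constructed sample with hits', SAMPLE_HIT)
```

Run it against the path in question to see each string that matched and which alternative of the signature it matched; a single `/dev` hit inside an ordinary path tells a very different story from a `w0rm` hit.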
