Hey,

Yes, it seems to be a false positive. Can someone with this problem run:

strings /bin/login | grep -E 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'

That will show us which part of the signature is wrong.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, May 12, 2010 at 1:42 PM, grape <[email protected]> wrote:
> I had the same alert as you did. Found the following thread:
> http://art.ubuntuforums.org/showthread.php?t=1465667
> Hope it helps.
>
> Steve
>
> On May 3, 1:43 pm, Charlie <[email protected]> wrote:
>> anyone else seeing this?
>>
>> Received From: Nyar->rootcheck
>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
>> (rootcheck)."
>> Portion of the log(s):
>>
>> Trojaned version of file '/bin/login' detected. Signature used:
>> 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk' (Generic).
>
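
Added example, not part of the original thread and not OSSEC code: a shell script that extends the strings/grep command above by testing each alternative of the signature separately and printing the strings that contain it. The function names are hypothetical, and it assumes a POSIX shell with mktemp.

```shell
#!/bin/sh
# Added example: per-alternative breakdown of a rootcheck trojan signature.

# Signature string copied from the alert quoted in this thread.
SIG='bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'

# Print the printable strings (4+ chars) of a file. Uses strings(1) when
# installed, otherwise an approximation built from tr and grep.
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1"
    else
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
    fi
}

# sig_hits FILE [SIGNATURE]: print each alternative of SIGNATURE that occurs
# in FILE's strings, one per line. Returns 1 when no alternative matches.
sig_hits() {
    file=$1
    sig=${2:-$SIG}
    tmp=$(mktemp) || return 2
    printable_strings "$file" > "$tmp"
    found=1
    old_ifs=$IFS
    IFS='|'                      # split the signature on its alternation bars
    for tok in $sig; do
        if grep -q -E -- "$tok" "$tmp"; then
            printf '%s\n' "$tok"
            found=0
        fi
    done
    IFS=$old_ifs
    rm -f "$tmp"
    return $found
}

# sig_context FILE TOKEN: show the full strings that contain TOKEN, so the
# reader can judge whether the hit is, say, an ordinary shell path.
sig_context() {
    printable_strings "$1" | grep -E -- "$2"
}

# When run with a file argument, report every matching alternative.
if [ $# -gt 0 ]; then
    for t in $(sig_hits "$1"); do
        echo "== $t"
        sig_context "$1" "$t"
    done
fi
```

Run it as `sh script.sh /bin/login` on the affected host and post the output; each `==` line names the alternative that matched.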
