Hi Charlie,

Thanks! Just fixed on the latest snapshot:

http://www.ossec.net/files/snapshots/

Can you give it a try?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Fri, May 14, 2010 at 3:58 PM, Charlie <[email protected]> wrote:
> :~$ strings /bin/login | grep -E 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'
> /bin/bash
> /bin/bash
>
> On Fri, May 14, 2010 at 12:51 PM, Daniel Cid <[email protected]> wrote:
>>
>> Hey,
>>
>> Yes, it seems a false positive. Can someone with this problem run
>>
>> strings /bin/login | grep -E 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'
>>
>> That will show us which part of the signature is wrong.
>>
>> Thanks,
>>
>> --
>> Daniel B. Cid
>> dcid ( at ) ossec.net
>>
>> On Wed, May 12, 2010 at 1:42 PM, grape <[email protected]> wrote:
>> > I had the same alert as you did. Found the following thread:
>> > http://art.ubuntuforums.org/showthread.php?t=1465667
>> > Hope it helps.
>> >
>> > Steve
>> >
>> > On May 3, 1:43 pm, Charlie <[email protected]> wrote:
>> >> anyone else seeing this?
>> >>
>> >> Received From: Nyar->rootcheck
>> >> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>> >> Portion of the log(s):
>> >>
>> >> Trojaned version of file '/bin/login' detected. Signature used: 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk' (Generic).
>> >
>
>
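
A per-alternative breakdown of the check requested in the thread, as an added example that is not part of the original messages or of OSSEC's code: it splits the signature on `|` and lists which alternative matched which printable string. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example (not OSSEC code): show which alternative of a rootcheck-style
# signature matches which printable string in a file.

# Printable strings of FILE: strings(1) if installed, else a rough fallback
# (runs of 4+ printable characters).
printable_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' || true
    fi
}

# matching_alternatives FILE SIGNATURE
# Prints "<alternative><TAB><matching string>" for every distinct hit.
matching_alternatives() {
    file=$1
    sig=$2
    strs=$(printable_strings "$file")
    old_ifs=$IFS
    set -f; IFS='|'
    set -- $sig                 # split the signature on '|'
    IFS=$old_ifs; set +f
    for alt in "$@"; do
        printf '%s\n' "$strs" | grep -E -e "$alt" | sort -u |
            while IFS= read -r hit; do
                printf '%s\t%s\n' "$alt" "$hit"
            done
    done
}

# Constructed sample standing in for a clean login binary: it embeds the
# shell path "/bin/bash", as the real /bin/login in the thread does.
sample=$(mktemp)
printf 'ELF\000\001/bin/bash\000login: \000/bin/bash\000Password:\000' > "$sample"
matching_alternatives "$sample" \
    'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'
rm -f "$sample"
```

On the constructed sample the only hit is the `bash` alternative against `/bin/bash`, the same overbroad match shown in Charlie's output.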
