Check this out, looks like this is a false positive: http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html

On Tue, Mar 1, 2011 at 3:08 PM, satish patel <[email protected]> wrote:
> Sorry, vmg35 is an Ubuntu 10.x machine.
>
> On Tue, Mar 1, 2011 at 3:06 PM, satish patel <[email protected]> wrote:
>> I have two identical systems and I cross-checked with that system and I
>> found the following result.
>>
>> Trojan-infected system (what is this "deleted"?)
>>
>> root@vmg035:/usr/local/src/ossec# cat /proc/1/maps
>> 7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d350000-7f6c7d351000 r--p 0000b000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d351000-7f6c7d352000 rw-p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d352000-7f6c7d35c000 r-xp 00000000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d35c000-7f6c7d55b000 ---p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d55b000-7f6c7d55c000 r--p 00009000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d55c000-7f6c7d55d000 rw-p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d55d000-7f6c7d574000 r-xp 00000000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d574000-7f6c7d773000 ---p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d773000-7f6c7d774000 r--p 00016000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d774000-7f6c7d775000 rw-p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
>> 7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>> 7f6c7d77f000-7f6c7d97e000 ---p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>> 7f6c7d97e000-7f6c7d97f000 r--p 00007000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>> 7f6c7d97f000-7f6c7d980000 rw-p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>>
>> Other identical system:
>>
>> [root@test035 ~]# cat /proc/1/maps
>> 005c4000-005d1000 r-xp 00000000 fd:00 869076 /lib/libsepol.so.1
>> 005d1000-005d2000 rw-p 0000c000 fd:00 869076 /lib/libsepol.so.1
>> 005d2000-005da000 rw-p 005d2000 00:00 0
>> 00665000-00672000 r-xp 00000000 fd:00 869075 /lib/libselinux.so.1
>> 00672000-00673000 rw-p 0000d000 fd:00 869075 /lib/libselinux.so.1
>> 00891000-008a7000 r-xp 00000000 fd:00 869014 /lib/ld-2.3.4.so
>> 008a7000-008a8000 r--p 00015000 fd:00 869014 /lib/ld-2.3.4.so
>> 008a8000-008a9000 rw-p 00016000 fd:00 869014 /lib/ld-2.3.4.so
>> 00987000-00988000 r-xp 00000000 fd:00 869031 /lib/libcwait.so
>> 00988000-00989000 rw-p 00000000 fd:00 869031 /lib/libcwait.so
>> 00adb000-00c05000 r-xp 00000000 fd:00 902502 /lib/tls/libc-2.3.4.so
>> 00c05000-00c07000 r--p 00129000 fd:00 902502 /lib/tls/libc-2.3.4.so
>> 00c07000-00c09000 rw-p 0012b000 fd:00 902502 /lib/tls/libc-2.3.4.so
>> 00c09000-00c0b000 rw-p 00c09000 00:00 0
>> 08048000-0804f000 r-xp 00000000 fd:00 1613974 /sbin/init
>> 0804f000-08050000 rw-p 00007000 fd:00 1613974 /sbin/init
>> 0930a000-0932b000 rw-p 0930a000 00:00 0
>> b7f74000-b7f76000 rw-p b7f74000 00:00 0
>> bfe13000-c0000000 rw-p bfe13000 00:00 0
>>
>> On Tue, Mar 1, 2011 at 3:00 PM, Castle, Shane <[email protected]> wrote:
>>> I'd cross-check with one of the rootkit checking tools but yes, kinda
>>> looks like you've been pwned.
>>>
>>> --
>>> Shane Castle
>>> Data Security Mgr, Boulder County IT
>>> CISSP GSEC GCIH
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]] On Behalf Of satish patel
>>> Sent: Tuesday, March 01, 2011 12:53
>>> To: [email protected]
>>> Subject: [ossec-list] Trojan found on Redhat AS4
>>>
>>> I have just installed OSSEC-2.5.1 on one of my Redhat AS4 Linux
>>> machines and I got the following message. What the heck is this? Is this
>>> a real trojan?
>>>
>>> Received From: vmg035->rootcheck
>>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>>> Portion of the log(s):
>>>
>>> Trojaned version of file '/proc/1/maps' detected. Signature used: 'init.' (Suckit rootkit).
>>>
>>> -Satish
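An added triage example for the thread above (my code, not OSSEC's rootcheck and not anything the posters ran): parse /proc/1/maps, pull out every file-backed mapping the kernel has tagged "(deleted)", and compare each one with the inode that exists at that path now. The "(deleted)" rows from the Ubuntu listing are embedded as the sample input, re-joined one mapping per line; the ON_DISK_NOW table is constructed and stands in for what `stat -c %i PATH` would print on the live box. The `.dpkg-new` suffix is the staging name dpkg gives a file while installing it, which is why that verdict is treated separately. The literal substring search in signature_lines is only a stand-in for the alert's quoted signature; it does not reproduce rootcheck's own matching.

```python
"""Triage a rootcheck alert on /proc/1/maps. Added example, not OSSEC code: parse the
mapping table, list mappings the kernel marks "(deleted)" and check each against the
inode now on disk (replaced by an upgrade, dpkg staging name, or really missing)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# start-end perms offset dev inode [path]; the kernel appends " (deleted)" when the
# backing file has been unlinked while the mapping is still held.
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)(?:\s+(?P<path>\S.*?))?\s*$")
DELETED = " (deleted)"
DPKG_STAGING = (".dpkg-new", ".dpkg-tmp")   # names dpkg uses while installing a file


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: Optional[str]   # None for anonymous mappings
    deleted: bool


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/PID/maps text; raise on any line that is not a mapping."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MAPS_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        path, deleted = m.group("path"), False
        if path and path.endswith(DELETED):
            path, deleted = path[:-len(DELETED)], True
        out.append(Mapping(int(m.group("start"), 16), int(m.group("end"), 16),
                           m.group("perms"), int(m.group("inode")), path, deleted))
    return out


def deleted_files(maps: List[Mapping]) -> Dict[str, int]:
    """Distinct deleted backing files -> inode the process still has mapped."""
    found: Dict[str, int] = {}
    for mp in maps:
        if mp.deleted and mp.path and mp.path not in found:
            found[mp.path] = mp.inode
    return found


def classify_deleted(maps: List[Mapping], on_disk: Dict[str, int]) -> Dict[str, str]:
    """Verdict per deleted file. on_disk: path -> current inode (what `stat -c %i`
    prints); a path absent from it means nothing exists at that path any more."""
    verdicts = {}
    for path, old_inode in deleted_files(maps).items():
        if path.endswith(DPKG_STAGING):
            verdicts[path] = "dpkg-staging"   # dpkg renamed the new copy into place
        elif path in on_disk and on_disk[path] != old_inode:
            verdicts[path] = "replaced"       # upgraded on disk; old inode still mapped
        elif path in on_disk:
            verdicts[path] = "inspect"        # same inode yet deleted: unexpected
        else:
            verdicts[path] = "missing"        # no file at that path: inspect by hand
    return verdicts


def executable_deleted(maps: List[Mapping]) -> List[str]:
    """Deleted files mapped executable: code running from a file that no longer exists."""
    return sorted({mp.path for mp in maps if mp.deleted and "x" in mp.perms})


def signature_lines(text: str, signature: str) -> List[str]:
    """Lines containing a literal signature; stand-in for the alert's quoted 'init.'."""
    return [ln for ln in text.splitlines() if signature in ln]


# Sample input: the (deleted) rows from the Ubuntu listing, one mapping per line.
UBUNTU_MAPS = """\
7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d350000-7f6c7d351000 r--p 0000b000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d351000-7f6c7d352000 rw-p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d352000-7f6c7d35c000 r-xp 00000000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d35c000-7f6c7d55b000 ---p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55b000-7f6c7d55c000 r--p 00009000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55c000-7f6c7d55d000 rw-p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
7f6c7d55d000-7f6c7d574000 r-xp 00000000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d574000-7f6c7d773000 ---p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d773000-7f6c7d774000 r--p 00016000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d774000-7f6c7d775000 rw-p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d77f000-7f6c7d97e000 ---p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d97e000-7f6c7d97f000 r--p 00007000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
7f6c7d97f000-7f6c7d980000 rw-p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
"""

# Constructed: inodes `stat -c %i` might show after libc was upgraded under a running init.
ON_DISK_NOW = {
    "/lib/libnss_files-2.11.1.so": 6602,
    "/lib/libnss_nis-2.11.1.so": 6603,
    "/lib/libnsl-2.11.1.so": 6598,
    "/lib/libnss_compat-2.11.1.so": 6601,   # the .dpkg-new copy, renamed into place
}

if __name__ == "__main__":
    maps = parse_maps(UBUNTU_MAPS)
    for path, verdict in classify_deleted(maps, ON_DISK_NOW).items():
        print(f"{verdict:13s} {path}")
    print("executable and deleted:", executable_deleted(maps))
    print("lines matching 'init.':", signature_lines(UBUNTU_MAPS, "init."))
```

On a live host, build the on-disk table from `stat -c %i` on each path that deleted_files reports, and confirm package ownership of the replaced libraries with `dpkg -S PATH` (or `rpm -qf PATH` on Red Hat). A "replaced" verdict on glibc libraries under PID 1 is the normal signature of a library upgrade with init never restarted; a "missing" executable mapping, or a deleted executable mapping that no package claims, is the case worth treating as a possible compromise.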
