Check this out; it looks like this is a false positive:

http://forums.gentoo.org/viewtopic-t-326062-highlight-suckit.html

On Tue, Mar 1, 2011 at 3:08 PM, satish patel <[email protected]> wrote:
> Sorry, vmg035 is an Ubuntu 10.x machine.
>
> On Tue, Mar 1, 2011 at 3:06 PM, satish patel <[email protected]> wrote:
>> I have two identical systems, and I cross-checked with the other system and
>> found the following result.
>>
>> Trojan-infected system (what is this "deleted"?):
>>
>> root@vmg035:/usr/local/src/ossec# cat /proc/1/maps
>> 7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d350000-7f6c7d351000 r--p 0000b000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d351000-7f6c7d352000 rw-p 0000c000 fb:01 6554 /lib/libnss_files-2.11.1.so (deleted)
>> 7f6c7d352000-7f6c7d35c000 r-xp 00000000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d35c000-7f6c7d55b000 ---p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d55b000-7f6c7d55c000 r--p 00009000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d55c000-7f6c7d55d000 rw-p 0000a000 fb:01 6556 /lib/libnss_nis-2.11.1.so (deleted)
>> 7f6c7d55d000-7f6c7d574000 r-xp 00000000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d574000-7f6c7d773000 ---p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d773000-7f6c7d774000 r--p 00016000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d774000-7f6c7d775000 rw-p 00017000 fb:01 6551 /lib/libnsl-2.11.1.so (deleted)
>> 7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
>> 7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>> 7f6c7d77f000-7f6c7d97e000 ---p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>> 7f6c7d97e000-7f6c7d97f000 r--p 00007000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>> 7f6c7d97f000-7f6c7d980000 rw-p 00008000 fb:01 6552 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
>>
>>
>> Other identical system:
>>
>> [root@test035 ~]# cat /proc/1/maps
>> 005c4000-005d1000 r-xp 00000000 fd:00 869076     /lib/libsepol.so.1
>> 005d1000-005d2000 rw-p 0000c000 fd:00 869076     /lib/libsepol.so.1
>> 005d2000-005da000 rw-p 005d2000 00:00 0
>> 00665000-00672000 r-xp 00000000 fd:00 869075     /lib/libselinux.so.1
>> 00672000-00673000 rw-p 0000d000 fd:00 869075     /lib/libselinux.so.1
>> 00891000-008a7000 r-xp 00000000 fd:00 869014     /lib/ld-2.3.4.so
>> 008a7000-008a8000 r--p 00015000 fd:00 869014     /lib/ld-2.3.4.so
>> 008a8000-008a9000 rw-p 00016000 fd:00 869014     /lib/ld-2.3.4.so
>> 00987000-00988000 r-xp 00000000 fd:00 869031     /lib/libcwait.so
>> 00988000-00989000 rw-p 00000000 fd:00 869031     /lib/libcwait.so
>> 00adb000-00c05000 r-xp 00000000 fd:00 902502     /lib/tls/libc-2.3.4.so
>> 00c05000-00c07000 r--p 00129000 fd:00 902502     /lib/tls/libc-2.3.4.so
>> 00c07000-00c09000 rw-p 0012b000 fd:00 902502     /lib/tls/libc-2.3.4.so
>> 00c09000-00c0b000 rw-p 00c09000 00:00 0
>> 08048000-0804f000 r-xp 00000000 fd:00 1613974    /sbin/init
>> 0804f000-08050000 rw-p 00007000 fd:00 1613974    /sbin/init
>> 0930a000-0932b000 rw-p 0930a000 00:00 0
>> b7f74000-b7f76000 rw-p b7f74000 00:00 0
>> bfe13000-c0000000 rw-p bfe13000 00:00 0
>>
>> On Tue, Mar 1, 2011 at 3:00 PM, Castle, Shane <[email protected]> wrote:
>>> I'd cross-check with one of the rootkit checking tools but yes, kinda
>>> looks like you've been pwned.
>>>
>>> --
>>> Shane Castle
>>> Data Security Mgr, Boulder County IT
>>> CISSP GSEC GCIH
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected] [mailto:[email protected]]
>>> On Behalf Of satish patel
>>> Sent: Tuesday, March 01, 2011 12:53
>>> To: [email protected]
>>> Subject: [ossec-list] Trojan found on Redhat AS4
>>>
>>> I have just installed OSSEC 2.5.1 on one of the Redhat AS4 Linux
>>> machines and I got the following message. What the heck is this? Is this
>>> a real trojan?
>>>
>>>
>>> Received From: vmg035->rootcheck
>>> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
>>> Portion of the log(s):
>>>
>>> Trojaned version of file '/proc/1/maps' detected. Signature used: 'init.' (Suckit rootkit).
>>>
>>> -Satish
>>>
>>
>
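What the two maps excerpts in this thread show can be checked mechanically rather than by eye. The following is an added example, not code from the thread, from OSSEC or from anyone on the list: it parses pasted `/proc/<pid>/maps` text (including the line wrapping a mail client introduces), lists the file-backed mappings the kernel has marked `(deleted)`, flags leftover `.dpkg-new` names, and compares a mapped inode against the inode the path resolves to now. The sample inputs are trimmed copies of the two excerpts above; all function and variable names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input constructed for this example: trimmed copies of the two
# /proc/1/maps excerpts from the thread. UBUNTU_MAPS keeps the e-mail wrapping
# (the path pushed onto a following line that starts with a space), which a
# parser fed with pasted output has to cope with.
UBUNTU_MAPS = """\
7f6c7d145000-7f6c7d151000 r-xp 00000000 fb:01 6554
 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d151000-7f6c7d350000 ---p 0000c000 fb:01 6554
 /lib/libnss_files-2.11.1.so (deleted)
7f6c7d775000-7f6c7d777000 rw-p 00000000 00:00 0
7f6c7d777000-7f6c7d77f000 r-xp 00000000 fb:01 6552
 /lib/libnss_compat-2.11.1.so.dpkg-new (deleted)
"""

RHEL_MAPS = """\
005c4000-005d1000 r-xp 00000000 fd:00 869076     /lib/libsepol.so.1
00adb000-00c05000 r-xp 00000000 fd:00 902502     /lib/tls/libc-2.3.4.so
00c09000-00c0b000 rw-p 00c09000 00:00 0
08048000-0804f000 r-xp 00000000 fd:00 1613974    /sbin/init
bfe13000-c0000000 rw-p bfe13000 00:00 0
"""

# One maps entry: "start-end perms offset dev inode [path]".
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    dev: str
    inode: int     # 0 for anonymous memory
    path: str      # backing file without the "(deleted)" suffix; "" if anonymous
    deleted: bool  # kernel marked the backing file as unlinked


def _split_deleted(raw: str):
    """Strip the kernel's "(deleted)" marker and report whether it was present."""
    raw = raw.strip()
    if raw.endswith("(deleted)"):
        return raw[: -len("(deleted)")].rstrip(), True
    return raw, False


def parse_maps(text: str) -> List[Mapping]:
    """Parse maps text; a line starting with whitespace continues the previous path."""
    rows: List[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m:
            rows.append(m.groupdict())
        elif rows and line[0].isspace():
            rows[-1]["path"] = (rows[-1]["path"] + " " + line.strip()).strip()
        else:
            raise ValueError(f"unrecognised maps line: {line!r}")
    out = []
    for r in rows:
        path, deleted = _split_deleted(r["path"])
        out.append(Mapping(int(r["start"], 16), int(r["end"], 16), r["perms"],
                           int(r["offset"], 16), r["dev"], int(r["inode"]),
                           path, deleted))
    return out


def stale_inode(m: Mapping, on_disk_inode: int) -> bool:
    """True when the mapped inode differs from what the path resolves to now
    (in real use pass os.stat(m.path).st_ino): the file was replaced after the
    process started, which is what a library upgrade without a restart looks like."""
    return m.inode != 0 and m.inode != on_disk_inode


def triage(maps: List[Mapping]) -> Dict[str, object]:
    """Summarise unlinked file-backed mappings and leftover .dpkg-new names."""
    deleted = sorted({m.path for m in maps if m.inode != 0 and m.deleted})
    dpkg_new = sorted({m.path for m in maps if m.path.endswith(".dpkg-new")})
    if not deleted:
        note = "no unlinked file-backed mappings; maps alone gives nothing to chase"
    else:
        note = ("%d file(s) mapped that were unlinked after the process started; "
                "most often a package upgrade without a restart. Compare inodes "
                "with stale_inode(), finish or roll back the upgrade, restart or "
                "reboot, then re-run rootcheck and a second rootkit checker "
                "before treating it as a compromise." % len(deleted))
    return {"deleted": deleted, "dpkg_new": dpkg_new, "note": note}


if __name__ == "__main__":
    for name, text in (("vmg035 (Ubuntu)", UBUNTU_MAPS), ("test035 (RHEL AS4)", RHEL_MAPS)):
        print(name, triage(parse_maps(text)))
```

A `(deleted)` mapping means PID 1 still maps an inode whose name on disk has since been removed or replaced; after an upgrade of glibc or the nss libraries that is expected until the process is restarted, and the `.dpkg-new` name points at a dpkg run that did not finish. Note also that the two hosts compared in the thread are not identical for this purpose: one is Ubuntu with glibc 2.11.1 and 64-bit addresses, the other Red Hat AS4 with glibc 2.3.4 and 32-bit addresses, so their maps differ regardless of any infection. The useful follow-ups are the inode comparison above, completing the upgrade and rebooting, and corroborating with a second rootkit checker as Shane suggested.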
