It should be fixed on the latest snapshot here: https://bitbucket.org/dcid/ossec-hids/overview
Can you try it out and see if it works?

On Tue, Apr 24, 2012 at 4:25 PM, Eero Volotinen <[email protected]> wrote:
> 2012/4/24 Mike Sievers <[email protected]>:
>> Hi,
>>
>> ossec version is 2.6
>> md5sum: 5a8582fbad878819fdcc598d15902b57 /sbin/init
>> (don't know yet if it is ok)
>>
>> Mike
>>
>>
>> 2012/4/23 dan (ddp) <[email protected]>
>>
>>> What version of OSSEC?
>>> Does the md5 or sha for /sbin/init match what it should?
>>>
>>> On Sun, Apr 22, 2012 at 8:41 AM, Mike Sievers
>>> <[email protected]> wrote:
>>> > Hi List,
>>> >
>>> > on my opensuse 12.1 I found:
>>> > Trojaned version of file '/sbin/init' detected. Signature used: 'HOME' (Suckit rootkit).
>>> > I hope this is false positive, isn't it?
>>> > And some alerts like this:
>>> > File '/dev/.sysconfig/network/config-lo' present on /dev. Possible hidden file.
>>> >
>>> > ???
>>
>>
>
> How about checking from package manager:
>
> rpm -qf /sbin/init (what provides that package)
> rpm --verify package-name
>
> example from centos 6.2
>
> [root@xxx ~]# rpm -qf /sbin/init
> upstart-0.6.5-10.el6.x86_64
> [root@xx ~]# rpm -V upstart
>
>
>
> --
> Eero
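
The `rpm -V` check suggested in the thread prints nothing when every file matches the RPM database, and one line of nine flag characters (SM5DLUGTP) per file that does not. The following is an added example, not part of the original thread or of OSSEC: a small shell helper (the name `classify_rpm_verify` is hypothetical) that reads `rpm -V` output and reports whether a given file's content digest changed, run here on constructed sample output.

```shell
#!/bin/sh
# Added example: interpret `rpm -V <package>` output for a single file.
# classify_rpm_verify is a hypothetical helper name, not an rpm or OSSEC tool.
# Reads `rpm -V` output on stdin and prints one of:
#   unchanged | metadata-changed | content-changed | unreadable | missing
classify_rpm_verify() {
    target=$1
    result=unchanged              # rpm -V prints nothing for files that pass
    while IFS= read -r line; do
        path=${line##* }          # last field; assumes no spaces in the path
        [ "$path" = "$target" ] || continue
        flags=${line%% *}         # "missing" or the nine flags SM5DLUGTP
        case $flags in
            missing) result=missing ;;
            ??5*)    result=content-changed ;;   # digest differs from the RPM database
            ??\?*)   result=unreadable ;;        # digest test could not be performed
            *)       result=metadata-changed ;;  # only mode, owner, mtime, ... differ
        esac
    done
    printf '%s\n' "$result"
}

# Constructed sample output (not taken from a real host).
SAMPLE_TAMPERED='S.5....T.    /sbin/init
.......T.  c /etc/init/rcS.conf'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_TAMPERED" | classify_rpm_verify /sbin/init

# On a live RPM-based system the equivalent would be:
#   rpm -V "$(rpm -qf /sbin/init)" | classify_rpm_verify /sbin/init
```

The comparison is made against the local RPM database, so the result is only as trustworthy as that database and the `rpm` binary on the host being checked.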
