Hi,
I have been receiving the following alert:
Host-based anomaly detection event (rootcheck).
Trojaned version of file '/bin/grep' detected. Signature used: 'bash|givemer|/dev/' (Generic).
I have tested in the server the following command:
strings /bin/grep | grep -E 'bash|givemer|/dev/'
With the result:
/dev/null
Debsum result:
debsums grep
/bin/egrep OK
/bin/fgrep OK
/bin/grep OK
/usr/bin/rgrep OK
/usr/share/doc/grep/copyright OK
/usr/share/locale/de/LC_MESSAGES/grep.mo OK
/usr/share/locale/es/LC_MESSAGES/grep.mo OK
/usr/share/locale/fr/LC_MESSAGES/grep.mo OK
/usr/share/locale/ja/LC_MESSAGES/grep.mo OK
/usr/share/locale/zh_CN/LC_MESSAGES/grep.mo OK
/usr/share/locale/zh_TW/LC_MESSAGES/grep.mo OK
I have been looking around worried that may be a hack but so far chkrootkit and other tests doesn't show this positive.
I was wondering if this may be a false positive from ossec side.
Thanks in advance!
Hi @KALRONG,
this is a very interesting issue, since Rootcheck and your tests agree that there is a suspicious string in the binary file, but debsums verifies correctly the file. We followed your steps and got the same result.
We looked into the Grep repository at git.savannah.gnu.org/cgit/grep.git and found the /dev/null string at file grep.c. That text was introduced on May 2nd and was released at version 2.26.
We found that Ubuntu 16.10 has Grep 2.25 (the last version without the string). Could you tell us what OS you're using or how you installed Grep? So we could confirm this issue before fixing it.
Thank you very much for your feedback.
Best regards.
Hi,
Im using Debian Stretch with the latest updates, just checked and I have version 2.26:
grep --version
grep (GNU grep) 2.26
Copyright (C) 2016 Free Software Foundation, Inc.
Licencia GPLv3+: GPL de GNU versi贸n 3 o posterior
http://gnu.org/licenses/gpl.html
Esto es software libre: usted es libre de cambiarlo y redistribuirlo.
No hay NINGUNA GARANT脥A, hasta donde permite la ley.
Escrito por Mike Haertel y otros, v茅ase http://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS.
And the installation of the package was due to the usual apt-get update.
Hope it helps!
Hi,
we found that Rootcheck allows only black-lists for trojan rootkit detection, that makes this issue so complex to fix.
The best way to solve this problem would be to implement a white-list, but for now you could modify this line: https://github.com/wazuh/wazuh/blob/master/src/rootcheck/db/rootkit_trojans.txt#L41 and remove the /dev/ part.
Another way is to write it on another line and silence the alert, following theese steps:
File /var/ossec/etc/shared/rootkit_trojans.txt:
grep !bash|givemer!
grep !/dev/!
Then, create a local rule at /var/ossec/rules/local_rules.xml like this one:
<rule id="100001" level="0">
<if_sid>510</if_sid>
<match>Signature used: '/dev/'</match>
<description>Ignoring string /dev/.</description>
</rule>
We'll add the implementation of a white-list for Rootcheck trojan detection to our roadmap and extend the file syntax to ignore a specific string at a file.
Thank you very much again.
Regards.
Thanks for the information :)
Hi,
Looks like this issues is back on the code.
Most helpful comment
Hi,
Looks like this issues is back on the code.