NetBSD-Users archive
Possibly trojan'd netstat?
Hi! New to this list but not lists or NetBSD in general.
Anyway... on to the story...
So I'm building up a 6.0 VM and downloaded a number of
packages from the ftp.netbsd.org site
(pub/pkgsrc/packages/x86_64/6.0/All).
After getting apache2.4 fixed I installed a number of
dependencies for Gallery1 and other apps that I just
downloaded and installed. The list is:
ImageMagick-6.7.9.10.tgz
bash-2.05.2.7nb11.tgz
bash-4.2nb2.tgz
bash-completion-1.0nb1.tgz
bash-doc-2.05.2.tgz
fftw-3.3.3.tgz
fftw2-2.1.5nb3.tgz
fftwf-3.3.2nb1.tgz
fortune-strfile-0.tgz
fortunes-calvin-0.2.tgz
fortunes-de-0.20.tgz
fortunes-futurama-0.2.tgz
fortunes-h2g2-0.1.tgz
ilmbase-1.0.2nb2.tgz
jasper-1.900.1nb6.tgz
jhead-2.96.tgz
lcms-1.19nb1.tgz
lcms2-2.4.tgz
libf2c-20090201nb3.tgz
libltdl-2.2.6b.tgz
libwebp-0.2.1.tgz
netpbm-10.35.80nb4.tgz
openexr-1.7.0.tgz
tiff-4.0.3nb1.tgz
unzip-6.0nb1.tgz
zip-3.0nb2.tgz
After all that was done and working (among other things) I
installed ossec. Upon reboot it gave me the following:
OSSEC HIDS Notification.
2013 Apr 22 21:14:45
Received From: (spinny) 192.168.1.153->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Trojaned version of file '/usr/bin/netstat' detected.
Signature used: 'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Generic).
--END OF NOTIFICATION

OSSEC HIDS Notification.
2013 Apr 22 21:14:46
Received From: (spinny) 192.168.1.153->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):
Files hidden inside directory '/dev/pts'. Link count does not match number of files (2,1).
--END OF NOTIFICATION
Currently the system is not in production yet. I've
renamed netstat and turned off execution of it:
spinny# mv netstat netstat-infected
spinny# chmod 000 netstat-infected
spinny# ls -la netstat*
---------- 1 root kmem 158761 Dec 21 05:25 netstat-infected
spinny#
I also have the host currently powered off. I'm going to power it on a little
later and get the checksum of the netstat file.
Please, if someone is aware of this, let me know whether it is a false alarm or not.
I mean, I can always blow the VM away and start from scratch, but I'd
rather not.
--
Mike
If I wanted to create a universe from scratch
I guess I should have ordered the apple pie.
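The two rootcheck tests in the alerts above can be reproduced by hand, which is the quickest way to see what actually tripped them. The script below is an added example, not part of the post and not OSSEC's own code: it applies the alert's "Generic" signature regex to the printable strings of a file (what `strings FILE | grep -E SIGNATURE` does), and it checks the directory link-count invariant behind the "Files hidden inside directory" message (on traditional Unix file systems a directory's `st_nlink` is 2 plus its number of subdirectories). The exact way OSSEC counts entries is not reproduced here, and the two sample "binaries" are constructed in a temporary directory so the script runs offline.

```python
#!/usr/bin/env python3
"""Reproduce, approximately, the two rootcheck tests from the OSSEC alerts.

Added example (not OSSEC's code). The netstat signature is the one quoted
in the alert; the file check mimics `strings FILE | grep -E SIGNATURE`.
"""
import os
import re
import tempfile

# Signature quoted in the alert for /usr/bin/netstat ("Generic").
NETSTAT_SIGNATURE = rb"bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h"


def printable_strings(data: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for match in re.finditer(pattern, data):
        yield match.group(0)


def signature_hits(path: str, signature: bytes = NETSTAT_SIGNATURE):
    """Return the printable strings in `path` that match `signature`.

    An empty list means this generic trojan check would not fire on the file.
    A non-empty list tells you *which* strings fired, which is the first thing
    to look at before deciding whether the alert is a false positive.
    """
    regex = re.compile(signature)
    with open(path, "rb") as fh:
        data = fh.read()
    return [s for s in printable_strings(data) if regex.search(s)]


def hidden_entries_suspected(nlink: int, subdir_count: int) -> bool:
    """Directory link-count invariant: st_nlink == 2 + number of subdirectories
    ('.' plus each child's '..'). A mismatch is what a rootcheck-style scan
    reports as files hidden in a directory. Mount points of pseudo file systems
    (NetBSD's ptyfs on /dev/pts, procfs) and some file systems (btrfs reports
    nlink 1 for directories) do not keep the invariant, so a mismatch there is
    expected rather than evidence of a rootkit.
    """
    return nlink != 2 + subdir_count


def check_directory(dirpath: str):
    """Gather st_nlink and the subdirectory count for dirpath.

    Returns (nlink, expected_nlink, suspect).
    """
    nlink = os.stat(dirpath).st_nlink
    subdirs = sum(1 for e in os.scandir(dirpath) if e.is_dir(follow_symlinks=False))
    return nlink, 2 + subdirs, hidden_entries_suspected(nlink, subdirs)


def demo():
    """Constructed sample files: a clean netstat-like binary and one with shell strings.

    Returns (hits_on_clean, hits_on_dirty).
    """
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "netstat-clean")
        with open(clean, "wb") as fh:
            fh.write(b"\x7fELF" + b"\x00" * 16
                     + b"usage: netstat [-AabdghiLlmnqrSsTtuvW]\x00" + b"\x01\x02")
        dirty = os.path.join(tmp, "netstat-dirty")
        with open(dirty, "wb") as fh:
            # Strings a backdoored binary that spawns a shell and hides a pty might carry.
            fh.write(b"\x7fELF" + b"\x00" * 16 + b"/bin/sh\x00" + b"/dev/ptyxx\x00" + b"\x01")
        return signature_hits(clean), signature_hits(dirty)


if __name__ == "__main__":
    clean_hits, dirty_hits = demo()
    print("clean sample:", clean_hits)
    print("dirty sample:", dirty_hits)
    # Run on a real directory, e.g. python3 this.py then check_directory("/dev/pts")
    print("/tmp link-count check (nlink, expected, suspect):", check_directory("/tmp"))
```

Run `signature_hits("/usr/bin/netstat")` against the renamed binary to see exactly which strings match; a legitimate netstat that happens to embed a `/dev/...` path or a help string containing `grep` will fire this signature just as a trojaned one would, so the matched strings, together with a checksum comparison against the binary shipped in the NetBSD 6.0 set, decide the question, not the alert on its own.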