On 16/04/15 16:01, James B. Byrne wrote:
> This morning I discovered this in my clamav report from one of our
> imap servers:
>
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
> Unix.Trojan.MSShellcode-21 FOUND
>
>
> I have looked at this script and it appears to be part of the nmap
> distribution. It actually tests for irc backdoors. IRC is not
> used here and its ports are blocked by default both at the gateway
> and on all internal hosts.
>
> However, I nonetheless copied that file, removed nmap,
> re-installed nmap from base, and diffed the file of the same name
> installed with nmap against the copy. They are identical.
>
> The question is: Do I have a problem here or a false positive?
>
> I am not sure why nmap is on that host but evidently I had some
> reason last October to use it from that server. In any case I am
> going to remove it for good, or at least until the reason I had it
> there reoccurs or is recalled to mind.
>

Hi,

I believe this is definitely a false positive. Our mail server (CentOS 6.6) is reporting the very same "Trojan" on the very same file.

I've already done our investigation and came to the conclusion it is a false positive, based on a verification of files from RPMDB; also, our intrusion detection system has not detected any changed files in /usr/share/ since before and after said "trojan" appeared.

Top that with two people seeing the same thing at the same time on two completely different machines/companies, and chances are high it's a false positive.

Hope this helps set your mind at ease :-).
Kind Regards,
Jake Shipton (JakeMS)
Twitter: @CrazyLinuxNerd
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F
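As an added example that is not part of this thread: a POSIX shell helper that performs the RPM-database check the reply describes, classifying a flagged path from `rpm -V` output (content change, metadata-only change, missing, or intact). The `triage_file` wrapper around `rpm -qf`/`rpm -V` and the sample verify output are constructed assumptions for an RPM-based host.

```shell
#!/bin/sh
# Added example (not from the thread): triage a path that a ClamAV report flags
# by comparing it with what the RPM database recorded at install time.
# `rpm -V PKG` prints nothing for files that still match the package; otherwise
# one line per differing file, e.g. "S.5....T.    /usr/share/nmap/scripts/x.nse".
# Flag letters: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities; the word "missing" replaces the flags for absent files.

# classify_rpm_verify PATH VERIFY_OUTPUT
# Prints: intact | missing | modified:<flags> (digest differs) | metadata:<flags>
classify_rpm_verify() {
    line=$(printf '%s\n' "$2" | awk -v p="$1" '$NF == p { print; exit }')
    if [ -z "$line" ]; then
        printf 'intact\n'            # rpm -V listed nothing for this path
        return 0
    fi
    flags=$(printf '%s\n' "$line" | awk '{ print $1 }')  # flag string or "missing"
    case $flags in
        missing) printf 'missing\n' ;;
        *5*)     printf 'modified:%s\n' "$flags" ;;   # content really changed
        *)       printf 'metadata:%s\n' "$flags" ;;   # e.g. only mtime or mode
    esac
}

# triage_file PATH: the real check; assumes rpm is present on the host.
# "intact" only means the file is what the package shipped; the package's
# own provenance (signature, repository) is a separate question.
triage_file() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || { printf 'unowned: %s\n' "$1"; return 1; }
    verify=$(rpm -V "$pkg" 2>/dev/null || true)  # rpm -V exits 1 when anything differs
    printf '%s (%s): %s\n' "$1" "$pkg" "$(classify_rpm_verify "$1" "$verify")"
}

# Constructed sample of rpm -V output, used when run without arguments.
SAMPLE_VERIFY='S.5....T.    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
missing      /usr/share/nmap/scripts/other.nse
.......T.    /usr/share/nmap/nmap-services'

if [ $# -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    for f in "$@"; do triage_file "$f"; done
elif [ $# -eq 0 ]; then
    for f in /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse \
             /usr/share/nmap/scripts/http-title.nse; do
        printf '%s: %s\n' "$f" "$(classify_rpm_verify "$f" "$SAMPLE_VERIFY")"
    done
fi
```

Run with real paths on an RPM-based host (`sh triage.sh /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse`); with no arguments it classifies the constructed sample.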