This morning I discovered this in my clamav report from one of our imap servers:
/usr/share/nmap/scripts/irc-unrealircd-backdoor.nse: Unix.Trojan.MSShellcode-21 FOUND
I have looked at this script and it appears to be part of the nmap distribution. It actually tests for IRC backdoors. IRC is not used here and its ports are blocked by default both at the gateway and on all internal hosts.
However, I nonetheless copied that file, removed nmap, re-installed nmap from base, and diffed the file of the same name installed with nmap against the copy. They are identical.
The question is: Do I have a problem here or a false positive?
I am not sure why nmap is on that host but evidently I had some reason last October to use it from that server. In any case I am going to remove it for good, or at least until the reason I had it there reoccurs or is recalled to mind.
On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne byrnejb@harte-lyne.ca wrote:
> This morning I discovered this in my clamav report from one of our imap servers:
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse: Unix.Trojan.MSShellcode-21 FOUND
> I have looked at this script and it appears to be part of the nmap distribution. It actually tests for IRC backdoors. IRC is not used here and its ports are blocked by default both at the gateway and on all internal hosts.
> However, I nonetheless copied that file, removed nmap, re-installed nmap from base, and diffed the file of the same name installed with nmap against the copy. They are identical.
> The question is: Do I have a problem here or a false positive?
> I am not sure why nmap is on that host but evidently I had some reason last October to use it from that server. In any case I am going to remove it for good, or at least until the reason I had it there reoccurs or is recalled to mind.
If everything is rpm-installed you can say:
    rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
and see what package installed it, and:
    rpm -Vv packagename
to verify that the files still match what the package installed.
(which, of course, doesn't tell you if the files are trojans or not, just that they came from a presumably signed package and haven't been modified subsequently).
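As an added example (not Les's code, nor part of the thread), a POSIX shell script that decodes the attribute string rpm -V prints for each file, so that a line such as "S.5....T." can be read at a glance and a content change (digest or size) can be told apart from a harmless mtime or ownership change. The sample lines are constructed; rpm_verify_package assumes it is run on a host where rpm exists.

```shell
#!/bin/sh
# Added example (not from the thread): interpret the output of "rpm -V".
# rpm -V prints one line per file that fails verification (with -v, every
# file, passing ones as "........."). The first field is a 9-position
# attribute string, one position per test:
#   S size   M mode   5 digest   D device   L symlink
#   U user   G group  T mtime    P capabilities
# "." means the test passed and "?" means it could not be run. A line may
# instead start with "missing" when the file is gone entirely.

# rpm_verify_explain LINE
# Print a comma-separated list of the failed tests for one output line,
# "missing" for a missing file, or "clean" when every test passed.
rpm_verify_explain() {
    line=$1
    case "$line" in
        "")       echo clean;   return 0 ;;
        missing*) echo missing; return 0 ;;
    esac
    flags=${line%% *}          # first whitespace-delimited field
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s\n' "$flags" | cut -c "$i")
        case "$c" in
            S) out="${out}size," ;;
            M) out="${out}mode," ;;
            5) out="${out}digest," ;;
            D) out="${out}device," ;;
            L) out="${out}symlink," ;;
            U) out="${out}user," ;;
            G) out="${out}group," ;;
            T) out="${out}mtime," ;;
            P) out="${out}capabilities," ;;
        esac
        i=$((i + 1))
    done
    if [ -n "$out" ]; then
        printf '%s\n' "${out%,}"
    else
        echo clean
    fi
}

# rpm_verify_contents_changed LINE
# True (exit 0) only when the line shows the file CONTENTS differ from what
# the package shipped: digest or size changed, or the file is missing.
# A changed mtime, owner or mode alone is reported but not treated as
# evidence of tampering.
rpm_verify_contents_changed() {
    case "$(rpm_verify_explain "$1")" in
        *digest*|*size*|missing) return 0 ;;
        *) return 1 ;;
    esac
}

# rpm_verify_package PACKAGE
# Run the real verification when rpm is available and annotate each line.
# A check run on the suspect host itself can be fooled by a tampered rpm
# binary or database, so treat this as a first pass, not as proof.
rpm_verify_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm -V "$1" | while IFS= read -r l; do
        printf '%s\t%s\n' "$(rpm_verify_explain "$l")" "$l"
    done
}
```

Usage on a CentOS host would be `rpm_verify_package "$(rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse)"`; an empty result means every packaged file still matches its recorded digest, size, mode and ownership.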
On Thu, April 16, 2015 10:09 am, Les Mikesell wrote:
> On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne byrnejb@harte-lyne.ca wrote:
> > This morning I discovered this in my clamav report from one of our imap servers:
> > /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse: Unix.Trojan.MSShellcode-21 FOUND
> > I have looked at this script and it appears to be part of the nmap distribution. It actually tests for IRC backdoors. IRC is not used here and its ports are blocked by default both at the gateway and on all internal hosts.
> > However, I nonetheless copied that file, removed nmap, re-installed nmap from base, and diffed the file of the same name installed with nmap against the copy. They are identical.
> > The question is: Do I have a problem here or a false positive?
> > I am not sure why nmap is on that host but evidently I had some reason last October to use it from that server. In any case I am going to remove it for good, or at least until the reason I had it there reoccurs or is recalled to mind.
> If everything is rpm-installed you can say:
>     rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
> and see what package installed it, and:
>     rpm -Vv packagename
> to verify that the files still match what the package installed.
> (which, of course, doesn't tell you if the files are trojans or not, just that they came from a presumably signed package and haven't been modified subsequently).
In general:
As both comparing checksums, perms etc. of files with the rpm database (rpm -V ...) and just executing md5sum or sha1sum are done locally on the suspect machine, none of these are to be trusted. The best practice is to copy the files over to a trusted machine and run the tests on the suspect file there, or better yet: mount the drive from the suspect machine on the trusted machine. These would be general guidelines for forensics.
In particular (someone more knowledgeable will correct me if I'm wrong):
clamav is a scanner that is designed to detect viruses (virii I should use for plural as it is a Latin word) that can attack MS Windows. In general, these viruses cannot do anything to a Linux system. Therefore, if clamav detects one of the files belonging to a Linux distribution as "infected", it should be considered a "false positive". After all, it analyses/matches signatures against portions of file content. The only reason I run clamav on my Linux and Unix servers is to check e-mail, as some client machines can be Windows machines. Another portion of your filesystem you may want to scan for Windows viruses is something dedicated to Windows machines, like a SAMBA Windows share. Scanning the rest of your Linux or Unix machines does not make much sense to me.
Just my $0.02.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
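Added example, not Valeri's own procedure: a POSIX shell script for the "copy the files to a trusted machine" step. It assumes a per-file manifest was produced on the trusted host with `rpm -qp --dump` against a freshly downloaded copy of the package (the version in the comment is a placeholder), and that the suspect files were copied into a staging directory preserving their absolute paths, so the digests are computed by a host whose tools are not in question. The file contents, hash and manifest lines in demo_verify are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Check copies of suspect files, taken
# off the suspect host, against the per-file digests recorded in a package
# manifest produced on the TRUSTED host from a freshly downloaded package:
#     rpm -qp --dump nmap-VERSION.rpm > manifest      # VERSION: placeholder
# --dump prints one line per packaged file:
#     path size mtime digest mode owner group isconfig isdoc rdev symlink
# The digest is 32 hex chars (MD5) from older rpm builds or 64 hex chars
# (SHA-256) from newer ones; the length tells us which hash to compute.

# verify_against_manifest MANIFEST COPYDIR
# COPYDIR holds the suspect copies under their original absolute paths,
# e.g. COPYDIR/usr/share/nmap/scripts/foo.nse. Prints one line per manifest
# entry: "OK", "MISMATCH" or "ABSENT" followed by the path. Returns 0 only
# when every copy that is present matches its recorded digest and size.
verify_against_manifest() {
    manifest=$1
    copydir=$2
    rc=0
    while read -r path size mtime digest rest; do
        [ -n "$path" ] || continue
        copy="$copydir$path"
        if [ ! -f "$copy" ]; then
            echo "ABSENT $path"
            continue
        fi
        case ${#digest} in
            32) actual=$(md5sum "$copy" | awk '{print $1}') ;;
            64) actual=$(sha256sum "$copy" | awk '{print $1}') ;;
            *)  echo "UNKNOWN-DIGEST $path"; rc=1; continue ;;
        esac
        actual_size=$(wc -c < "$copy" | tr -d ' ')
        if [ "$actual" = "$digest" ] && [ "$actual_size" = "$size" ]; then
            echo "OK $path"
        else
            echo "MISMATCH $path"
            rc=1
        fi
    done < "$manifest"
    return "$rc"
}

# demo_verify
# Self-contained demonstration on constructed data: one copy that matches
# its manifest entry, one that was altered, one that was never copied.
demo_verify() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/copies/usr/share/nmap/scripts"
    printf 'hello\n'  > "$tmp/copies/usr/share/nmap/scripts/good.nse"
    printf 'hello!\n' > "$tmp/copies/usr/share/nmap/scripts/bad.nse"
    # Constructed manifest: every entry records SHA-256("hello\n"), 6 bytes.
    h=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    {
        echo "/usr/share/nmap/scripts/good.nse 6 0 $h 0100644 root root 0 0 0 X"
        echo "/usr/share/nmap/scripts/bad.nse 6 0 $h 0100644 root root 0 0 0 X"
        echo "/usr/share/nmap/scripts/gone.nse 6 0 $h 0100644 root root 0 0 0 X"
    } > "$tmp/manifest"
    if verify_against_manifest "$tmp/manifest" "$tmp/copies"; then
        echo "exit=0"
    else
        echo "exit=1"
    fi
    rm -rf "$tmp"
}

demo_verify
```

The point of doing it this way rather than running rpm -V on the suspect host is that neither the rpm binary, the rpm database nor the hashing tools on the suspect machine are involved in the comparison; only the copied file bytes are.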
[OT ALERT]
On 17/04/15 02:28, Valeri Galtsev wrote:
> clamav is a scanner that is designed to detect viruses (virii I should use for plural as it is a Latin word)
I believe this 'rule' in English is misunderstood by many, and as a general rule of thumb... tl;dr: words from Old English that came into modern English use 'Old English' pluralisation, eg sheep, fish etc.; words adopted from other languages into English, before and after modern English was established, use 'modern' pluralisation, eg tsunamis, octopuses.
<rant> As 'virus' was adopted into English for usage in relation to bugs, malware etc. after the formation of modern English, the plural of computer virus is computer viruses. IMO, in a medical sense, the virus was first described in the 1890s, well after the formation of modern English, so even then the plural of virus in English is viruses.
Reasoning: if one had to learn the pluralisation of every word adopted into modern English, then an English speaker would have to learn the pluralisation rules for far more than just English (see above re tsunami and octopus, but also consider other non-Old-English words such as emoji, alligator, mannequin, boulevard, cookie, umbrella, alcohol, nadir etc.). For Old English words, the pluralisation rules were set before modern English evolved into what we know today, so those old rules still apply.
All in all, it makes it a lot easier to know how to spell English plurals.
Some think octopi is the plural of octopus, when it wouldn't be, because it's Greek and not Latin anyway...
To wit: the belief many have that the English plural of virus is virii, when in fact, if anything, it'd be afaik viri - which it isn't.
my 2c.
Pete.
[Authority: Platypuses, or Platypus - I believe the linguists are still out on that one - live near me ;) ]
On Thu, April 16, 2015 8:59 pm, Peter Lawler wrote:
> [OT ALERT]
> On 17/04/15 02:28, Valeri Galtsev wrote:
> > clamav is a scanner that is designed to detect viruses (virii I should use for plural as it is a Latin word)
> I believe this 'rule' in English is misunderstood by many, and as a general rule of thumb... tl;dr: words from Old English that came into modern English use 'Old English' pluralisation, eg sheep, fish etc.; words adopted from other languages into English, before and after modern English was established, use 'modern' pluralisation, eg tsunamis, octopuses.
> <rant> As 'virus' was adopted into English for usage in relation to bugs, malware etc. after the formation of modern English, the plural of computer virus is computer viruses. IMO, in a medical sense, the virus was first described in the 1890s, well after the formation of modern English, so even then the plural of virus in English is viruses.
Good, my intention was just to cause a few smiles ;-) But not being a native English speaker, I use it ("not a native English speaker") as an excuse for being unable to pronounce anything. Even names (most smiles come when the excuse is used with respect to any NOT English name, say Chinese ;-)
Valeri
> Reasoning: if one had to learn the pluralisation of every word adopted into modern English, then an English speaker would have to learn the pluralisation rules for far more than just English (see above re tsunami and octopus, but also consider other non-Old-English words such as emoji, alligator, mannequin, boulevard, cookie, umbrella, alcohol, nadir etc.). For Old English words, the pluralisation rules were set before modern English evolved into what we know today, so those old rules still apply.
> All in all, it makes it a lot easier to know how to spell English plurals.
> Some think octopi is the plural of octopus, when it wouldn't be, because it's Greek and not Latin anyway...
> To wit: the belief many have that the English plural of virus is virii, when in fact, if anything, it'd be afaik viri - which it isn't.
> my 2c.
> Pete.
> [Authority: Platypuses, or Platypus - I believe the linguists are still out on that one - live near me ;) ]
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
On 17/04/15 12:31, Valeri Galtsev wrote:
> But not being a native English speaker, I use it ("not a native English speaker")
Figured as much, which is why I mentioned it ;)
> as an excuse for being unable to pronounce anything.
Not as if most English speakers can pronounce many English words....
ttfn :)
P.
On Fri, April 17, 2015 12:50 am, Peter Lawler wrote:
> On 17/04/15 12:31, Valeri Galtsev wrote:
> > But not being a native English speaker, I use it ("not a native English speaker")
> Figured as much, which is why I mentioned it ;)
> > as an excuse for being unable to pronounce anything.
> Not as if most English speakers can pronounce many English words....
> ttfn :)
It is amazing how much one can cripple what another person said by scissoring his phrases ;-)
Valeri
> > > But not being a native English speaker, I use it ("not a native English speaker")
> > Figured as much, which is why I mentioned it ;)
> > > as an excuse for being unable to pronounce anything.
> > Not as if most English speakers can pronounce many English words....
> > ttfn :)
> It is amazing how much one can cripple what another person said by scissoring his phrases ;-)
bugger!
On Fri, 2015-04-17 at 08:00 -0500, Valeri Galtsev wrote:
> It is amazing how much one can cripple what another person said by scissoring his phrases ;-)
English people (excludes USA people) should always try to speak simple, jargon-free, easily understandable and logically expressed English especially when conversing with non-English people.
I greatly admire the linguistic abilities of non-English people but deplore the dumbed-down abuses of my native language from the US of A.
A military plan has become a "road map" even when aircraft are involved, provoking the inevitable question of "Do aircraft stop at traffic lights"!
"Back-up" has become either reverse, a saved copy, reinforcements etc. Precision in language expression is essential for good understanding.
Comments off-list please.
On Fri, April 17, 2015 9:51 am, Always Learning wrote:
> On Fri, 2015-04-17 at 08:00 -0500, Valeri Galtsev wrote:
> > It is amazing how much one can cripple what another person said by scissoring his phrases ;-)
> English people (excludes USA people)
The first thing I learned about what US people (before I became one myself) take English pronunciation for was... Well, I asked a US person at the conference: does he know this person (and gave the name of an English person). The answer was:
"that guy with accent"
Isn't it funny to call correct English pronunciation an accent? ;-) (adding a "laugh track" so those who don't feel it's funny can still laugh here, taking it as a joke ;-)
Valeri
> should always try to speak simple, jargon-free, easily understandable and logically expressed English especially when conversing with non-English people.
> I greatly admire the linguistic abilities of non-English people but deplore the dumbed-down abuses of my native language from the US of A.
> A military plan has become a "road map" even when aircraft are involved, provoking the inevitable question of "Do aircraft stop at traffic lights"!
> "Back-up" has become either reverse, a saved copy, reinforcements etc. Precision in language expression is essential for good understanding.
> Comments off-list please.
> -- Regards,
> Paul. England, EU. Je suis Charlie.
> On 17/04/15 16:04, Valeri Galtsev wrote:
> > On Fri, April 17, 2015 9:51 am, Always Learning wrote:
> > > On Fri, 2015-04-17 at 08:00 -0500, Valeri Galtsev wrote:
> > > > It is amazing how much one can cripple what another person said by scissoring his phrases ;-)
> > > English people (excludes USA people)
> > The first thing I learned about what US people (before I became one myself) take English pronunciation for was... Well, I asked a US person at the conference: does he know this person (and gave the name of an English person). The answer was:
> > "that guy with accent"
> > Isn't it funny to call correct English pronunciation an accent? ;-) (adding a "laugh track" so those who don't feel it's funny can still laugh here, taking it as a joke ;-)
> > Valeri
<snip>
Speaking as a Yorkshireman who has also lived on Tyneside: what is "correct English pronunciation"? There is probably a greater variation of accent within England than between "standard" English and "standard" American.
Martin
On 2015-04-17, J Martin Rushton martinrushton56@btinternet.com wrote:
> On 17/04/15 16:04, Valeri Galtsev wrote:
> > On Fri, April 17, 2015 9:51 am, Always Learning wrote:
> > > On Fri, 2015-04-17 at 08:00 -0500, Valeri Galtsev wrote:
> > > > It is amazing how much one can cripple what another person said by scissoring his phrases ;-)
> > > English people (excludes USA people)
> > The first thing I learned about what US people (before I became one myself) take English pronunciation for was... Well, I asked a US person at the conference: does he know this person (and gave the name of an English person). The answer was:
> > "that guy with accent"
> > Isn't it funny to call correct English pronunciation an accent? ;-) (adding a "laugh track" so those who don't feel it's funny can still laugh here, taking it as a joke ;-)
> > Valeri
> <snip>
> Speaking as a Yorkshireman who has also lived on Tyneside: what is "correct English pronunciation"? There is probably a greater variation of accent within England than between "standard" English and "standard" American.
> Martin
Sorry, what was that? ;-)
On 2015-04-17, Peter Lawler centos@bleeter.id.au wrote:
> [OT ALERT]
> On 17/04/15 02:28, Valeri Galtsev wrote:
> > clamav is a scanner that is designed to detect viruses (virii I should use for plural as it is a Latin word)
> I believe this 'rule' in English is misunderstood by many, and as a general rule of thumb... tl;dr: words from Old English that came into modern English use 'Old English' pluralisation, eg sheep, fish etc.; words adopted from other languages into English, before and after modern English was established, use 'modern' pluralisation, eg tsunamis, octopuses.
> <rant> As 'virus' was adopted into English for usage in relation to bugs, malware etc. after the formation of modern English, the plural of computer virus is computer viruses. IMO, in a medical sense, the virus was first described in the 1890s, well after the formation of modern English, so even then the plural of virus in English is viruses.
I agree entirely. Also relevant is the fact that the Latin word 'virus' does not admit a plural form.
> Reasoning: if one had to learn the pluralisation of every word adopted into modern English, then an English speaker would have to learn the pluralisation rules for far more than just English (see above re tsunami and octopus, but also consider other non-Old-English words such as emoji, alligator, mannequin, boulevard, cookie, umbrella, alcohol, nadir etc.). For Old English words, the pluralisation rules were set before modern English evolved into what we know today, so those old rules still apply.
> All in all, it makes it a lot easier to know how to spell English plurals.
> Some think octopi is the plural of octopus, when it wouldn't be, because it's Greek and not Latin anyway...
> To wit: the belief many have that the English plural of virus is virii, when in fact, if anything, it'd be afaik viri - which it isn't.
The Latin word 'viri' translates as 'men', if I remember my school Latin correctly. :-)
> my 2c.
> Pete.
> [Authority: Platypuses, or Platypus - I believe the linguists are still out on that one - live near me ;) ]
On 17/04/15 02:59, Peter Lawler wrote:
> [OT ALERT]
> On 17/04/15 02:28, Valeri Galtsev wrote:
> > clamav is a scanner that is designed to detect viruses (virii I should use for plural as it is a Latin word)
> I believe this 'rule' in English is misunderstood by many, and as a general rule of thumb... tl;dr: words from Old English that came into modern English use 'Old English' pluralisation, eg sheep, fish etc.; words adopted from other languages into English, before and after modern English was established, use 'modern' pluralisation, eg tsunamis, octopuses.
> <rant> As 'virus' was adopted into English for usage in relation to bugs, malware etc. after the formation of modern English, the plural of computer virus is computer viruses. IMO, in a medical sense, the virus was first described in the 1890s, well after the formation of modern English, so even then the plural of virus in English is viruses.
<snip>
I know VAX computers are now a bit old fashioned, but why is the plural of VAX VAXen? I don't think DEC was founded before 1500 AD. :-o
On 16/04/15 16:01, James B. Byrne wrote:
> This morning I discovered this in my clamav report from one of our imap servers:
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse: Unix.Trojan.MSShellcode-21 FOUND
> I have looked at this script and it appears to be part of the nmap distribution. It actually tests for IRC backdoors. IRC is not used here and its ports are blocked by default both at the gateway and on all internal hosts.
> However, I nonetheless copied that file, removed nmap, re-installed nmap from base, and diffed the file of the same name installed with nmap against the copy. They are identical.
> The question is: Do I have a problem here or a false positive?
> I am not sure why nmap is on that host but evidently I had some reason last October to use it from that server. In any case I am going to remove it for good, or at least until the reason I had it there reoccurs or is recalled to mind.
Hi,
I believe this is definitely a false positive.
Our mail server (CentOS 6.6) is reporting the very same "Trojan" on the very same file. I've already done our investigation and came to the conclusion that it is a false positive, based on a verification of files from the RPMDB; also, our intrusion detection system has not detected any changed files in /usr/share/ from before to after said "trojan" appeared.
Top that with two people seeing the same thing at the same time on two completely different machines/companies, and chances are high it's a false positive.
Hope this helps set your mind at ease :-).
Kind Regards,
Jake Shipton (JakeMS)
Twitter: @CrazyLinuxNerd
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F
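Added example, not Jake's code and not part of ClamAV: two POSIX shell helpers for the point this thread reaches. The first pulls the flagged path and signature name out of a clamscan report so the hit can be cross-checked against the owning package; the second, for a file that has been verified by other means (package digest, IDS history) and declared a false positive, emits the record a ClamAV .fp whitelist file expects. The sample report line reuses the path and signature name from this thread; the file content in demo_fp_entry is constructed, and the .fp label name is an invented placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Two helpers for the false-positive
# case: pull the flagged path and signature name out of a clamscan report,
# and, once a flagged file has been verified by other means, emit the line
# ClamAV's whitelist database format wants so that exact file stops being
# reported.

# clamav_report_hits
# Read clamscan/clamdscan output on stdin; print "SIGNATURE PATH" for every
# "...: SIGNATURE FOUND" line. The last ": " separates path from signature,
# so paths containing ": " are handled as long as the signature name has
# no colon (ClamAV signature names do not).
clamav_report_hits() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        if (match(line, /: [^:]*$/) == 0) next
        path = substr(line, 1, RSTART - 1)
        sig  = substr(line, RSTART + 2)
        print sig, path
    }'
}

# clamav_fp_entry FILE NAME
# Print "MD5:SIZE:NAME", the record format of a ClamAV .fp whitelist file
# (same layout as an .hdb hash signature; NAME is a free-form label).
# Dropped into ClamAV's database directory as, e.g., local.fp, it makes
# clamscan skip a file with exactly this content. Because the match is on
# the hash, a later modification of the file would be flagged again, which
# is what you want. Use it only for a file you verified independently.
clamav_fp_entry() {
    file=$1
    name=$2
    md5=$(md5sum "$file" | awk '{print $1}')
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# demo_fp_entry
# Constructed demonstration: whitelist a 6-byte file containing "hello\n".
# "Local.VerifiedNmapScript" is a placeholder label, not a real signature.
demo_fp_entry() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    clamav_fp_entry "$tmp" "Local.VerifiedNmapScript"
    rm -f "$tmp"
}

demo_fp_entry
```

In practice the two steps chain: `clamscan -r /usr/share | clamav_report_hits` lists what was flagged, each path is checked against its package as discussed earlier in the thread, and only paths that pass get an entry written with clamav_fp_entry. Whitelisting by hash, rather than excluding the directory from scans, keeps a later change to the same file visible.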