[CentOS] ClamAV reports a trojan

Thu Apr 16 15:09:42 UTC 2015
Les Mikesell <lesmikesell at gmail.com>

On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> This morning I discovered this in my clamav report from one of our
> imap servers:
>
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
> Unix.Trojan.MSShellcode-21 FOUND
>
>
> I have looked at this script and it appears to be part of the nmap
> distribution.  It actually tests for irc backdoors.  IRC is not used
> here and its ports are blocked by default both at the gateway and on
> all internal hosts.
>
> However, I nonetheless copied that file, removed nmap, re-installed
> nmap from base, and diffed the file of the same name installed with
> nmap against the copy.  They are identical.
>
> The question is: Do I have a problem here or a false positive?
>
> I am not sure why nmap is on that host but evidently I had some reason
> last October to use it from that server.  In any case I am going to
> remove it for good, or at least until the reason I had it there
> reoccurs or is recalled to mind.

If everything is rpm-installed you can say:
  rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
and see what package installed it, and:
  rpm -Vv packagename
to verify that the files still match what the package installed.

(which, of course, doesn't tell you if the files are trojans or not,
just that they came from a presumably signed package and haven't been
modified subsequently).

-- 
   Les Mikesell
     lesmikesell at gmail.com
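The two rpm commands in Les's reply, wrapped in a small POSIX sh script as an added example (this is not code from the thread or from the nmap/rpm projects). It looks up the owning package of a flagged path, runs the verify, and decodes the attribute flag column of `rpm -V` output so the result is readable at a glance; the sample verify lines it runs over when rpm is unavailable are constructed for illustration, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): check a ClamAV-flagged
# file against the RPM database and decode the 'rpm -V' attribute flags.
#
# rpm -V prints one line per file; the first column is nine characters,
# a '.' where the attribute matches the package and a letter where it
# does not:
#   S size   M mode   5 digest   D device   L link path
#   U user   G group  T mtime    P capabilities
# A file that has disappeared is reported as "missing   <path>".

# Look up the owning package and verify it (needs a real rpm database).
verify_owner() {
  f="$1"
  pkg=$(rpm -q --whatprovides "$f" 2>/dev/null) || {
    echo "not owned by any package: $f"
    return 1
  }
  echo "owner: $pkg"
  rpm -Vv "$pkg"
}

# Decode one verify line. Returns 0 when every attribute matched,
# 1 when something changed, 2 when the file is missing.
decode_verify_line() {
  line="$1"
  flags=${line%% *}      # first field: flag column or the word "missing"
  path=${line##* }       # last field: the file path
  case "$flags" in
    missing) echo "MISSING $path"; return 2 ;;
  esac
  case "$flags" in
    *[SM5DLUGTP]*) ;;    # at least one attribute mismatched
    *) echo "OK      $path"; return 0 ;;
  esac
  reasons=""
  for c in S M 5 D L U G T P; do
    case "$flags" in
      *"$c"*)
        case "$c" in
          S) r="size" ;;   M) r="mode" ;;  5) r="digest" ;;
          D) r="device" ;; L) r="link" ;;  U) r="user" ;;
          G) r="group" ;;  T) r="mtime" ;; P) r="capabilities" ;;
        esac
        reasons="$reasons $r" ;;
    esac
  done
  echo "CHANGED $path:$reasons"
  return 1
}

# Decode a whole report read from stdin; exit 0 only if every file matched.
check_report() {
  status=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    decode_verify_line "$line" || status=1
  done
  return $status
}

# Constructed sample in 'rpm -Vv' layout (not real output from any host):
# the flagged script unchanged, one file with size/digest/mtime mismatches,
# and one file removed from disk.
SAMPLE_VERIFY_OUTPUT='.........    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
S.5....T.    /usr/share/nmap/scripts/example-modified.nse
missing      /usr/share/nmap/scripts/example-missing.nse'

if [ -n "$1" ] && command -v rpm >/dev/null 2>&1; then
  verify_owner "$1" | check_report
else
  printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | check_report
fi
```

Run it as `sh check_flagged.sh /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse` on the host in question; a clean package prints only `OK` lines. A `CHANGED` line with `digest` set is the one that matters for the question in the thread, since mtime alone can drift with a touch or a restore from backup, whereas a changed digest means the bytes on disk are no longer what the signed package shipped. Note that this, like `rpm -V` itself, trusts the local RPM database; on a host you suspect is compromised, compare against a package fetched from the mirror rather than the local database.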