On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> This morning I discovered this in my clamav report from one of our
> imap servers:
>
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
> Unix.Trojan.MSShellcode-21 FOUND
>
>
> I have looked at this script and it appears to be part of the nmap
> distribution. It actually tests for irc backdoors. IRC is not used
> here and its ports are blocked by default both at the gateway and on
> all internal hosts.
>
> However, I nonetheless copied that file, removed nmap, re-installed
> nmap from base, and diffed the file of the same name installed with
> nmap against the copy. They are identical.
>
> The question is: Do I have a problem here or a false positive?
>
> I am not sure why nmap is on that host but evidently I had some reason
> last October to use it from that server. In any case I am going to
> remove it for good, or at least until the reason I had it there
> reoccurs or is recalled to mind.

If everything is rpm-installed you can say:

rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse

and see what package installed it and:

rpm -Vv packagename

to verify that the files still match what the package installed. (Which, of course, doesn't tell you if the files are trojans or not, just that they came from a presumably signed package and haven't been modified subsequently.)

--
Les Mikesell
lesmikesell at gmail.com
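As an added example (not code from the thread or from rpm itself) of turning the `rpm -Vv` suggestion above into something scriptable: the functions below interpret rpm's per-file verification lines so the result can be checked automatically. The rpm output, paths and package name below are constructed sample data.

```shell
# Added example, not from the thread: parse the per-file lines that
# `rpm -Vv PACKAGE` prints so the "still matches the package" check can be
# scripted. All input below is constructed sample data, not from a real host.
# Each rpm -V line is: status columns ('.' = match), optional type letter
# (c config, d doc, ...), path; absent files print "missing". Columns:
# S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P caps.
flags_to_names() {
  names=""; i=1
  while [ "$i" -le "${#1}" ]; do
    case $(printf '%s' "$1" | cut -c"$i") in
      S) names="$names size" ;;
      M) names="$names mode" ;;
      5) names="$names digest" ;;
      D) names="$names device" ;;
      L) names="$names symlink" ;;
      U) names="$names user" ;;
      G) names="$names group" ;;
      T) names="$names mtime" ;;
      P) names="$names caps" ;;
    esac
    i=$((i + 1))
  done
  printf '%s' "${names# }"
}
# Reads rpm -Vv output on stdin and prints one line per file:
#   OK|METADATA|CHANGED|MISSING <path> [differing attributes]
# CHANGED (size or digest differs) is what matters when asking whether a
# file was replaced; METADATA means only owner, mode or mtime differ.
classify_rpm_verify() {
  while read -r flags ftype path; do
    if [ -z "$flags" ]; then continue; fi
    # the type column is optional: with two fields the second is the path
    if [ -z "$path" ]; then path=$ftype; fi
    case $flags in
      missing) printf 'MISSING %s\n' "$path" ;;
      *S*|*5*) printf 'CHANGED %s %s\n' "$path" "$(flags_to_names "$flags")" ;;
      *[MDLUGTP]*) printf 'METADATA %s %s\n' "$path" "$(flags_to_names "$flags")" ;;
      *) printf 'OK %s\n' "$path" ;;
    esac
  done
}
# Constructed `rpm -Vv nmap` output: the thread's script matches, a doc file
# has a newer mtime, the binary differs in size and digest, a file is missing.
SAMPLE_RPM_V='.........    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
.......T.  d /usr/share/doc/nmap/README
S.5....T.    /usr/bin/nmap
missing      /usr/share/nmap/nmap-services'
# On a real host: pkg=$(rpm -q --whatprovides FILE); rpm -Vv "$pkg" | classify_rpm_verify
printf '%s\n' "$SAMPLE_RPM_V" | classify_rpm_verify
```

A CHANGED or MISSING result on a file the package owns is what warrants a closer look; as the reply notes, a clean result only proves the file is the one the package shipped, not that the package itself is benign.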