[CentOS] ClamAV reports a trojan

Thu Apr 16 16:28:15 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, April 16, 2015 10:09 am, Les Mikesell wrote:
> On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>> This morning I discovered this in my clamav report from one of our imap
>> servers:
>> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
>> Unix.Trojan.MSShellcode-21 FOUND
>> I have looked at this script and it appears to be part of the nmap
>> distribution.  It actually tests for irc backdoors.  IRC is not used
>> here and its ports are blocked by default both at the gateway and on
>> all internal hosts.
>> However, I nonetheless copied that file, removed nmap, re-installed
>> nmap from base, and diffed the file of the same name installed with
>> nmap against the copy.  They are identical.
>> The question is: Do I have a problem here or a false positive?
>> I am not sure why nmap is on that host but evidently I had some reason
>> last October to use it from that server.  In any case I am going to
>> remove it for good, or at least until the reason I had it there
>> reoccurs or is recalled to mind.
>
> If everything is rpm-installed you can say:
> rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
> and see what package installed it and;
> rpm -Vv packagename
> to verify that the files still match what the package installed.
>
> (which, of course, doesn't tell you if the files are trojans or not, just
> that they came from a presumably signed package and haven't been
> modified subsequently).
>

In general:

As both comparing checksums, perms etc. of files with the rpm database (rpm -V
...) and just executing md5sum or sha1sum are executed locally on the
suspect machine, all of these are not to be trusted. The best practice is
to copy files over to a trusted machine and run tests on the suspect file
there, or better yet, mount the drive from the suspect machine on a trusted
machine. These would be general guidelines for forensics.

In particular (someone more knowledgeable will correct me if I'm wrong):

clamav is a scanner that is designed to detect viruses (virii I should use
for the plural as it is a Latin word) that can attack MS Windows. In general,
these viruses cannot do anything to a Linux system. Therefore, if clamav
detects as "infected" one of the files belonging to a Linux distribution, it
should be considered a "false positive". After all, it analyses/matches
signatures of portions of file content. The only reason I run clamav on my
Linux and Unix servers is to check e-mail, as some client machines can be
Windows machines. Another portion of your filesystem you may want to scan
for Windows viruses can be something dedicated to Windows machines, like a
SAMBA Windows share. Scanning the rest of your Linux or Unix machines does
not make much sense to me.

Just my $0.02.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
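One way to read the `rpm -Vv` output that Les suggests, as an added example that is not part of the thread (the sample lines below are constructed, and the script paths in them are placeholders, not real nmap files). Each line starts with a 9-character attribute string; a `.` means that attribute still matches the package database, a letter names what differs, and `?` means the test could not be run. As the thread notes, a clean result only says the file matches what the package installed, not that the package content is benign:

```shell
#!/bin/sh
# Produce the input on the suspect host (or, from a trusted host with the
# suspect drive mounted, add --root /mnt/suspect) with:
#   rpm -Vv "$(rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse)"
#
# Attribute letters: S size, M mode, 5 digest, D device, L symlink target,
# U user, G group, T mtime, P capabilities.

# Explain one `rpm -V` line; always returns 0 so it can run under `set -e`.
explain_rpm_verify_line() {
    line=$1
    attrs=${line%% *}        # first field: attribute string or "missing"
    path=${line##* }         # last field: the file path
    if [ "$attrs" = "missing" ]; then
        printf '%s: missing from disk\n' "$path"
        return 0
    fi
    changed=""
    i=1
    while [ "$i" -le 9 ]; do
        ch=$(printf '%s' "$attrs" | cut -c "$i")
        case "$ch" in
            S) changed="$changed size" ;;
            M) changed="$changed mode" ;;
            5) changed="$changed digest" ;;
            D) changed="$changed device" ;;
            L) changed="$changed symlink" ;;
            U) changed="$changed user" ;;
            G) changed="$changed group" ;;
            T) changed="$changed mtime" ;;
            P) changed="$changed capabilities" ;;
            \?) changed="$changed untestable" ;;
        esac
        i=$((i + 1))
    done
    if [ -z "$changed" ]; then
        printf '%s: matches package\n' "$path"
    else
        printf '%s: changed:%s\n' "$path" "$changed"
    fi
    return 0
}

# Constructed sample of `rpm -Vv` output (placeholder paths, not real files).
SAMPLE_RPM_V='.........    /usr/share/nmap/scripts/example-clean.nse
S.5....T.    /usr/share/nmap/scripts/example-modified.nse
missing      /usr/share/nmap/scripts/example-deleted.nse'

printf '%s\n' "$SAMPLE_RPM_V" | while IFS= read -r l; do explain_rpm_verify_line "$l"; done
```

A digest (`5`) or size (`S`) change on a non-config file is the case to copy off to a trusted machine for closer inspection; an mtime-only change is often just a touched file.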