[CentOS] ClamAV reports a trojan

Sun Apr 19 20:18:49 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

On Sat, April 18, 2015 11:16, Jake Shipton wrote:
> On 16/04/15 16:01, James B. Byrne wrote:
>> This morning I discovered this in my clamav report from one of our
>> imap servers:
>>
>> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
>> Unix.Trojan.MSShellcode-21 FOUND
>>
>>
>> I have looked at this script and it appears to be part of the nmap
>> distribution.  It actually tests for irc backdoors.  IRC is not
>> used here and its ports are blocked by default both at the gateway
>> and on all internal hosts.
>>
>> However, I nonetheless copied that file, removed nmap,
>> re-installed nmap from base, and diffed the file of the same name
>> installed with nmap against the copy.  They are identical.
>>
>> The question is: Do I have a problem here or a false positive?
>>
>> I am not sure why nmap is on that host but evidently I had some
>> reason last October to use it from that server.  In any case I am
>> going to remove it for good, or at least until the reason I had it
>> there reoccurs or is recalled to mind.
>>
>
> Hi,
>
> I believe this is definitely a false positive.
>
> Our mail server (CentOS 6.6) is reporting the very same "Trojan" on
> the very same file. I've already done our investigation and came to
> the conclusion it is a false positive based on a verification of files
> from RPMDB and also our intrusion detection system has not detected
> any changed files in /usr/share/ since before and after said "trojan"
> appeared.
>
> Top that with two people seeing the same thing at the same time in two
> completely different machines/companies, chances are high it's a false
> positive.
>
> Hope this helps set your mind at ease :-).
>
> Kind Regards,
> Jake Shipton (JakeMS)
> Twitter: @CrazyLinuxNerd
> GPG Key: 0xE3C31D8F
> GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F

Thank you.  We run aide on that box and it did not report any recent
changes to that file.  RPM and yum history corroborated the install
date as being last October. We have concluded this is a false positive
following a recent ClamAV update.

We have nonetheless removed nmap from that host.


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
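As an added example (not code from this thread or from the nmap or ClamAV projects), a POSIX sh helper for the RPM-database check Jake and James describe: it classifies the lines `rpm -V` prints for a package, so a ClamAV hit on a file whose size, digest and mtime still match the package record can be triaged as a likely false positive, while a digest change gets looked at. The function and label names are my own, and the sample verify lines in the test are constructed.

```shell
#!/bin/sh
# Classify one line of `rpm -V` output (rpm >= 4.6 layout):
#   SM5DLUGTP  c /path      nine test columns, an attribute column, the path
# '.' in a column means that test passed, '?' means it could not be run,
# a letter names the failed test, and "missing" lines mark deleted files.
# Prints a one-line verdict; returns 0 only when every test passed.
rpm_verify_classify() {
    set -- $1                      # split on whitespace: flags [attr] path
    flags=$1
    eval "path=\$$#"               # the last field is the path
    case $flags in
        missing) echo "MISSING $path"; return 1 ;;
    esac
    reasons=""
    rest=$flags
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}      # first character of $rest
        rest=${rest#?}
        case $c in
            S) reasons="$reasons size" ;;
            M) reasons="$reasons mode" ;;
            5) reasons="$reasons digest" ;;
            D) reasons="$reasons device" ;;
            L) reasons="$reasons symlink" ;;
            U) reasons="$reasons user" ;;
            G) reasons="$reasons group" ;;
            T) reasons="$reasons mtime" ;;
            P) reasons="$reasons capabilities" ;;
        esac
    done
    if [ -n "$reasons" ]; then
        echo "MODIFIED $path:$reasons"; return 1
    fi
    case $flags in *\?*) echo "UNVERIFIED $path"; return 1 ;; esac
    echo "CLEAN $path"; return 0
}

# Triage a path reported by ClamAV: find the owning package, verify it
# against the rpmdb and classify the result. Needs rpm and the host's
# rpmdb, so this wrapper is not exercised by the offline test.
triage_flagged_file() {
    f=$1
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "UNOWNED $f"; return 2; }
    line=$(rpm -V "$pkg" 2>/dev/null | grep -F -- " $f")
    if [ -z "$line" ]; then echo "CLEAN $f ($pkg)"; return 0; fi
    rpm_verify_classify "$line"
}
```

`rpm -V` trusts the digests stored in the local rpmdb, so when the host itself is in doubt, confirm against a freshly downloaded copy of the package, as James did by reinstalling and diffing.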