[CentOS] ClamAV reports a trojan
Les Mikesell
lesmikesell at gmail.com
Thu Apr 16 15:09:42 UTC 2015
On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> This morning I discovered this in my clamav report from one of our
> imap servers:
>
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
> Unix.Trojan.MSShellcode-21 FOUND
>
>
> I have looked at this script and it appears to be part of the nmap
> distribution. It actually tests for irc backdoors. IRC is not used
> here and its ports are blocked by default both at the gateway and on
> all internal hosts.
>
> However, I nonetheless copied that file, removed nmap, re-installed
> nmap from base, and diffed the file of the same name installed with
> nmap against the copy. They are identical.
>
> The question is: Do I have a problem here or a false positive?
>
> I am not sure why nmap is on that host but evidently I had some reason
> last October to use it from that server. In any case I am going to
> remove it for good, or at least until the reason I had it there
> reoccurs or is recalled to mind.
If everything is rpm-installed you can say:
rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
and see what package installed it, and:
rpm -Vv packagename
to verify that the files still match what the package installed.
(Which, of course, doesn't tell you if the files are trojans or not,
just that they came from a presumably signed package and haven't been
modified subsequently.)
--
Les Mikesell
lesmikesell at gmail.com
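Added worked example (not part of the thread, and not James's or Les's own commands): a small POSIX shell script that wraps the two rpm commands Les suggests and then parses the `rpm -V` flag column, so that a scanner hit on an rpm-owned file can be triaged as "content differs from the package" versus "only the timestamp drifted". The flag letters (S size, M mode, 5 digest, D device, L readlink, U user, G group, T mtime, P capabilities) are those documented in rpm(8). The sample `rpm -V` output embedded below is constructed for the demonstration and is not output from the reporter's host; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original mailing-list post.
# Triage a ClamAV hit on an rpm-owned file in three steps:
#   1. find the package that owns the path      (rpm -q --whatprovides)
#   2. verify that package against the rpm db    (rpm -Vv)
#   3. read the verification flags so that a content change (size/digest)
#      is not confused with harmless mtime drift.

# Step 1: which package installed this file? (Les's first command.)
owning_package() {
    rpm -q --whatprovides "$1" 2>/dev/null
}

# Step 2: verify every file of that package. (Les's second command.)
# Exit status is non-zero whenever any file differs, so callers must not
# rely on "set -e" around it.
verify_package() {
    rpm -Vv "$1"
}

# Step 3: parse rpm -V output read from stdin. Each line looks like
#   <9 flag chars> [c|d|g|l|r] <path>       or       missing [attr] <path>
# A '.' in the flag column means that test passed. Only files whose
# size (S) or digest (5) differ are printed: those are the ones whose
# content is no longer what the package shipped. Paths containing
# spaces are not handled (rpm-owned paths normally do not have any).
content_changed() {
    awk '
        $1 == "missing" { next }          # deleted files: different problem
        {
            flags = $1
            path  = $NF                   # attribute letter, if any, is skipped
            if (index(flags, "S") || index(flags, "5")) print path
        }
    '
}

# Constructed sample of rpm -Vv output (NOT real output from any host):
#  - first line: mtime-only change, content intact
#  - second line: size and digest differ -> content modified
#  - third line: %config file whose digest differs -> content modified
#  - fourth line: file missing entirely
SAMPLE='.......T.    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
S.5....T.    /usr/share/nmap/scripts/http-title.nse
..5......  c /etc/nmap/nmap-services
missing     /usr/share/nmap/nselib/constructed-example.lua'

# Demonstration on the constructed sample; against a live host you would run
#   pkg=$(owning_package /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse)
#   verify_package "$pkg" | content_changed
printf '%s\n' "$SAMPLE" | content_changed
```

As Les notes, a clean `rpm -V` only proves the file matches what the (presumably signed) package installed; the parser above just makes that answer easier to read when a package has many files. A file that shows up with only a `T` flag has the same bytes the package shipped, which is the case for the quoted report where a reinstall produced an identical file.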