[CentOS] ClamAV reports a trojan
Jake Shipton
jakems at fedoraproject.org
Sat Apr 18 15:16:48 UTC 2015
On 16/04/15 16:01, James B. Byrne wrote:
> This morning I discovered this in my clamav report from one of our
> imap servers:
>
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
> Unix.Trojan.MSShellcode-21 FOUND
>
>
> I have looked at this script and it appears to be part of the nmap
> distribution. It actually tests for irc backdoors. IRC is not
> used here and its ports are blocked by default both at the gateway
> and on all internal hosts.
>
> However, I nonetheless copied that file, removed nmap,
> re-installed nmap from base, and diffed the file of the same name
> installed with nmap against the copy. They are identical.
>
> The question is: Do I have a problem here or a false positive?
>
> I am not sure why nmap is on that host but evidently I had some
> reason last October to use it from that server. In any case I am
> going to remove it for good, or at least until the reason I had it
> there reoccurs or is recalled to mind.
>
Hi,
I believe this is definitely a false positive.
Our mail server (CentOS 6.6) is reporting the very same "Trojan" on
the very same file. I've already done our investigation and came to
the conclusion it is a false positive based on a verification of files
from RPMDB and also our intrusion detection system has not detected
any changed files in /usr/share/ since before and after said "trojan"
appeared.
Top that with two people seeing the same thing at the same time on two
completely different machines/companies, and chances are high it's a
false positive.
Hope this helps set your mind at ease :-).
Kind Regards,
Jake Shipton (JakeMS)
Twitter: @CrazyLinuxNerd
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F
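A small triage helper for this kind of AV hit, added here as an example (it is not from the thread, ClamAV or nmap), assuming an RPM-based host with `rpm` in PATH: it takes the path out of a clamscan report line, finds the package that owns it, and classifies the `rpm -V` result the way the replies above reason about it.

```shell
#!/bin/sh
# Triage helper: is a ClamAV-flagged file still the one its RPM package shipped?
# Added example; assumes an RPM-based host (CentOS) with rpm available.

# Extract the path from a clamscan report line such as
#   /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse: Unix.Trojan.MSShellcode-21 FOUND
clam_hit_path() {
    printf '%s\n' "${1%%: *}"
}

# Classify the `rpm -V` output for one file. rpm prints nothing when the file
# matches the package metadata; otherwise a flag string (S=size, M=mode,
# 5=digest, L=link, T=mtime, ...) or the word "missing", then the path.
classify_verify_line() {
    line="$1"
    [ -z "$line" ] && { echo intact; return 0; }
    case "$line" in
        missing*) echo missing; return 0 ;;
    esac
    flags="${line%% *}"
    case "$flags" in
        *5*|*S*|*L*) echo modified ;;      # contents differ from what the package shipped
        *)           echo metadata-only ;; # e.g. only mtime or mode changed
    esac
}

# Full triage for one flagged path: owning package, then the verify verdict.
# Exit status: 0 = package-owned and contents intact (the "false positive"
# situation in the thread), 1 = contents changed or file missing,
# 2 = no installed package claims the file (needs a closer look).
triage_clamav_hit() {
    path="$1"
    pkg=$(rpm -qf "$path" 2>/dev/null) || {
        echo "UNOWNED  $path (no installed package claims it)"
        return 2
    }
    verdict=$(classify_verify_line "$(rpm -V "$pkg" 2>/dev/null | awk -v p="$path" '$NF == p')")
    echo "$verdict  $path (package $pkg)"
    [ "$verdict" = intact ] || [ "$verdict" = metadata-only ]
}

# Example run on the path from the report above:
# triage_clamav_hit "$(clam_hit_path '/usr/share/nmap/scripts/irc-unrealircd-backdoor.nse: Unix.Trojan.MSShellcode-21 FOUND')"
```

`rpm -V` compares against the local RPM database, so for stronger assurance verify against a freshly downloaded package file with `rpm -Vp package.rpm`, which is the equivalent of the reinstall-and-diff check done in the thread.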