This morning I discovered this in my clamav report from one of our imap servers:

/usr/share/nmap/scripts/irc-unrealircd-backdoor.nse: Unix.Trojan.MSShellcode-21 FOUND

I have looked at this script and it appears to be part of the nmap distribution. It actually tests for irc backdoors. IRC is not used here and its ports are blocked by default both at the gateway and on all internal hosts.

However, I nonetheless copied that file, removed nmap, re-installed nmap from base, and diffed the file of the same name installed with nmap against the copy. They are identical.

The question is: Do I have a problem here or a false positive?

I am not sure why nmap is on that host but evidently I had some reason last October to use it from that server. In any case I am going to remove it for good, or at least until the reason I had it there reoccurs or is recalled to mind.

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> This morning I discovered this in my clamav report from one of our
> imap servers:
>
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
> Unix.Trojan.MSShellcode-21 FOUND
>
> I have looked at this script and it appears to be part of the nmap
> distribution. It actually tests for irc backdoors. IRC is not used
> here and its ports are blocked by default both at the gateway and on
> all internal hosts.
>
> However, I nonetheless copied that file, removed nmap, re-installed
> nmap from base, and diffed the file of the same name installed with
> nmap against the copy. They are identical.
>
> The question is: Do I have a problem here or a false positive?
>
> I am not sure why nmap is on that host but evidently I had some reason
> last October to use it from that server. In any case I am going to
> remove it for good, or at least until the reason I had it there
> reoccurs or is recalled to mind.

If everything is rpm-installed you can say:

rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse

and see what package installed it, and:

rpm -Vv packagename

to verify that the files still match what the package installed.

(which, of course, doesn't tell you if the files are trojans or not, just that they came from a presumably signed package and haven't been modified subsequently).

-- 
Les Mikesell
lesmikesell at gmail.com
On Thu, April 16, 2015 10:09 am, Les Mikesell wrote:
> On Thu, Apr 16, 2015 at 10:01 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
>> This morning I discovered this in my clamav report from one of our imap servers:
>>
>> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
>> Unix.Trojan.MSShellcode-21 FOUND
>>
>> I have looked at this script and it appears to be part of the nmap distribution. It actually tests for irc backdoors. IRC is not used here and its ports are blocked by default both at the gateway and on all internal hosts.
>>
>> However, I nonetheless copied that file, removed nmap, re-installed nmap from base, and diffed the file of the same name installed with nmap against the copy. They are identical.
>>
>> The question is: Do I have a problem here or a false positive?
>>
>> I am not sure why nmap is on that host but evidently I had some reason last October to use it from that server. In any case I am going to remove it for good, or at least until the reason I had it there reoccurs or is recalled to mind.
>
> If everything is rpm-installed you can say:
> rpm -q --whatprovides /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse
> and see what package installed it, and:
> rpm -Vv packagename
> to verify that the files still match what the package installed.
>
> (which, of course, doesn't tell you if the files are trojans or not, just that they came from a presumably signed package and haven't been modified subsequently).
>

In general: As both comparing checksums, perms etc. of files with the rpm database (rpm -V ...) and just executing md5sum or sha1sum are executed locally on the suspect machine, all of these are not to be trusted. The best practice is to copy files over to a trusted machine and run tests on the suspect file there. Or better yet: mount the drive from the suspect machine on a trusted machine. These would be general guidelines for forensics.
In particular (someone more knowledgeable will correct me if I'm wrong): clamav is a scanner that is designed to detect viruses (virii I should use for plural as it is a Latin word) that can attack MS Windows. In general, these viruses cannot do anything to a Linux system. Therefore, if clamav detects as "infected" one of the files belonging to a Linux distribution, it should be considered a "false positive". After all, it analyses/matches signatures of portions of file content.

The only reason I run clamav on my Linux and Unix servers is to check e-mail, as some client machines can be Windows machines. Another portion of your filesystem you may want to scan for Windows viruses can be something dedicated to Windows machines, like a SAMBA Windows share. Scanning the rest of your Linux or Unix machines does not make much sense to me.

Just my $0.02.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
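Added example, written for this thread and not code from any of the posters: a small POSIX shell helper that decodes the flag column of the `rpm -Vv` check Les suggests, so the result can be read correctly once the output has been copied to a trusted host as Valeri advises. The function name `explain_verify_line` and the three sample lines are constructed; the file path is the one from the clamav report.

```shell
#!/bin/sh
# Decode the flag column of `rpm -V` / `rpm -Vv` output for a flagged file.
# Each line rpm prints starts with nine columns, S M 5 D L U G T P:
# a letter means that attribute differs from the package database,
# '.' means it matches and '?' means it could not be tested, e.g.
#   S.5....T.    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse

# Print "unmodified", "metadata-only:<attrs>" or "content-changed:<attrs>"
# for one verify line (hypothetical helper, not part of rpm).
explain_verify_line() {
    line=$1
    flags=$(printf '%s' "$line" | cut -c1-9)
    # With -Vv, files that pass every test are listed as nine dots.
    if [ "$flags" = "........." ]; then echo "unmodified"; return 0; fi
    detail=""
    case $flags in *S*) detail="$detail size" ;; esac
    case $flags in *M*) detail="$detail mode" ;; esac
    case $flags in *5*) detail="$detail digest" ;; esac
    case $flags in *D*) detail="$detail device" ;; esac
    case $flags in *L*) detail="$detail symlink" ;; esac
    case $flags in *U*) detail="$detail owner" ;; esac
    case $flags in *G*) detail="$detail group" ;; esac
    case $flags in *T*) detail="$detail mtime" ;; esac
    case $flags in *P*) detail="$detail capabilities" ;; esac
    # Only a digest or size mismatch means the bytes differ from what the
    # package shipped; an mtime or ownership change alone does not.
    case $flags in
        *5*|*S*) echo "content-changed:$detail" ;;
        *)       echo "metadata-only:$detail" ;;
    esac
}

# Constructed sample lines, standing in for `rpm -Vv nmap` output copied
# off the suspect host. The first is what the posters in this thread saw.
SAMPLE_CLEAN='.........    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse'
SAMPLE_TOUCHED='.......T.    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse'
SAMPLE_REPLACED='S.5....T.    /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse'

for l in "$SAMPLE_CLEAN" "$SAMPLE_TOUCHED" "$SAMPLE_REPLACED"; do
    printf '%-9.9s -> %s\n' "$l" "$(explain_verify_line "$l")"
done
```

A clean nine-dot line, as in this thread, only says the file matches the package database; the signature on the package itself still has to be trusted, which is why the check belongs on a trusted host.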
On 16/04/15 16:01, James B. Byrne wrote:
> This morning I discovered this in my clamav report from one of our
> imap servers:
>
> /usr/share/nmap/scripts/irc-unrealircd-backdoor.nse:
> Unix.Trojan.MSShellcode-21 FOUND
>
> I have looked at this script and it appears to be part of the nmap
> distribution. It actually tests for irc backdoors. IRC is not
> used here and its ports are blocked by default both at the gateway
> and on all internal hosts.
>
> However, I nonetheless copied that file, removed nmap,
> re-installed nmap from base, and diffed the file of the same name
> installed with nmap against the copy. They are identical.
>
> The question is: Do I have a problem here or a false positive?
>
> I am not sure why nmap is on that host but evidently I had some
> reason last October to use it from that server. In any case I am
> going to remove it for good, or at least until the reason I had it
> there reoccurs or is recalled to mind.
>

Hi,

I believe this is definitely a false positive. Our mail server (CentOS 6.6) is reporting the very same "Trojan" on the very same file.

I've already done our investigation and came to the conclusion it is a false positive based on a verification of files from RPMDB, and also our intrusion detection system has not detected any changed files in /usr/share/ since before and after said "trojan" appeared.

Top that with two people seeing the same thing at the same time on two completely different machines/companies, and chances are high it's a false positive.

Hope this helps set your mind at ease :-).
Kind Regards,
Jake Shipton (JakeMS)
Twitter: @CrazyLinuxNerd
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F