NetBSD-Users archive


Possibly trojan'd netstat?



Hi!  New to this list but not lists or NetBSD in general.

Anyways....on to the story...

So I'm building up a 6.0 VM and downloaded a number of
packages from the ftp.netbsd.org site
(pub/pkgsrc/packages/x86_64/6.0/All).

After getting apache2.4 fixed I installed a number of
dependencies for Gallery1 and other apps that I just
downloaded and installed.  The list is:

ImageMagick-6.7.9.10.tgz
bash-2.05.2.7nb11.tgz
bash-4.2nb2.tgz
bash-completion-1.0nb1.tgz
bash-doc-2.05.2.tgz
fftw-3.3.3.tgz
fftw2-2.1.5nb3.tgz
fftwf-3.3.2nb1.tgz
fortune-strfile-0.tgz
fortunes-calvin-0.2.tgz
fortunes-de-0.20.tgz
fortunes-futurama-0.2.tgz
fortunes-h2g2-0.1.tgz
ilmbase-1.0.2nb2.tgz
jasper-1.900.1nb6.tgz
jhead-2.96.tgz
lcms-1.19nb1.tgz
lcms2-2.4.tgz
libf2c-20090201nb3.tgz
libltdl-2.2.6b.tgz
libwebp-0.2.1.tgz
netpbm-10.35.80nb4.tgz
openexr-1.7.0.tgz
tiff-4.0.3nb1.tgz
unzip-6.0nb1.tgz
zip-3.0nb2.tgz

After all that was done and working (among other things) I
installed ossec.  Upon reboot it gave me the following:

OSSEC HIDS Notification.
2013 Apr 22 21:14:45

Received From: (spinny) 192.168.1.153->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection
event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/netstat' detected.
Signature used:
'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Generic).



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Apr 22 21:14:46

Received From: (spinny) 192.168.1.153->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection
event (rootcheck)."
Portion of the log(s):

Files hidden inside directory '/dev/pts'. Link count does
not match number of files (2,1).



 --END OF NOTIFICATION

Currently the system is not in production yet.  I've
currently renamed and turned off execution of netstat:

spinny# mv netstat netstat-infected
spinny# chmod 000 netstat-infected
spinny# ls -la netstat*
----------  1 root  kmem  158761 Dec 21 05:25 netstat-infected
spinny#

I also have the host currently powered off.  I'm going to power it on a little 
later and get the checksum of the netstat file.

Please, if someone is aware of this, let me know if this is a false alarm or not.
I mean I can always blow the VM away and start from scratch but I'd
rather not.

--
Mike

If I wanted to create a universe from scratch
I guess I should have ordered the apple pie.
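To see what the quoted rootcheck signature actually matches, here is an added example (not from the post or from OSSEC itself) that extracts printable strings from a file the way strings(1) does and runs the Generic netstat signature over each one, which is how rootcheck's trojan check is modelled here; the sample "binary" is constructed inline. It shows why the alternative `/dev/[^aik]` fires on an ordinary string such as `/dev/null` while `/dev/kmem` is excluded, so a hit needs to be confirmed against a known-good checksum rather than taken as proof of compromise.

```python
import re

# Signature quoted in the OSSEC alert above (rootcheck "Generic" netstat entry).
NETSTAT_SIGNATURE = re.compile(rb"bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h")

# Constructed stand-in for a binary: ELF-like header bytes plus a few strings.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Usage: netstat [-Aan] [-f address_family]\x00"
    + b"/dev/null\x00"
    + b"/dev/kmem\x00"
    + b"netinet/in.h\x00"
    + b"\x01\x02ab\x03"
)


def printable_strings(data, min_len=4):
    """Yield runs of printable ASCII of at least min_len bytes, as strings(1) does."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group(0)


def rootcheck_matches(data):
    """Return (string, matched_fragment) pairs for every extracted string the
    signature matches; '^' is anchored at the start of each extracted string."""
    hits = []
    for s in printable_strings(data):
        m = NETSTAT_SIGNATURE.search(s)
        if m:
            hits.append((s.decode("ascii"), m.group(0).decode("ascii")))
    return hits


def scan_file(path):
    """Apply the same check to a file on disk, e.g. /usr/bin/netstat."""
    with open(path, "rb") as f:
        return rootcheck_matches(f.read())


if __name__ == "__main__":
    for string, fragment in rootcheck_matches(SAMPLE_BINARY):
        print("signature hit on %r (matched %r)" % (string, fragment))
```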


