NetBSD-Users archive


Re: Possibly trojan'd netstat?

In article <>,
Mike Hebel  <> wrote:
>Hi!  New to this list but not lists or NetBSD in general.
>Anyways....on to the story...
>So I'm building up a 6.0 VM and downloaded a number of
>packages from site.
>After getting apache2.4 fixed I installed a number of
>dependencies for Gallery1 and other apps that I just
>downloaded and installed.  The list is:
>After all that was done and working (among other things) I
>installed ossec.  Upon reboot it gave me the following:
>OSSEC HIDS Notification.
>2013 Apr 22 21:14:45
>Received From: (spinny)>rootcheck
>Rule: 510 fired (level 7) -> "Host-based anomaly detection
>event (rootcheck)."
>Portion of the log(s):
>Trojaned version of file '/usr/bin/netstat' detected.
>Signature used:
>'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Generic).

This is what happens if egrep is your antivirus:

$ egrep '(bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h)' /usr/bin/netstat
Binary file /usr/bin/netstat matches
$ strings /usr/bin/netstat | fgrep grep
$ fgrep -r regreply /usr/include/
/usr/include/netinet/ip_icmp.h: "mobile_regrequest", "mobile_regreply", 

This is there to print icmp stats per icmp type.
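As an added illustration, not part of the thread or of OSSEC: a small Python triage helper that applies the quoted rootcheck signature the way egrep does, but reports which alternative fired and the bytes around it, so the "Binary file matches" verdict can be traced back to `mobile_regreply`. The sample bytes are constructed to mimic the ICMP type-name table a stock netstat carries.

```python
import re

# The OSSEC rootcheck signature quoted in the thread, in egrep syntax.
SIGNATURE = r'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h'

# Constructed sample standing in for /usr/bin/netstat: an ELF-like header followed
# by the ICMP type-name strings the thread traces to <netinet/ip_icmp.h>.
SAMPLE_NETSTAT = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
                  + b"echo reply\x00mobile_regrequest\x00mobile_regreply\x00time exceeded\x00")


def egrep_says_trojaned(data, signature=SIGNATURE):
    """The yes/no verdict egrep gives: True if any alternative matches anywhere."""
    return re.search(signature.encode(), data, flags=re.MULTILINE) is not None


def explain_matches(data, signature=SIGNATURE, context=10):
    """Same check, but return (alternative, matched_text, surrounding_bytes) for
    every hit so an analyst can judge whether the match is a real indicator.
    Assumes the top-level '|' of the signature never sits inside brackets,
    which holds for the signature above (an assumption of this example)."""
    alts = signature.split('|')
    # Wrap each alternative in its own named group; m.lastgroup then tells us which fired.
    pattern = b'|'.join(b'(?P<a%d>%s)' % (i, a.encode()) for i, a in enumerate(alts))
    hits = []
    for m in re.finditer(pattern, data, flags=re.MULTILINE):
        lo, hi = max(0, m.start() - context), min(len(data), m.end() + context)
        snippet = data[lo:hi].replace(b'\x00', b' ').decode('latin-1')
        hits.append((alts[int(m.lastgroup[1:])], m.group().decode('latin-1'), snippet))
    return hits


if __name__ == '__main__':
    print('egrep verdict: trojaned =', egrep_says_trojaned(SAMPLE_NETSTAT))
    for alt, text, snippet in explain_matches(SAMPLE_NETSTAT):
        print('alternative %-12r matched %r in: %r' % (alt, text, snippet))
```

On the constructed sample the only hit is the `grep` alternative matching inside `mobile_regreply`, which is the false positive the thread explains.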

