NetBSD-Users archive


Re: Possibly trojan'd netstat?



In article <5177059B.30200%nimitzbrood.com@localhost>,
Mike Hebel <nimitz%nimitzbrood.com@localhost> wrote:
>Hi!  New to this list but not lists or NetBSD in general.
>
>Anyways....on to the story...
>
>So I'm building up a 6.0 VM and downloaded a number of
>packages from the ftp.netbsd.org site.
>(pub/pkgsrc/packages/x86_64/6.0/All)
>
>After getting apache2.4 fixed I installed a number of
>dependencies for Gallery1 and other apps that I just
>downloaded and installed.  The list is:
>
>ImageMagick-6.7.9.10.tgz
>ilmbase-1.0.2nb2.tgz
>bash-2.05.2.7nb11.tgz
>jasper-1.900.1nb6.tgz
>bash-4.2nb2.tgz
>jhead-2.96.tgz
>bash-completion-1.0nb1.tgz
>lcms-1.19nb1.tgz
>bash-doc-2.05.2.tgz
>lcms2-2.4.tgz
>fftw-3.3.3.tgz
>libf2c-20090201nb3.tgz
>fftw2-2.1.5nb3.tgz
>libltdl-2.2.6b.tgz
>fftwf-3.3.2nb1.tgz
>libwebp-0.2.1.tgz
>fortune-strfile-0.tgz
>netpbm-10.35.80nb4.tgz
>fortunes-calvin-0.2.tgz
>openexr-1.7.0.tgz
>fortunes-de-0.20.tgz
>tiff-4.0.3nb1.tgz
>fortunes-futurama-0.2.tgz
>unzip-6.0nb1.tgz
>fortunes-h2g2-0.1.tgz
>zip-3.0nb2.tgz
>
>After all that was done and working (among other things) I
>installed ossec.  Upon reboot it gave me the following:
>
>OSSEC HIDS Notification.
>2013 Apr 22 21:14:45
>
>Received From: (spinny) 192.168.1.153->rootcheck
>Rule: 510 fired (level 7) -> "Host-based anomaly detection
>event (rootcheck)."
>Portion of the log(s):
>
>Trojaned version of file '/usr/bin/netstat' detected.
>Signature used:
>'bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h' (Generic).

This is what happens if egrep is your antivirus:

$ egrep '(bash|^/bin/sh|/dev/[^aik]|/prof|grep|addr\.h)' /usr/bin/netstat
Binary file /usr/bin/netstat matches
$ strings /usr/bin/netstat | fgrep grep
mobile_regreply
$ fgrep -r regreply /usr/include/
/usr/include/netinet/ip_icmp.h: "mobile_regrequest", "mobile_regreply", "reserved_37",

This is there to print icmp stats per icmp type.

christos
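The reply above shows why a bare substring alternation is a poor trojan detector: the `grep` alternative fires on the ICMP type name `mobile_regreply`. The following Python script is an added illustration, not code from the thread, from NetBSD or from OSSEC. It applies the six alternatives quoted in the alert to the printable strings of two constructed byte blobs (a stand-in for the clean `/usr/bin/netstat` carrying the three ICMP names from `<netinet/ip_icmp.h>`, and a stand-in for a backdoored binary), shows the false positive, shows that requiring `grep` to stand as a whole word removes it while still catching the constructed trojan, and finally confirms the verdict the way a practitioner should: against a known-good checksum (the allowlist here is constructed, not a real NetBSD set checksum). How OSSEC's rootcheck actually applies its signatures is not reproduced; the alternatives are matched with Python's `re` module one string at a time.

```python
import hashlib
import re

# The generic signature quoted in the OSSEC alert, split into its alternatives.
GENERIC_ALTERNATIVES = ['bash', '^/bin/sh', '/dev/[^aik]', '/prof', 'grep', r'addr\.h']

# Constructed variant (not an OSSEC signature): "grep" must be a word on its
# own, so an identifier such as mobile_regreply no longer trips it, while
# "grep -v" or "/usr/bin/grep" still does.
REFINED_ALTERNATIVES = ['bash', '^/bin/sh', '/dev/[^aik]', '/prof', r'\bgrep\b', r'addr\.h']

# Constructed stand-in for /usr/bin/netstat: an ELF-looking header followed by
# the three ICMP type names from <netinet/ip_icmp.h> named in the reply.
CLEAN_BIN = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
             + b"mobile_regrequest\x00mobile_regreply\x00reserved_37\x00")

# Constructed stand-in for a backdoored binary that shells out and hides a
# pty; nothing here is taken from a real trojan.
TROJAN_BIN = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9
              + b"/bin/sh\x00/dev/ptyp\x00grep -v\x00")


def extract_strings(data, min_len=4):
    """Roughly what strings(1) prints: runs of printable ASCII of min_len or more."""
    return [m.group().decode('ascii')
            for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, data)]


def signature_hits(strings, alternatives=GENERIC_ALTERNATIVES):
    """Return (string, alternative) for every string some alternative matches.

    Each string is searched on its own, so '^' anchors at the start of that
    string, as it does at the start of a line for egrep.  The first matching
    alternative wins, which tells you *which* part of the signature fired.
    """
    compiled = [(alt, re.compile(alt)) for alt in alternatives]
    hits = []
    for s in strings:
        for alt, rx in compiled:
            if rx.search(s):
                hits.append((s, alt))
                break
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def confirm_with_checksum(data, path, known_good):
    """A signature hit is only a lead; decide by comparing the file's digest
    with a checksum obtained from the distribution.  known_good maps
    path -> sha256 hex and is constructed below for the demo."""
    return known_good.get(path) == sha256_hex(data)


# Constructed allowlist, standing in for a checksum list shipped with the
# installed set.  In practice it must come from a trusted copy, not from
# the possibly compromised host.
KNOWN_GOOD = {"/usr/bin/netstat": sha256_hex(CLEAN_BIN)}


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BIN), ("trojan", TROJAN_BIN)):
        strs = extract_strings(blob)
        print(name, "generic:", signature_hits(strs))
        print(name, "refined:", signature_hits(strs, REFINED_ALTERNATIVES))
        print(name, "checksum ok:",
              confirm_with_checksum(blob, "/usr/bin/netstat", KNOWN_GOOD))
```

Running it prints one generic hit for the clean blob, `('mobile_regreply', 'grep')`, none with the refined alternatives, and three hits either way for the trojan blob; only the clean blob passes the checksum comparison. The word-boundary tweak narrows this one false positive but is still string matching; the checksum against a trusted list is what actually settles whether the file was replaced.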
