ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

False positive "Trojaned version of file '/bin/diff' detected" on Archlinux #2020

Closed tiiiecherle closed 11 months ago

tiiiecherle commented 3 years ago

Hey Ossec Team,

With the latest version of diffutils (3.8-1) installed, OSSEC reports a trojaned version of a few files.

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

I opened an issue at the archlinux bug tracker here: https://bugs.archlinux.org/task/72519#comment203202

When testing the files against the VirusTotal database nothing suspicious is reported, and the checksum seems fine.

Changing the diff line in rootkit_trojans.txt to diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh! stops the reports.

I assume it is a false positive, and after confirming that, rootkit_trojans.txt should be changed.

Thanks in advance

RonV666 commented 2 years ago

same for Fedora35. Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

MKPlato commented 2 years ago

Any updates on this issue? The bug still exists now.

ddpbsd commented 2 years ago

Please test PR #2062 I think it will handle this.

rileyjnevins commented 2 years ago

Just experienced this issue on several Ubuntu hosts of mine:

manager.name: wazuh
rule.firedtimes: 8
rule.mail: false
rule.level: 7
rule.pci_dss: 10.6.1
rule.description: Host-based anomaly detection event (rootcheck).
rule.groups: ossec, rootcheck
rule.id: 510
rule.gdpr: IV_35.7.d
decoder.name: rootcheck
full_log: Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
location: rootcheck

SedonD commented 1 year ago

I agree with the others, we are experiencing this: (Ubuntu 22.04 server)

Wazuh Alert: 'Host-based anomaly detection event (rootcheck).'

DETAILS Description: 'Host-based anomaly detection event (rootcheck).' Log: 'Trojaned version of file /usr/bin/diff detected. Signature used: bash ^/bin/sh file/.h proc/.h /dev/[^n] ^/bin/.*sh (Generic).' Rule: '510' location: 'rootcheck'

kamalmjt commented 1 year ago

Same problem.

{
  "agent": { "ip": "xxx", "name": "xxx", "id": "004" },
  "manager": { "name": "xxxx" },
  "data": { "file": "/bin/diff", "title": "Trojaned version of file detected." },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 7,
    "pci_dss": [ "10.6.1" ],
    "description": "Host-based anomaly detection event (rootcheck).",
    "groups": [ "ossec", "rootcheck" ],
    "id": "510",
    "gdpr": [ "IV_35.7.d" ]
  },
  "decoder": { "name": "rootcheck" },
  "full_log": "Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
  "input": { "type": "log" },
  "@timestamp": "2023-01-01T08:20:04.988Z",
  "location": "rootcheck",
  "id": "1672561204.10642855",
  "timestamp": "2023-01-01T08:20:04.988+0000",
  "_id": "nU9qbIUBLJew7AZ0p-A5"
}

Practicalbutterfly5 commented 1 year ago

Too many notifications of this

lemogra commented 1 year ago

This issue still continues, as below:

Wazuh Notification.
2023 Feb 03 14:41:32

Received From: siem1->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /bin/diff

fstrube commented 1 year ago

I think the issue may be due to a reference to /dev/full in the diff executable.

# strings /bin/diff | grep /dev/[^n]
/dev/full

I made a change in /var/ossec/etc/shared/rootkit_trojans.txt to the following line to see if that fixes the issue:

-diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|^/bin/.*sh!
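Review bot: `/dev/[^nf]` widens the exception well past the single `/dev/full` string that `strings /bin/diff | grep /dev/[^n]` turned up: it also stops matching any other `/dev/` path whose next character is `f`, so the edited entry checks less than the comment suggests. Since the `[^n]` class cannot express "anything except the literal `null` or `full`", say in the line's comment that the exception is by first character only, and re-run the check against a binary you have verified against the distribution package so the narrowed signature is known to still fire on the other alternations.
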
ngisvold commented 1 year ago

Any update on this?

ll3N1GmAll commented 1 year ago

This is still happening on Linux Mint 21

{
  "timestamp": "2023-03-19T14:54:44.046+0000",
  "rule": {
    "level": 7,
    "description": "Host-based anomaly detection event (rootcheck).",
    "id": "510",
    "firedtimes": 2,
    "mail": true,
    "groups": ["ossec", "rootcheck"],
    "gdpr": ["IV_35.7.d"]
  },
  "agent": { "id": "027", "name": "Mint21", "ip": "192.168.1.19" },
  "manager": { "name": "secon-server-wazuh-manager" },
  "id": "1679237684.3782962",
  "full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
  "decoder": { "name": "rootcheck" },
  "data": { "title": "Trojaned version of file detected.", "file": "/usr/bin/diff" },
  "location": "rootcheck"
}

ddpbsd commented 1 year ago

I never got any responses to the PR, but I've merged it. Hopefully it helps.

fuomag9 commented 1 year ago

Still happening to macOS as well

troublestarter commented 1 year ago

Happening on Debian 11 with Wazuh v4.3.10

Practicalbutterfly5 commented 1 year ago

Wazuh 4.4.0 and still happening .... Ubuntu 22.04 arm64

serfermorhc commented 1 year ago

Same here

y0d4a commented 1 year ago

can confirm same, latest ver. of wazuh

pleibling commented 1 year ago

Same, Wazuh 4.4.1 and Ubuntu Server minimal 22.04 (all updates).

Any News?

titleistfour commented 1 year ago

I have this issue with /usr/bin/mail on RHEL 9 and Wazuh 4.4.1.

gand0rf commented 1 year ago

Wanted to leave an update.
wazuh-manager version 4.4.5
wazuh-agent version 4.4.5

Files Indicated: /bin/diff /usr/bin/diff

Signature used: bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh

Going to try fstrube's edit to rootkit_trojans.txt.

iNimbleSloth commented 1 year ago

Receiving the same.

wazuh-manager version 4.4.5 running on an Ubuntu 22.04.2 LTS virtual machine. wazuh-agent version 4.4.5 also running on an Ubuntu 22.04.2 LTS virtual machine (different VM from above).

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

kayo77 commented 1 year ago

Receiving the same. on Debian 12.1 with wazuh-agent 4.5.0

troublestarter commented 1 year ago

I think nobody works on this ...

arf20 commented 1 year ago

Getting the same notification on Debian 12, wazuh 4.5.1

33b5e5 commented 1 year ago

In lieu of a proper fix, this will silence the alert from Wazuh on Debian/Ubuntu:

sudo vi /var/ossec/etc/rules/local_rules.xml

Add something like:

<group name="rootcheck,ossec,">
  <rule id="510" level="0" overwrite="yes">
    <match>/bin/diff</match>
    <description>Ignore 510 rootcheck on /bin/diff</description>
  </rule>
</group>

Test the changes:

sudo /var/ossec/bin/wazuh-analysisd -t

If it looks good restart:

sudo systemctl restart wazuh-manager.service

troublestarter commented 1 year ago

Hi @33b5e5

Thanks for the workaround.

But does it disable the check on /bin/diff?

It would be great if it worked as expected :)

Thanks again that said

earthyfort commented 1 year ago

Is there any news about this?

dibu28 commented 1 year ago

Same on Ubuntu 23:

Trojaned version of file detected. Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

vinsk0h commented 1 year ago

I have the same thing on U22 with Wazuh v4.5.2:

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

0xr00tx commented 1 year ago

Same issue with Agent v4.5.2 and Debian 12

lpingree commented 1 year ago

Seeing this on several of my linux machines.

moivica commented 1 year ago

Same issue active - ubuntu 23.04

sjansen1 commented 1 year ago

Seeing this on my Proxmox Hosts (based on Debian 12 Bookworm)

edxz101 commented 1 year ago

Same issue on Ubuntu 22.04 (at the date).

pld0vr commented 1 year ago

Also seeing this

pthoelken commented 1 year ago

Still exists, please fix this ugg.

alexeiol commented 1 year ago

2 years later this bug is still unfixed! I'm getting the same alert in Debian Bookworm and Ossec v3.7.0:

OSSEC HIDS Notification.
2023 Nov 02 12:18:09

Received From: debianvaio->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

Looking at the bright side, it is good to know this is a false positive.

ddpbsd commented 1 year ago

This has been fixed in tree for a while. I'm kind of regretting it though, it's easy enough to fix with an ignore rule. Right now if diff is trojaned and has a reference to /dev on a non-linux system it won't be caught. Here's the current definition though: diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!

alexeiol commented 1 year ago

> This has been fixed in tree for a while. I'm kind of regretting it though, it's easy enough to fix with an ignore rule. Right now if diff is trojaned and has a reference to /dev on a non-linux system it won't be caught. Here's the current definition though: diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!

But this "fix" is not really a "fix" because... What if 'diff' ever becomes legitimately infected? People install security software because they have legitimate security concerns. A false positive detection is a bug in the software and that's what should be fixed.

ddpbsd commented 1 year ago

How do you expect to check for the presence of /dev but not alert on the presence of /dev?

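The trade-off ddpbsd describes above (a signature that looks for `/dev/` references will fire on a legitimate `/dev/full` string, and removing that alternation leaves a real `/dev` reference uncaught) can be seen by replaying the three `diff` signatures quoted in this thread over the strings of a binary. The script below is an added example written for this thread, not OSSEC or Wazuh code: it approximates what rootcheck's trojan check does (extract printable strings, apply the `!regex!` entry) using Python's `re` in place of OSSEC's own regex engine, which is an assumption that holds for the plain alternations shown here. The two byte strings are constructed stand-ins, not real diffutils bytes; `/dev/SAMPLE` is a made-up reference standing in for the "trojaned diff that references /dev" case.

```python
import re
from typing import List, Optional, Tuple

# The three 'diff' signatures quoted in this thread, in the !regex! form that
# rootkit_trojans.txt uses (with the surrounding '!' delimiters stripped).
SIG_ORIGINAL = r"bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh"   # shipped definition that fired
SIG_FSTRUBE = r"bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|^/bin/.*sh"   # fstrube's local edit
SIG_CURRENT = r"bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh"              # definition merged in tree

# Constructed stand-in for a binary (not real diffutils bytes): an ELF-looking
# header, the '/dev/full' string that strings(1) found, and one option string.
FAKE_DIFF = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
             + b"/dev/full\x00--unified\x00" + b"\x90" * 8)
# Same bytes plus a made-up '/dev/SAMPLE' reference (hypothetical), standing in
# for the "diff is trojaned and has a reference to /dev" case.
FAKE_TROJANED_DIFF = FAKE_DIFF + b"/dev/SAMPLE\x00"


def parse_trojans_line(line: str) -> Optional[Tuple[str, str]]:
    """Parse one 'name   !regex!' line of a rootkit_trojans.txt-style file.
    Returns (name, regex), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    name, sep, rest = line.partition("!")
    if not sep or "!" not in rest:
        return None
    regex = rest.rsplit("!", 1)[0]          # drop the closing '!' and any trailing note
    return name.strip(), regex


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Approximation of strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def matching_strings(data: bytes, signature: str) -> List[str]:
    """Strings in `data` that the signature matches, i.e. what rootcheck would
    report. Assumption: Python's re stands in for OSSEC's own regex engine."""
    compiled = re.compile(signature)
    return [s for s in printable_strings(data) if compiled.search(s)]


def is_flagged(data: bytes, signature: str) -> bool:
    """True when the file would raise a 'Trojaned version of file' event."""
    return bool(matching_strings(data, signature))


def scan_path(path: str, signature: str) -> List[str]:
    """Apply a signature to a real file on disk, e.g. /usr/bin/diff."""
    with open(path, "rb") as fh:
        return matching_strings(fh.read(), signature)


if __name__ == "__main__":
    for label, sig in (("original", SIG_ORIGINAL), ("[^nf]", SIG_FSTRUBE), ("current", SIG_CURRENT)):
        clean = matching_strings(FAKE_DIFF, sig) or "no alert"
        bad = matching_strings(FAKE_TROJANED_DIFF, sig) or "no alert"
        print(f"{label:>9}: clean diff -> {clean}; diff with extra /dev reference -> {bad}")
```

Run on a host, `scan_path("/usr/bin/diff", SIG_ORIGINAL)` reproduces the `/dev/full` hit fstrube found with `strings`. The output for the constructed samples shows each option's cost: the shipped signature alerts on the clean binary, the `[^nf]` edit stays quiet on it but still catches the extra `/dev` reference, and the merged definition is quiet on both. Whichever is chosen, a suspected false positive is confirmed the way the reporter did it, by checking the binary against the distribution package, not only by silencing rule 510.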
JackThird commented 1 year ago

same here, ubuntu server 22.04, wazuh 4.5.4

moivica commented 1 year ago

Same problem: Wazuh v 4.6.0 Ubuntu 23.04

Dmitry-Ge commented 1 year ago

Debian 12 , ossec-hids-agent_3.7.0-29672bookworm_amd64.deb - same problem.

jdmedeiros commented 1 year ago

Same problem: AWS AL2023

Linux xxxxxxxxxxx 6.1.59-84.139.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 24 20:57:25 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

{"error":0,"data":[{"WAZUH_VERSION":"v4.6.0"},{"WAZUH_REVISION":"40603"},{"WAZUH_TYPE":"server"}]}

markgabrang commented 1 year ago

Same on Ubuntu 22.04 hosts, v4.6.0

"decoder": {
  "name": "rootcheck"
},
"id": "1699540605.90066869",
"full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
"timestamp": "2023-11-09T14:36:45.727+0000"

RandomUser0815 commented 12 months ago

Same on Ubuntu 22.04, Wazuh v4.5.3

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

kawaiipantsu commented 11 months ago

Bump ... Still issue!

pisarz77 commented 11 months ago

same on current debian 12

redrubytech commented 11 months ago

Bump. still same issue on Ubuntu 22.04 with Wazuh 4.6

iXvXi commented 11 months ago

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

This event is on my host Wazuh server running Ubuntu 22.04.3 LTS.