I have installed the latest stable version of OSSEC (2.8.1) and also enabled email notifications. Today I got this alert through email:

OSSEC HIDS Notification.
2015 Apr 03 17:40:26

Received From: Bath-Towel->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh' (Generic).

 --END OF NOTIFICATION

Is this something to worry about, and if so then what should I do about it?

Information Update:

This is the contents of the file /bin/egrep:

#!/bin/bash
grep=grep
case $0 in
  */*)
    dir=${0%/*}
    if test -x "$dir/grep"; then
      PATH=$dir:$PATH
      grep=grep
    fi;;
esac
exec $grep -E "$@"

OS Information:

Description:    Ubuntu 14.10
Release:    14.10
  • `egrep` should be a shell script that ultimately runs `grep -E`. Check what's inside `/bin/egrep`. – Eric Carvalho Apr 03 '15 at 17:46
  • @EricCarvalho: Ok, I have updated my question with the contents, so is there anything to actually worry about? If not, then what did the alert by OSSEC HIDS mean? –  Apr 03 '15 at 18:19
  • Read the OSSEC documentation. From looking at the message, it probably combined the file being in /bin with the file contents matching the pattern 'bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh' – waltinator Apr 03 '15 at 19:08

1 Answer

I have OSSEC installed on some 14.04 servers, but I never got such notification.

It turns out that until Ubuntu 14.04 /bin/egrep is an ELF executable, but in 14.10 and later it is a shell script. Probably OSSEC was not updated yet to reflect this change.

Eric Carvalho
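To see why the alert fires on 14.10 but not on 14.04, it helps to run the signature quoted in the notification against both kinds of `/bin/egrep`. The script below is an added example, not code from the question, the answer, or the OSSEC project: it emulates what rootcheck's trojan check does (pull the printable strings out of the file, then test each one against the signature), applies it to the script posted in the question, and applies it to a constructed stand-in for the 14.04 ELF binary. The assumptions are that OSSEC's own matcher behaves like a Python regex for this signature, with `^` anchoring each extracted string, and that the ELF sample's strings are representative; both are labelled in the code.

```python
import re

# Signature exactly as quoted in the OSSEC alert on this page (rule 510, "Generic").
TROJAN_SIGNATURE = r'bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh'


def printable_strings(data, min_len=4):
    """Emulate strings(1): return runs of printable ASCII at least min_len long.

    rootcheck scans a file for printable strings before matching; this is an
    approximation of that step (assumption), not OSSEC's own code.
    """
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [m.group().decode('ascii') for m in re.finditer(pattern, data)]


def trojan_hits(data, signature=TROJAN_SIGNATURE):
    """Return every extracted string that the signature matches.

    '^' is anchored at the start of each extracted string, which is how a
    line-oriented scanner sees a shell script (assumption about OSSEC's matcher).
    An empty list means rule 510 would not fire for this file content.
    """
    regex = re.compile(signature)
    return [s for s in printable_strings(data) if regex.search(s)]


# The /bin/egrep wrapper posted in the question (Ubuntu 14.10), byte for byte.
EGREP_SCRIPT = b"""#!/bin/bash
grep=grep
case $0 in
  */*)
    dir=${0%/*}
    if test -x "$dir/grep"; then
      PATH=$dir:$PATH
      grep=grep
    fi;;
esac
exec $grep -E "$@"
"""

# Constructed stand-in for the 14.04 ELF build of egrep: an ELF magic header plus a
# couple of harmless strings a compiled grep would carry. Not a real binary.
FAKE_ELF_EGREP = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"GNU grep 2.16\x00"
    + b"Usage: %s [OPTION]... PATTERN [FILE]...\x00"
)


def explain(name, data):
    """Report which strings tripped the signature for one candidate file."""
    hits = trojan_hits(data)
    if hits:
        print("%s: rule 510 would fire; matching strings: %r" % (name, hits))
    else:
        print("%s: no string matches the signature" % name)
    return hits


if __name__ == "__main__":
    explain("14.10 shell-script egrep", EGREP_SCRIPT)
    explain("14.04-style ELF egrep (constructed)", FAKE_ELF_EGREP)
```

The only string the signature catches in the 14.10 wrapper is its shebang line, `#!/bin/bash`, through the `bash` alternative; every other line of the script is clean. That is the whole reason for the alert: the signature was written for a world where `/bin/egrep` is a compiled binary and any shell-script content in that path is suspicious, and Ubuntu 14.10 made that assumption false. The practical check before dismissing such an alert is to confirm the file is the one the `grep` package installed, for example with `dpkg -V grep` or `debsums grep`, which compare the installed file against the package's recorded checksums; an unchanged file that still trips the signature is a signature problem, not a compromise.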