False positive "Trojaned version of file '/bin/diff' detected" on Archlinux

[tiiiecherle]

Hey Ossec Team,

with the latest version diffutils 3.8-1 installed ossec reports a trojaned version of a few files.

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

I opened an issue at the archlinux bug tracker here:
https://bugs.archlinux.org/task/72519#comment203202

When testing the files against virustotal database nothing suspicious is reported and the checksum seems fine.

Changing the diff line in rootkit_trojans.txt to diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh! solves the reporting.

I assume it is a false positive and after confirming the rootkit_trojans.txt should be changed.

Thanks in advance

[RonV666]

same for Fedora35.
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

[MKPlato]

Any updates on this issue? The bug still exists now.

[ddpbsd]

Please test PR #2062
I think it will handle this.

[rileyjnevins]

Just experienced this issue on several Ubuntu hosts of mine:

  | manager.name | wazuh
  | rule.firedtimes | 8
  | rule.mail | false
  | rule.level | 7
  | rule.pci_dss | 10.6.1
  | rule.description | Host-based anomaly detection event (rootcheck).
  | rule.groups | ossec, rootcheck
  | rule.id | 510
  | rule.gdpr | IV_35.7.d
  | decoder.name | rootcheck
  | full_log | Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
  | location | rootcheck

[SedonD]

I agree with the others, we are experiencing this:
(Ubuntu 22.04 server)

Wazuh Alert: 'Host-based anomaly detection event (rootcheck).'

DETAILS
Description: 'Host-based anomaly detection event (rootcheck).' Log: 'Trojaned version of file /usr/bin/diff detected. Signature used: bash ^/bin/sh file/.h proc/.h /dev/[^n] ^/bin/.*sh (Generic).' Rule: '510' location: 'rootcheck'

[kamalmjt]

Same problem.

{
"agent": {
"ip": "xxx",
"name": "xxx",
"id": "004"
},
"manager": {
"name": "xxxx"
},
"data": {
"file": "/bin/diff",
"title": "Trojaned version of file detected."
},
"rule": {
"firedtimes": 1,
"mail": false,
"level": 7,
"pci_dss": [
"10.6.1"
],
"description": "Host-based anomaly detection event (rootcheck).",
"groups": [
"ossec",
"rootcheck"
],
"id": "510",
"gdpr": [
"IV_35.7.d"
]
},
"decoder": {
"name": "rootcheck"
},
"full_log": "Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
"input": {
"type": "log"
},
"@timestamp": "2023-01-01T08:20:04.988Z",
"location": "rootcheck",
"id": "1672561204.10642855",
"timestamp": "2023-01-01T08:20:04.988+0000",
"_id": "nU9qbIUBLJew7AZ0p-A5"
}

[Practicalbutterfly5]

Too many notifications of this

[lemogra]

this issus still continues as below
Wazuh Notification.
2023 Feb 03 14:41:32

Received From: siem1->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /bin/diff

[fstrube]

I think the issue may be due to a reverence to /dev/full in the diff executable.

# strings /bin/diff | grep /dev/[^n]
/dev/full

I made a change in /var/ossec/etc/shared/rootkit_trojans.txt to the following line to see if that fixes the issue:

-diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|^/bin/.*sh!

[ngisvold]

Any update on this?

[ll3N1GmAll]

This is still happening on Linux Mint 21

"timestamp":"2023-03-19T14:54:44.046+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":true,"groups":["ossec","rootcheck"],"gdpr":["IV_35.7.d"]},"agent":{"id":"027","name":"Mint21","ip":"192.168.1.19"},"manager":{"name":"secon-server-wazuh-manager"},"id":"1679237684.3782962","full_log":"Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/diff"},"location":"rootcheck"}

[ddpbsd]

I never got any responses to the PR, but I've merged it. Hopefully it helps.