False positive "Trojaned version of file '/bin/diff' detected" on Archlinux

tiiiecherle opened this issue (status: Open)

Hey OSSEC Team,

With the latest version of diffutils (3.8-1) installed, OSSEC reports a trojaned version of a few files.

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

I opened an issue at the archlinux bug tracker here: https://bugs.archlinux.org/task/72519#comment203202

When testing the files against the VirusTotal database nothing suspicious is reported, and the checksum seems fine.

Changing the diff line in rootkit_trojans.txt to

diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!

stops the reporting.

I assume it is a false positive, and after confirming this, rootkit_trojans.txt should be changed.

Thanks in advance

tiiiecherle (Oct 24 '21 11:10)

Same for Fedora 35: Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

RonV666 (Nov 14 '21 16:11)

Any updates on this issue? The bug still exists now.

MKPlato (Sep 07 '22 01:09)

Please test PR #2062; I think it will handle this.

ddpbsd (Sep 07 '22 14:09)

Just experienced this issue on several Ubuntu hosts of mine:

manager.name: wazuh
rule.firedtimes: 8
rule.mail: false
rule.level: 7
rule.pci_dss: 10.6.1
rule.description: Host-based anomaly detection event (rootcheck).
rule.groups: ossec, rootcheck
rule.id: 510
rule.gdpr: IV_35.7.d
decoder.name: rootcheck
full_log: Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
location: rootcheck

rileyjnevins (Oct 31 '22 19:10)

I agree with the others, we are experiencing this: (Ubuntu 22.04 server)

Wazuh Alert: 'Host-based anomaly detection event (rootcheck).'

DETAILS
Description: 'Host-based anomaly detection event (rootcheck).'
Log: 'Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).'
Rule: '510'
location: 'rootcheck'

SedonD (Dec 31 '22 15:12)

Same problem.

{
  "agent": { "ip": "xxx", "name": "xxx", "id": "004" },
  "manager": { "name": "xxxx" },
  "data": { "file": "/bin/diff", "title": "Trojaned version of file detected." },
  "rule": {
    "firedtimes": 1,
    "mail": false,
    "level": 7,
    "pci_dss": [ "10.6.1" ],
    "description": "Host-based anomaly detection event (rootcheck).",
    "groups": [ "ossec", "rootcheck" ],
    "id": "510",
    "gdpr": [ "IV_35.7.d" ]
  },
  "decoder": { "name": "rootcheck" },
  "full_log": "Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
  "input": { "type": "log" },
  "@timestamp": "2023-01-01T08:20:04.988Z",
  "location": "rootcheck",
  "id": "1672561204.10642855",
  "timestamp": "2023-01-01T08:20:04.988+0000",
  "_id": "nU9qbIUBLJew7AZ0p-A5"
}

kamalmjt (Jan 01 '23 17:01)

Too many notifications of this

Practicalbutterfly5 (Jan 12 '23 18:01)

This issue still continues, as below:

Wazuh Notification.
2023 Feb 03 14:41:32

Received From: siem1->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /bin/diff

lemogra (Feb 03 '23 14:02)

I think the issue may be due to a reference to /dev/full in the diff executable.

# strings /bin/diff | grep '/dev/[^n]'
/dev/full

I made a change in /var/ossec/etc/shared/rootkit_trojans.txt to the following line to see if that fixes the issue:

-diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|^/bin/.*sh!
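Review bot: the widened class `/dev/[^nf]` on the `+` line exempts every string that begins with `/dev/f`, not only `/dev/full`, so a replaced binary that references `/dev/fd/0` or `/dev/fb0` would now pass the check. Given that the `strings | grep` output above shows `/dev/full` as the only hit, a tighter exemption that keeps the rest of the `/dev/f` namespace covered would be `/dev/[^nf]|/dev/f[^u]` (POSIX ERE has no negative lookahead, so this is the closest cheap approximation; it also lets through other `/dev/fu*` names, which is a small price). The entry otherwise keeps the file's format (name, whitespace, `!`-delimited expression).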

fstrube (Feb 06 '23 00:02)
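The two signature edits proposed so far (the first post's and fstrube's) are easier to judge with the check replayed outside the agent. The script below is an added example, not OSSEC or Wazuh code: it reproduces what rootcheck does for an entry in rootkit_trojans.txt (pull the printable strings out of the binary, test each against the expression between the `!` delimiters, alert on any match), runs the stock signature and the two candidate replacements against constructed sample files, and adds the distro-side package verification the first post relies on. It assumes a POSIX sh with tr, grep, printf and mktemp, that the expressions are POSIX EREs (which is what the `/dev/[^n]` and `file\.h` syntax on this page implies), and that `pacman -Qkk`, `dpkg -V` or `rpm -V` is the integrity check on the respective distro; the "narrow" signature is this example's own suggestion, not something from the thread.

```shell
#!/bin/sh
# Added example, not OSSEC/Wazuh code: replay rootcheck's trojan check on a
# file so a reported hit can be explained before the signature is tuned.
# rootcheck extracts printable strings from each binary listed in
# rootkit_trojans.txt (roughly what strings(1) prints: runs of 4+ printable
# characters) and tests each string against the expression between the '!'
# delimiters; a single match produces "Trojaned version of file ... detected".
# Assumptions: POSIX sh with tr, grep, printf, mktemp; the expressions are
# POSIX EREs. The sample "binaries" below are constructed here, not real files.

SIG_STOCK='bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh'
# fstrube's candidate: exempts every /dev/f... string, /dev/fd/0 included
SIG_FSTRUBE='bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|^/bin/.*sh'
# Narrower candidate (an assumption of this example, not from the thread):
# exempts only /dev/fu..., so /dev/fd/0 and /dev/fb0 stay suspicious.
SIG_NARROW='bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|/dev/f[^u]|^/bin/.*sh'

# rc_trojan_scan FILE REGEX
# Prints every printable-ASCII string (4+ chars) in FILE that matches REGEX.
# Exit 0 when something matched (rootcheck would alert), 1 when clean.
rc_trojan_scan() {
  # turn every byte outside 0x20-0x7e into a newline, keep runs of 4+ chars,
  # then apply the signature to each string
  LC_ALL=C tr -c '\040-\176' '\n' < "$1" |
    LC_ALL=C grep -E '^.{4,}$' |
    LC_ALL=C grep -E -- "$2"
}

# rc_verify_package FILE
# The distro-side integrity check ("the checksum seems fine"): find the
# package that owns FILE and verify its installed files against package data.
rc_verify_package() {
  _f=$(readlink -f "$1")
  if command -v pacman >/dev/null 2>&1; then        # Arch
    _p=$(pacman -Qoq "$_f") && pacman -Qkk "$_p"
  elif command -v dpkg >/dev/null 2>&1; then        # Debian, Ubuntu, Mint
    _p=$(dpkg -S "$_f" | head -n 1 | cut -d: -f1) && dpkg -V "$_p"
  elif command -v rpm >/dev/null 2>&1; then         # Fedora, RHEL
    _p=$(rpm -qf "$_f") && rpm -V "$_p"
  else
    echo "rc_verify_package: no supported package manager found" >&2
    return 2
  fi
}

# Constructed stand-in for a genuine diff: ELF-like header, ordinary strings,
# and the '/dev/full' reference that trips the stock signature.
make_sample_diff() {
  printf '\177ELF\002\001\001\0\0/dev/full\0/dev/null\0GNU diffutils\0--ignore-all-space\0' > "$1"
}

# Constructed stand-in for a trojaned binary: shells out and reads /dev/fd/0.
make_sample_trojan() {
  printf '\177ELF\002\001\001\0\0/bin/bash -c\0/dev/fd/0\0' > "$1"
}

# rc_report FILE: one line per candidate signature, with the strings that hit.
rc_report() {
  for _name in STOCK FSTRUBE NARROW; do
    eval "_sig=\$SIG_$_name"
    if _hits=$(rc_trojan_scan "$1" "$_sig"); then
      printf '%-6s %-8s ALERT  %s\n' "${1##*/}" "$_name" "$(printf '%s' "$_hits" | tr '\n' ' ')"
    else
      printf '%-6s %-8s clean\n' "${1##*/}" "$_name"
    fi
  done
}

tmpdir=$(mktemp -d)
make_sample_diff "$tmpdir/diff"
make_sample_trojan "$tmpdir/evil"
rc_report "$tmpdir/diff"   # STOCK alerts on /dev/full; FSTRUBE and NARROW are clean
rc_report "$tmpdir/evil"   # all three alert on bash; only STOCK and NARROW also flag /dev/fd/0
rm -rf "$tmpdir"
```

On a real host, `rc_trojan_scan /usr/bin/diff "$SIG_STOCK"` shows which string caused the alert, and `rc_verify_package /usr/bin/diff` confirms the binary is the one the package manager installed before any signature is loosened.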

Any update on this?

ngisvold (Mar 20 '23 00:03)

This is still happening on Linux Mint 21

{
  "timestamp": "2023-03-19T14:54:44.046+0000",
  "rule": {
    "level": 7,
    "description": "Host-based anomaly detection event (rootcheck).",
    "id": "510",
    "firedtimes": 2,
    "mail": true,
    "groups": [ "ossec", "rootcheck" ],
    "gdpr": [ "IV_35.7.d" ]
  },
  "agent": { "id": "027", "name": "Mint21", "ip": "192.168.1.19" },
  "manager": { "name": "secon-server-wazuh-manager" },
  "id": "1679237684.3782962",
  "full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
  "decoder": { "name": "rootcheck" },
  "data": { "title": "Trojaned version of file detected.", "file": "/usr/bin/diff" },
  "location": "rootcheck"
}

ll3N1GmAll (Mar 20 '23 08:03)

I never got any responses to the PR, but I've merged it. Hopefully it helps.

ddpbsd (Mar 20 '23 13:03)

Still happening on macOS as well.

fuomag9 (Mar 20 '23 16:03)

Happening on Debian 11 with Wazuh v4.3.10

troublestarter (Mar 22 '23 22:03)

Wazuh 4.4.0 and still happening... Ubuntu 22.04 arm64.

Practicalbutterfly5 (Mar 29 '23 01:03)

Same here

serfermorhc (Apr 20 '23 15:04)

Can confirm, same here; latest version of Wazuh.

y0d4a (Apr 26 '23 07:04)

Same, Wazuh 4.4.1 and Ubuntu Server minimal 22.04 (all updates).

Any News?

pleibling (May 16 '23 09:05)

I have this issue with /usr/bin/mail on RHEL 9 and Wazuh 4.4.1.

titleistfour (May 24 '23 16:05)

Wanted to leave an update.

wazuh-manager version 4.4.5
wazuh-agent version 4.4.5

Files indicated: /bin/diff, /usr/bin/diff

Signature used: bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh

Going to try fstrube's edit to rootkit_trojans.txt.

gand0rf (Jul 21 '23 22:07)

Receiving the same.

wazuh-manager version 4.4.5 running on an Ubuntu 22.04.2 LTS virtual machine. wazuh-agent version 4.4.5 also running on an Ubuntu 22.04.2 LTS virtual machine (different VM from above).

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

iNimbleSloth (Jul 25 '23 15:07)

Receiving the same on Debian 12.1 with wazuh-agent 4.5.0.

kayo77 (Aug 25 '23 07:08)

I think nobody is working on this...

troublestarter (Aug 25 '23 07:08)

Getting the same notification on Debian 12, wazuh 4.5.1

arf20 (Aug 25 '23 14:08)

In lieu of a proper fix, this will silence the alert from Wazuh on Debian/Ubuntu:

sudo vi /var/ossec/etc/rules/local_rules.xml

Add something like:

<group name="rootcheck,ossec,">
  <rule id="510" level="0" overwrite="yes">
    <match>/bin/diff</match>
    <description>Ignore 510 rootcheck on /bin/diff</description>
  </rule>
</group>

Test the changes:

sudo /var/ossec/bin/wazuh-analysisd -t

If it looks good restart:

sudo systemctl restart wazuh-manager.service

33b5e5 (Aug 29 '23 08:08)
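A more narrowly scoped variant of the workaround above, added here as an example; it is not a stock Wazuh rule. In the stock ruleset rule 510 is a child of rule 509 (the generic rootcheck rule) and is the alert through which every rootcheck finding surfaces; overwrite="yes" replaces that whole definition, including the parent link, so the overwritten version changes what 510 means for every host and every file, not only for diff. A level-0 child rule leaves 510 untouched and silences only the diff paths reported in this thread. The ID 100510 is an arbitrary pick from the local range 100000-120000, and the match string assumes the rootcheck message quotes the path in single quotes, as the logs above show:

```xml
<group name="local,rootcheck,">
  <!-- Added example, not a stock Wazuh rule. Child of rule 510: it takes over
       only for the diff binaries named in this thread and drops them to
       level 0, so 510 keeps alerting for every other rootcheck finding.
       IDs 100000-120000 are reserved for local rules. -->
  <rule id="100510" level="0">
    <if_sid>510</if_sid>
    <!-- substring match: covers /bin/diff, /sbin/diff, /usr/bin/diff and
         /usr/sbin/diff, and nothing else -->
    <match>/diff' detected</match>
    <description>Known false positive: diffutils references /dev/full (rootcheck rule 510 on diff)</description>
    <group>false_positive,</group>
  </rule>
</group>
```

Drop this into /var/ossec/etc/rules/local_rules.xml instead of the overwrite block, run the same `wazuh-analysisd -t` check and restart as above. A trojan report for any other file still fires 510 at level 7; a report for diff is now classified as 100510 at level 0 and produces no alert.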

Hi @33b5e5

Thanks for the workaround.

But it disables the check on /bin/diff?

It would be great if it worked as expected :)

Thanks again, that said.

troublestarter (Aug 29 '23 08:08)

Is there any news about this?

earthyfort (Sep 18 '23 02:09)

Same on Ubuntu 23: Trojaned version of file detected. Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

dibu28 (Sep 19 '23 08:09)

I have the same thing on U22 with Wazuh v4.5.2: Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

vinsk0h (Sep 21 '23 18:09)

Same issue with Agent v4.5.2 and Debian 12.

0xr00tx (Oct 03 '23 08:10)