False positive "Trojaned version of file '/bin/diff' detected" on Archlinux #2020

Closed
tiiiecherle opened this issue Oct 24, 2021 · 53 comments

Comments

@tiiiecherle

tiiiecherle commented Oct 24, 2021

Hey Ossec Team,

With the latest version of diffutils (3.8-1) installed, OSSEC reports a trojaned version of a few files.

OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).



--END OF NOTIFICATION



OSSEC HIDS Notification.
2021 Oct 22 10:22:02

Received From: archvbox->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/usr/sbin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

I opened an issue at the archlinux bug tracker here:
https://bugs.archlinux.org/task/72519#comment203202

When testing the files against the VirusTotal database, nothing suspicious is reported and the checksum seems fine.

Changing the diff line in rootkit_trojans.txt to diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh! solves the reporting.

I assume it is a false positive, and after confirming this, rootkit_trojans.txt should be changed.

Thanks in advance

@RonV666

RonV666 commented Nov 14, 2021

Same for Fedora 35.
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

@MKPlato

MKPlato commented Sep 7, 2022

Any updates on this issue? The bug still exists now.

ddpbsd added a commit to ddpbsd/ossec-hids that referenced this issue Sep 7, 2022
/bin/diff returns /dev/full on fedora, so remove the /dev check
@ddpbsd
Member

ddpbsd commented Sep 7, 2022

Please test PR #2062
I think it will handle this.

@rileyjnevins

Just experienced this issue on several Ubuntu hosts of mine:

  | manager.name | wazuh
  | rule.firedtimes | 8
  | rule.mail | false
  | rule.level | 7
  | rule.pci_dss | 10.6.1
  | rule.description | Host-based anomaly detection event (rootcheck).
  | rule.groups | ossec, rootcheck
  | rule.id | 510
  | rule.gdpr | IV_35.7.d
  | decoder.name | rootcheck
  | full_log | Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
  | location | rootcheck

@SedonD

SedonD commented Dec 31, 2022

I agree with the others, we are experiencing this:
(Ubuntu 22.04 server)

Wazuh Alert: 'Host-based anomaly detection event (rootcheck).'

DETAILS
Description: 'Host-based anomaly detection event (rootcheck).' Log: 'Trojaned version of file /usr/bin/diff detected. Signature used: bash ^/bin/sh file/.h proc/.h /dev/[^n] ^/bin/.*sh (Generic).' Rule: '510' location: 'rootcheck'

@kamalmjt

kamalmjt commented Jan 1, 2023

Same problem.

{
"agent": {
"ip": "xxx",
"name": "xxx",
"id": "004"
},
"manager": {
"name": "xxxx"
},
"data": {
"file": "/bin/diff",
"title": "Trojaned version of file detected."
},
"rule": {
"firedtimes": 1,
"mail": false,
"level": 7,
"pci_dss": [
"10.6.1"
],
"description": "Host-based anomaly detection event (rootcheck).",
"groups": [
"ossec",
"rootcheck"
],
"id": "510",
"gdpr": [
"IV_35.7.d"
]
},
"decoder": {
"name": "rootcheck"
},
"full_log": "Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
"input": {
"type": "log"
},
"@timestamp": "2023-01-01T08:20:04.988Z",
"location": "rootcheck",
"id": "1672561204.10642855",
"timestamp": "2023-01-01T08:20:04.988+0000",
"_id": "nU9qbIUBLJew7AZ0p-A5"
}

@Practicalbutterfly5

Too many notifications of this

@lemogra

lemogra commented Feb 3, 2023

This issue still continues, as below:
Wazuh Notification.
2023 Feb 03 14:41:32

Received From: siem1->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
title: Trojaned version of file detected.
file: /bin/diff

@fstrube

fstrube commented Feb 6, 2023

I think the issue may be due to a reference to /dev/full in the diff executable.

# strings /bin/diff | grep /dev/[^n]
/dev/full

I made a change in /var/ossec/etc/shared/rootkit_trojans.txt to the following line to see if that fixes the issue:

-diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh!
+diff        !bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|^/bin/.*sh!
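Review bot: the `+` line's `/dev/[^nf]` class exempts every `/dev/f...` path from the check, not only the `/dev/full` string that `strings` turned up above, so the exclusion is wider than the evidence supports; POSIX ERE has no negative lookahead to express "not /dev/full" directly, so if the intent is to whitelist exactly that string, record the reason alongside the rule in rootkit_trojans.txt so the widened class is not mistaken for the original intent later.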

@ngisvold

Any update on this?

@ll3N1GmAll

This is still happening on Linux Mint 21

"timestamp":"2023-03-19T14:54:44.046+0000","rule":{"level":7,"description":"Host-based anomaly detection event (rootcheck).","id":"510","firedtimes":2,"mail":true,"groups":["ossec","rootcheck"],"gdpr":["IV_35.7.d"]},"agent":{"id":"027","name":"Mint21","ip":"192.168.1.19"},"manager":{"name":"secon-server-wazuh-manager"},"id":"1679237684.3782962","full_log":"Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).","decoder":{"name":"rootcheck"},"data":{"title":"Trojaned version of file detected.","file":"/usr/bin/diff"},"location":"rootcheck"}

ddpbsd added a commit that referenced this issue Mar 20, 2023
@ddpbsd
Member

ddpbsd commented Mar 20, 2023

I never got any responses to the PR, but I've merged it. Hopefully it helps.

@fuomag9

fuomag9 commented Mar 20, 2023

Still happening to macOS as well

@troublestarter

Happening on Debian 11 with Wazuh v4.3.10

@Practicalbutterfly5

Wazuh 4.4.0 and still happening ....
Ubuntu 22.04 arm64

@serfermorhc

Same here

@y0d4a

y0d4a commented Apr 26, 2023

can confirm same, latest ver. of wazuh

@pleibling

Same, Wazuh 4.4.1 and Ubuntu Server minimal 22.04 (all updates).

Any News?

@titleistfour

I have this issue with /usr/bin/mail on RHEL 9 and Wazuh 4.4.1.

@gand0rf

gand0rf commented Jul 21, 2023

Wanted to leave an update.
wazuh-manager version 4.4.5
wazuh-agent version 4.4.5

Files Indicated:
/bin/diff
/usr/bin/diff

Signature used:
bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh

Going to try fstrube's edit to rootkit_trojans.txt

@iNimbleSloth

Receiving the same.

wazuh-manager version 4.4.5 running on an Ubuntu 22.04.2 LTS virtual machine.
wazuh-agent version 4.4.5 also running on an Ubuntu 22.04.2 LTS virtual machine (different VM from above).

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

@kayo77

kayo77 commented Aug 25, 2023

Receiving the same.
on Debian 12.1 with wazuh-agent 4.5.0

@troublestarter

I think nobody works on this ...

@arf20

arf20 commented Aug 25, 2023

Getting the same notification on Debian 12, wazuh 4.5.1

@33b5e5

33b5e5 commented Aug 29, 2023

In lieu of a proper fix, this will silence the alert from Wazuh on Debian/Ubuntu:

sudo vi /var/ossec/etc/rules/local_rules.xml

Add something like:

<group name="rootcheck,ossec,">
  <rule id="510" level="0" overwrite="yes">
    <match>/bin/diff</match>
    <description>Ignore 510 rootcheck on /bin/diff</description>
  </rule>
</group>

Test the changes:

sudo /var/ossec/bin/wazuh-analysisd -t

If it looks good restart:

sudo systemctl restart wazuh-manager.service

@troublestarter

Hi @33b5e5

Thanks for the workaround.

But it disables the check on /bin/diff?

It would be great if it worked as expected :)

Thanks again that said

@earthyfort

Is there any news about this?

@dibu28

dibu28 commented Sep 19, 2023

same on Ubuntu 23
Trojaned version of file detected.
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

@vinsk0h

vinsk0h commented Sep 21, 2023

I have the same thing on U22 with Wazuh v4.5.2
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh' (Generic).

@0xr00tx

0xr00tx commented Oct 3, 2023

Same issue with Agent v4.5.2 and Debian 12

@lpingree

lpingree commented Oct 5, 2023

Seeing this on several of my linux machines.

@moivica

moivica commented Oct 6, 2023

Same issue active - ubuntu 23.04

@sjansen1

Seeing this on my Proxmox Hosts (based on Debian 12 Bookworm)

@edxz101

edxz101 commented Oct 16, 2023

Same issue on Ubuntu 22.04 (at the date).

@pld0vr

pld0vr commented Oct 17, 2023

Also seeing this

@pthoelken

Still exists, please fix this ugg.

@alexeiol

alexeiol commented Nov 2, 2023

2 years later this bug is still unfixed! I'm getting the same alert in Debian Bookworm and Ossec v3.7.0:

OSSEC HIDS Notification.
2023 Nov 02 12:18:09

Received From: debianvaio->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

--END OF NOTIFICATION

Looking at the bright side, it is good to know this is a false positive.

@ddpbsd
Member

ddpbsd commented Nov 2, 2023

This has been fixed in tree for a while. I'm kind of regretting it though, it's easy enough to fix with an ignore rule. Right now if diff is trojaned and has a reference to /dev on a non-linux system it won't be caught.
Here's the current definition though:
diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!
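To make fstrube's diagnosis (diff contains the string `/dev/full`, which `/dev/[^n]` matches) and the three signature variants in this thread concrete, here is an added example. It is not OSSEC's or Wazuh's own code and was not posted by anyone in this thread: it emulates the rootcheck trojan check by extracting printable strings from a byte blob the way `strings` does and running each signature over them as a regular expression (Python `re` is used instead of OSSEC's matcher; these particular patterns are plain extended-regex syntax). The ELF-like blobs `CLEAN_DIFF` and `TAMPERED_DIFF` are constructed sample inputs, not real binaries, and `extract_strings` and `signature_hits` are names chosen here. It goes slightly beyond the thread by running the original, fstrube's and the merged signature side by side on both inputs.

```python
import re

# The three signature variants quoted in this thread (the regex part of the
# "diff  !...!" line in rootkit_trojans.txt).
SIG_ORIGINAL = r"bash|^/bin/sh|file\.h|proc\.h|/dev/[^n]|^/bin/.*sh"   # fires on /dev/full
SIG_FSTRUBE = r"bash|^/bin/sh|file\.h|proc\.h|/dev/[^nf]|^/bin/.*sh"   # fstrube's local edit
SIG_MERGED = r"bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh"               # definition ddpbsd quotes

# Constructed sample inputs (not real binaries). Printable strings are
# separated by NUL bytes, as they would be in an ELF .rodata section.
CLEAN_DIFF = b"\x7fELF\x02\x01\x01\x00" + b"\x00".join([
    b"GNU diffutils 3.8",
    b"/dev/full",      # the legitimate reference fstrube found with `strings`
    b"/dev/null",      # explicitly allowed by the original /dev/[^n] alternative
    b"--unified",
]) + b"\x00"

TAMPERED_DIFF = b"\x7fELF\x02\x01\x01\x00" + b"\x00".join([
    b"GNU diffutils 3.8",
    b"/bin/sh",                # what the ^/bin/sh alternative is meant to catch
    b"/usr/include/proc.h",    # what the proc\.h alternative is meant to catch
]) + b"\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Emulate `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def signature_hits(data: bytes, signature: str) -> list[str]:
    """Return the printable strings that the signature regex matches.

    An empty list means rootcheck would not flag the file under this
    signature; any hit produces the "Trojaned version of file" alert.
    """
    regex = re.compile(signature)
    return [s for s in extract_strings(data) if regex.search(s)]


def evaluate(signature: str) -> dict[str, list[str]]:
    """Run one signature over both constructed samples."""
    return {
        "clean": signature_hits(CLEAN_DIFF, signature),
        "tampered": signature_hits(TAMPERED_DIFF, signature),
    }


if __name__ == "__main__":
    for name, sig in [("original", SIG_ORIGINAL),
                      ("fstrube", SIG_FSTRUBE),
                      ("merged", SIG_MERGED)]:
        result = evaluate(sig)
        print(f"{name:9s} clean={result['clean']} tampered={result['tampered']}")
```

Against the clean sample, only the original signature produces a hit (`/dev/full`); both fixed variants stay quiet, and all three still flag the tampered sample through the `^/bin/sh` and `proc\.h` alternatives, which is the property ddpbsd's comment is weighing: the merged definition keeps those checks but gives up any `/dev` reference as evidence. On a real host the equivalent one-off check is fstrube's `strings /bin/diff | grep -E '/dev/[^n]'`.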

@alexeiol

alexeiol commented Nov 2, 2023

This has been fixed in tree for a while. I'm kind of regretting it though, it's easy enough to fix with an ignore rule. Right now if diff is trojaned and has a reference to /dev on a non-linux system it won't be caught. Here's the current definition though: diff !bash|^/bin/sh|file\.h|proc\.h|^/bin/.*sh!

But this "fix" is not really a "fix" because... What if 'diff' ever becomes legitimately infected? People install security software because they have legitimate security concerns. A false positive detection is a bug in the software and that's what should be fixed.

@ddpbsd
Member

ddpbsd commented Nov 2, 2023 via email

@JackThird

same here, ubuntu server 22.04, wazuh 4.5.4

@moivica

moivica commented Nov 9, 2023

Same problem: Wazuh v 4.6.0
Ubuntu 23.04

@Dmitry-Ge

Debian 12 , ossec-hids-agent_3.7.0-29672bookworm_amd64.deb - same problem.

@jdmedeiros

Same problem: AWS AL2023
Linux xxxxxxxxxxx 6.1.59-84.139.amzn2023.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 24 20:57:25 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
{"error":0,"data":[{"WAZUH_VERSION":"v4.6.0"},{"WAZUH_REVISION":"40603"},{"WAZUH_TYPE":"server"}]}

@markgabrang

Same on Ubuntu 22.04 hosts, v4.6.0

"decoder": {
  "name": "rootcheck"
},
"id": "1699540605.90066869",
"full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).",
"timestamp": "2023-11-09T14:36:45.727+0000"

@RandomUser0815

RandomUser0815 commented Nov 16, 2023

Same on Ubuntu 22.04, Wazuh v4.5.3

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).
Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

@kawaiipantsu

Bump ... Still issue!

@pisarz77

same on current debian 12

@redrubytech

Bump. still same issue on Ubuntu 22.04 with Wazuh 4.6

@iXvXi

iXvXi commented Dec 3, 2023

Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

This event is on my host Wazuh server running Ubuntu 22.04.3 LTS

@dariosusman

dariosusman commented Dec 4, 2023

This is also happening on Debian Bookworm. I've checked with other installations and the hash is correct.

4de429713337777f44e9ef340176c2f1818c2fcfe0204ab27277595ff97dab77  /bin/diff
# sha256sum /usr/bin/diff
4de429713337777f44e9ef340176c2f1818c2fcfe0204ab27277595ff97dab77  /usr/bin/diff

Relevant Wazuh/OSSEC log:

"full_log": "Trojaned version of file '/usr/bin/diff' detected. Signature used: 'bash|^/bin/sh|file\\.h|proc\\.h|/dev/[^n]|^/bin/.*sh' (Generic).", "decoder": {"name": "rootcheck"}, "data": {"title": "Trojaned version of file detected.", "file": "/usr/bin/diff"}, "location": "rootcheck"

I'm currently using Wazuh 4.7.0.

@duckietm

duckietm commented Dec 5, 2023

same here 4.7.0. with ubuntu 22.04

Trojaned version of file '/bin/diff' detected. Signature used: 'bash|^/bin/sh|file.h|proc.h|/dev/[^n]|^/bin/.*sh' (Generic).

@atomicturtle
Member

This is corrected in the main branch; to update you can use:

  1. OUM users: update your signatures with: oum -u
  2. Manual: copy https://github.com/ossec/ossec-hids/blob/master/src/rootcheck/db/rootkit_trojans.txt to /var/ossec/etc/shared/ on your hub server.
  3. upgrade from source out of master

@ossec ossec locked as resolved and limited conversation to collaborators Dec 5, 2023