yes, will try it out later today! thanks!

On Tue, May 18, 2010 at 7:01 AM, Daniel Cid <daniel....@gmail.com> wrote:
> Hi Charlie,
>
> Thanks! Just fixed on the latest snapshot:
>
> http://www.ossec.net/files/snapshots/
>
> Can you give it a try?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Fri, May 14, 2010 at 3:58 PM, Charlie <cmee...@gmail.com> wrote:
> > :~$ strings /bin/login | grep -E 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'
> > /bin/bash
> > /bin/bash
> >
> > On Fri, May 14, 2010 at 12:51 PM, Daniel Cid <daniel....@gmail.com> wrote:
> >>
> >> Hey,
> >>
> >> Yes, it seems a false positive. Can someone with this problem run
> >>
> >> strings /bin/login | grep -E 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk'
> >>
> >> That will show us which part of the signature is wrong.
> >>
> >> Thanks,
> >>
> >> --
> >> Daniel B. Cid
> >> dcid ( at ) ossec.net
> >>
> >> On Wed, May 12, 2010 at 1:42 PM, grape <st...@nugoat.com> wrote:
> >> > I had the same alert as you did. Found the following thread:
> >> > http://art.ubuntuforums.org/showthread.php?t=1465667
> >> > Hope it helps.
> >> >
> >> > Steve
> >> >
> >> > On May 3, 1:43 pm, Charlie <cmee...@gmail.com> wrote:
> >> >> anyone else seeing this?
> >> >>
> >> >> Received From: Nyar->rootcheck
> >> >> Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> >> >> Portion of the log(s):
> >> >>
> >> >> Trojaned version of file '/bin/login' detected. Signature used: 'bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk' (Generic).
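
The `strings | grep -E` diagnostic from the thread above, broken down per alternative so it reports which part of the signature fires. This is an added example, not part of the original thread and not OSSEC's own code. The function names and the embedded sample bytes are constructed for illustration, and the split on `|` assumes a flat alternation like the one in the alert.

```python
import re
import sys

# Signature string quoted in the rootcheck alert in the thread above.
SIGNATURE = "bash|elite|SucKIT|xlogin|vejeta|porcao|lets_log|sukasuk"


def printable_strings(data, min_len=4):
    """Yield runs of printable ASCII (plus tab), like strings(1) with -n 4."""
    for m in re.finditer(rb"[\t\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def matches_by_alternative(data, signature=SIGNATURE):
    """Return {alternative: [matching strings]} for a flat 'a|b|c' signature.

    Assumption: the signature has no grouping or escaped '|', so splitting
    on '|' yields the same sub-patterns grep -E would try.
    """
    strings = list(printable_strings(data))
    hits = {}
    for alt in signature.split("|"):
        pattern = re.compile(alt)
        found = [s for s in strings if pattern.search(s)]
        if found:
            hits[alt] = found
    return hits


# Constructed sample bytes (not a real /bin/login): a binary that merely
# references the default shell path, as a legitimate login program can.
SAMPLE = (b"\x7fELF\x02\x01\x00/bin/bash\x00login: \x00\x01\x02"
          b"/bin/bash\x00Password: \x00")


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for alt, found in matches_by_alternative(data).items():
        print(f"{alt!r} matched {len(found)} string(s): {sorted(set(found))}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass a file path as the first argument to inspect a file on the host instead of the embedded sample.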