
I have installed the latest stable version of OSSEC (2.8.1) and enabled email notifications. Today I got this alert by email:

OSSEC HIDS Notification.
2015 Apr 03 17:40:26

Received From: Bath-Towel->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Trojaned version of file '/bin/egrep' detected. Signature used: 'bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh' (Generic).

 --END OF NOTIFICATION

Is this something to worry about, and if so then what should I do about it?

Information Update:

This is the contents of the file /bin/egrep:

#!/bin/bash
grep=grep
case $0 in
  */*)
    dir=${0%/*}
    if test -x "$dir/grep"; then
      PATH=$dir:$PATH
      grep=grep
    fi;;
esac
exec $grep -E "$@"

OS Information:

Description:    Ubuntu 14.10
Release:    14.10

1 Answer

I have OSSEC installed on some 14.04 servers, but I never got such notification.

It turns out that up to Ubuntu 14.04 /bin/egrep is an ELF executable, but in 14.10 and later it is a shell script. OSSEC has probably not been updated yet to reflect this change.

Eric Carvalho
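As an added example that is not part of the original question or answer, and not OSSEC's own code: the shell script below replays the "Generic" signature quoted in the alert against the 14.10 egrep wrapper, one alternative at a time and line by line, using grep -E as a stand-in for OSSEC's own regex engine (an assumption: for this particular signature the two agree). It then runs the check that actually settles whether a flagged file was tampered with, a comparison against a manifest in the dpkg .md5sums layout. The sample egrep file, the manifest and the tampered copy are all constructed inside the script.

```shell
#!/bin/sh
# Added example (not OSSEC's code, not from the original post).
# Part 1 replays rootcheck's "Generic" trojan signature from the alert
# against a file, alternative by alternative, with grep -E standing in for
# OSSEC's regex engine (assumption: they agree for this signature).
# Part 2 compares the file with the hash a package manifest records for it.

SIG='bash|^/bin/sh|file\.h|proc\.h|/dev/|^/bin/.*sh'

# rootcheck_match FILE: print "match: <alternative>" for every alternative
# of SIG found on some line of FILE; return 0 if any matched, 1 otherwise.
rootcheck_match() {
    file=$1
    hit=1
    set -f                      # no globbing of '.*' while splitting on '|'
    IFS='|'; set -- $SIG; unset IFS
    set +f
    for alt in "$@"; do
        if grep -E -q -- "$alt" "$file"; then
            echo "match: $alt"
            hit=0
        fi
    done
    return $hit
}

# verify_md5sums MANIFEST FILE: MANIFEST uses the dpkg .md5sums layout
# ("<md5>  <path without leading />"). Return 0 on match, 1 on mismatch,
# 2 if FILE is not listed in the manifest at all.
verify_md5sums() {
    manifest=$1; file=$2
    rel=${file#/}
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$manifest")
    [ -n "$expected" ] || { echo "not in manifest: $file"; return 2; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$expected" = "$actual" ]; then
        echo "ok: $file"
    else
        echo "MISMATCH: $file (manifest $expected, on disk $actual)"
        return 1
    fi
}

# --- constructed sample data: the 14.10 /bin/egrep wrapper from the post,
# a hand-built manifest covering it, and a tampered copy ---
demo=$(mktemp -d)
mkdir -p "$demo/bin"
cat > "$demo/bin/egrep" <<'EOF'
#!/bin/bash
grep=grep
case $0 in
  */*)
    dir=${0%/*}
    if test -x "$dir/grep"; then
      PATH=$dir:$PATH
      grep=grep
    fi;;
esac
exec $grep -E "$@"
EOF
printf '%s  %s\n' "$(md5sum "$demo/bin/egrep" | cut -d' ' -f1)" \
    "${demo#/}/bin/egrep" > "$demo/grep.md5sums"
cp "$demo/bin/egrep" "$demo/bin/egrep.tampered"
echo '# tampered' >> "$demo/bin/egrep.tampered"   # one extra line is enough

echo "== signature replay on the 14.10 wrapper =="
rootcheck_match "$demo/bin/egrep" || echo "no alternative matched"
echo "== manifest check =="
verify_md5sums "$demo/grep.md5sums" "$demo/bin/egrep" || true
verify_md5sums "$demo/grep.md5sums" "$demo/bin/egrep.tampered" || true
```

Running it shows that the only alternative that fires on the wrapper is `bash`, matched on the `#!/bin/bash` shebang line; the signature is written for a native binary, where the string "bash" has no business appearing. On the real host the equivalent of the manifest check is `dpkg -S /bin/egrep` to confirm which package owns the file (grep) and `dpkg -V grep` (or `cd / && md5sum -c /var/lib/dpkg/info/grep.md5sums`) to compare every file of that package with its recorded checksum. A clean result for bin/egrep is the evidence that this is the false positive the answer describes; a mismatch there would be the point at which to treat the alert as real. The file-to-signature mapping itself lives in OSSEC's rootcheck_trojans.txt, which is where the egrep entry can be adjusted once the host has been verified.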