Possible false positive in Debian Stretch

[KALRONG]

Hi,

I have been receiving the following alert:

Host-based anomaly detection event (rootcheck).
Trojaned version of file '/bin/grep' detected. Signature used: 'bash|givemer|/dev/' (Generic).

I have tested in the server the following command:
strings /bin/grep | grep -E 'bash|givemer|/dev/'

With the result:
/dev/null

I have been looking around worried that may be a hack but so far chkrootkit and other tests doesn't show this positive.

I was wondering if this may be a false positive from ossec side.

Thanks in advance!

[KALRONG]

To give more reasons as why it seems to be a false positive:

root@kserv:/var/ossec/bin# debsums grep
/bin/egrep OK
/bin/fgrep OK
/bin/grep OK
/usr/bin/rgrep OK
/usr/share/doc/grep/copyright OK
/usr/share/locale/de/LC_MESSAGES/grep.mo OK
/usr/share/locale/es/LC_MESSAGES/grep.mo OK
/usr/share/locale/fr/LC_MESSAGES/grep.mo OK
/usr/share/locale/ja/LC_MESSAGES/grep.mo OK
/usr/share/locale/zh_CN/LC_MESSAGES/grep.mo OK
/usr/share/locale/zh_TW/LC_MESSAGES/grep.mo OK

[MagnusMWW]

Very likely a FP. I've checked a few of my own machines:

Archlinux: strings /bin/grep | grep -E 'bash|givemer|/dev/' returns "/dev/null", as in your example from Debian.
Centos7: strings /bin/grep | grep -E 'bash|givemer|/dev/' returns nothing.

Archlinux has grep 2.27, while Centos 7 has 2.20, so likely this is something that exists in newer versions of GNU-grep. I would expect that Stretch has a newer version than Centos 7 as well.

Given that it is a while ago you submitted this, I guess you've already resolved this some way or the other though.

[StasGoshtein]

+1 Debian Stretch, Grep 2.27

[Averroes]

Probably false positive
apt purge grep&&apt clean&&apt install grep
I uninstalled grep (apt purge ) and reinstalled it.

Result:
Same cheksum, same size, same version

md5sum /bin/grep
3ff5cbd47b2c25c9be0e505aefc60cd8 /bin/grep

cat /etc/debian_version
9.1

sudo strings /bin/grep | grep -E 'bash|givemer|/dev/'
/dev/null

[nbuuck]

The pattern in use was introduced in the first commit of rootkit_trojans.txt, 83ecf6c. It is not consistent with the pattern used by chkrootkit, GREP_INFECTED_LABEL="givemer". There's evidence of Gentoo and Ubuntu users encountering this false positive on those distros' user forums.

src/grep.c:2807:          if (stat ("/dev/null", &null_stat) == 0

This was added to grep on 2016-05-01 22:56:39 -0700 in af6af288, impacting systems with grep 2.26 and later.

As grep now legitimately contains a string including the characters /dev/, I think a PR to remove that part of the pattern for this rootcheck is warranted.

ossec-hids/src/rootcheck/db/rootkit_trojans.txt

Line 45 in 1c4e812

grep !bash|givemer|/dev/!