This repository has been archived by the owner on Jul 14, 2023. It is now read-only.

Ver 1.3 finding evidence of itself causing false positive #24

Closed
evilsibling opened this issue Feb 17, 2020 · 1 comment

Comments


evilsibling commented Feb 17, 2020

Ran ver1.3 against a Netscaler. The first time it ran it showed "Evidence of compromise found: No" and no other indications of compromise in the output.

However the second time I ran the scanner against the same system it returned "Evidence of compromise found: Yes" and the output showed signs of evidence of NOTROBIN.

The more times I ran ver1.3 against the system the more lines of evidence of NOTROBIN would appear.

All log entries showing evidence of NOTROBIN had a timestamp of the exact day and time I ran the scan; there were no log entries showing evidence of NOTROBIN prior to the day I ran the scan.

The "evidence" of compromise that it finds looks to be exactly the code of the function 'scan_fs_notrobin()' from the script file ./scanners/fs-paths.sh

Running ver1.2 against the same system showed no signs of compromise.

All of this leads me to the conclusion that ver 1.3 has a bug which is causing false positives.

**********************************************************************
MATCH: blacklisted content '/tmp/.init/httpd'
Found evidence of potential compromise.
You should consider performing a forensic investigation of the system.
**********************************************************************
matches for '/tmp/.init/httpd':
///var/log/bash.log:Feb 17 04:30:39 <local7.notice> sydalx-dmzns01 bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false; for notrobin_path in "${notrobin_paths[@]}"; do     if [ -f "$root_directory/$notrobin_path" ]; then         found=true; report_match "$notrobin_path, known path to NOTROBIN artifact.";     fi; done"
///var/log/bash.log:Feb 17 04:30:39 <local7.notice> sydalx-dmzns01 bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
///var/log/bash.log:Feb 17 04:30:39 <local7.notice> sydalx-dmzns01 bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[0]="/var/nstmp/.nscache/httpd"; notrobin_paths[1]="/tmp/.init/httpd""
Please review the above shell history entries for unexpected activity.
They match signatures commonly associated with post-exploitation;
however, this may overlap with legitimate system administration.
If you recognize the commands as something you typed, then you can probably ignore them.
For example, reviewing '/etc/passwd' to manage users may be valid in your environment.
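The mechanism the report describes is worth seeing in isolation: the NetScaler shell writes every executed command to /var/log/bash.log, the scanner's `scan_fs_notrobin()` carries the NOTROBIN paths as plain string literals, so the act of scanning deposits those literals into the log, and every later run (and v1.3's log check) matches the scanner's own footprint. The script below is an added illustration, not code from the ioc-scanner repository and not necessarily what #25 changed. The three log lines are constructed from the output quoted above (hostname shortened, one genuine operator command added), and both mitigations are assumptions about how a scanner could avoid self-matching: keep the indicator out of the script as a literal by decoding it at run time, and drop log entries that are recognisably the scanner's own invocation before matching.

```shell
#!/bin/sh
# Added example (not part of the ioc-scanner repository): reproduce the self-match
# described in this issue and show one way to avoid it. Everything here is
# constructed for illustration; it is not the change made in #25.

# Constructed excerpt of /var/log/bash.log, modelled on the report above: two
# lines are the scanner's own function body being logged (the IoC appears inside
# shell_command=...), the third is a genuine operator command touching the path.
SAMPLE_LOG='Feb 17 04:30:39 <local7.notice> host bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[1]="/tmp/.init/httpd"; local found=false"
Feb 17 04:30:39 <local7.notice> host bash[13793]: (null) on /dev/pts/0 shell_command="declare -a notrobin_paths; notrobin_paths[1]="/tmp/.init/httpd""
Feb 12 22:10:01 <local7.notice> host bash[20114]: (null) on /dev/pts/1 shell_command="ls -la /tmp/.init/httpd"'

# The v1.3 behaviour in miniature: the indicator is a plain literal in the script,
# so the scanner's own logged commands satisfy the grep. Prints the match count.
naive_matches() {
  printf '%s\n' "$SAMPLE_LOG" | grep -c -F -- '/tmp/.init/httpd'
}

# Mitigation A (an assumption, one of several possible designs): never write the
# indicator as a literal. Store it as octal byte values and decode it at run time,
# so a command logger records only the encoded form, which no later scan matches.
ioc_from_octal() {
  # $1 is a string of 3-digit octal groups; sed turns "057164" into "\057\164",
  # which printf interprets as the corresponding bytes. No IoC literal appears here.
  printf "$(printf '%s' "$1" | sed 's/.../\\&/g')"
}
NOTROBIN_OCT='057164155160057056151156151164057150164164160144'   # decodes to the /tmp path

# Mitigation B: discard log entries that are recognisably the scanner's own
# invocation (identified here by its variable name) before matching, so a hit
# must come from some other command. Prints the match count.
filtered_matches() {
  ioc=$(ioc_from_octal "$NOTROBIN_OCT")
  printf '%s\n' "$SAMPLE_LOG" | grep -v -F -- 'notrobin_paths' | grep -c -F -- "$ioc"
}

echo "naive matches:    $(naive_matches)"     # 3, two of them the scanner itself
echo "filtered matches: $(filtered_matches)"  # 1, the operator command only
```

Run it with `sh` on any host with grep and sed. The count drops from three to one because the two entries that are really the scanner's own function body are set aside, and the decoded indicator is only ever held in a variable, never typed as a literal the shell logger can capture. Mitigation B on its own is fragile (it depends on a marker string in the scanner staying stable), so the encoded-indicator approach is the one that removes the root cause; a scanner that reads shell history should also record its own start time and treat entries logged after that instant with suspicion of being self-generated.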
williballenthin added a commit that referenced this issue Mar 25, 2020
@williballenthin (Contributor) commented:

closed in #25
