*moved* Have a look at these tripwire logs...

Whats up....

I was going through my TRIPWIRE logs and noticed a few things that caught my eye and am sort of worried, i have been hacked. Here is all the stuff i have been doing just soo you know just in case these things could have made my logs look like someone has hacked my box.Im just trying to give you as much info as possible:

1>I installed SNORT with mysql+acid+apache+webmin+netssl --on Saturday(got it working :D )

2>I updated my linux machine with the recent updates. I Cant rmeber them exactly PAM was one of them and a few other recent ones that were just released. From Redhat

3>I deleted and created USER.

4>I have ran chkrootkit and it fond nothng but a suspicious directory reagarding netssl but nothng other than that.("/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/SSLeay/.packlist")

5>I ran a port scan yesterday and all ports were filtered.

#####If you need to know my TRIPWIRE configuration is installed it and configured it exactly
from here: http://www.linuxsecurity.com/feature...story-81.html.

If you need any other info i can post it...Sorry for the long log file but didnt want to leave anything out...if someone could browse throught it. My main concern was things like:

Modified
/bin/ls

Modified
/bin/chmod
Stuff like that.... got me shaking...

I have attached it in .TXT but if you change it to .DOC its nicer to look at :cool:

Did you install Tripwire before or after you did all those changes?

Did you do a redhat update? Did the Red Hat Update perhaps update those files?

Do you have other logs like /var/logs that might indicate a new user appearing?

Have you checked to see if any user logged on at a time you didn't expect?

Have you checked passwd and shadow to see if there are any new users?

1> Tripwwire was installed before those changes...(Like 2 monthes ago when i installed linux it was like the secind thing i installed)

2>YES i did a REDHAT update. I update as soon as a new patch comes out...And there was some on Friday and Saturday, i think PAM was one of them this weekend.

3>I have checked /var/log messages but cant see any other users login in except for me SU
to Root. Session opened for user root by Mike(Uid=500)


4>I DELETED and CREATED a USER on Saturday.

Create a boot disk (cdrom or disk) with at least static ls, ps, netstat, cat, lsof, md5, etc (from a machine other than this one, and you want these binaries to be static not dynamic (your libraries could be corrupt too is why)). Boot from it and mount your harddrive, THEN check...if you have been rootkitted you can't trust anything on your box...

/nebulus

If I remember correctly, tripwire creates md5 hashes (amoung other things) of your binaries...have you tried comparing the md5 hash of your current binaries versus what tripwire had stored?

I searched on GOOGLE for "REDHAT UPDATE /bin/ls changes"
and got back:
http://www.google.com/search?q=Redha...chnges+/bin/ls

And then i checked /var/log/rpmpkgs and looked for fileutils and found that i have fileutils-4.1-10.1.i386.rpm and fileutils-4.1.7-4.i386.rpm installed. Would that have caused the changes.Casue i think i remember seeing that as one thing i was updating.

http://online.securityfocus.com/archive/1/260936

I am not familiar enough with RedHat to answer that question specifically, but I can say that almost certiainly, if a binary is patched, tripwire will report the binary as having changed and will throw out alerts (think about it, the old binary is replaced with a new patched one that will have a different md5 hash). So if you patched any of the commands that tripwire reported as having changed, that would explain the messages. If you find that all of the patches that were installed cover the changed files, you need to update your tripwire database to rid yourself of the messages.

There should be logs associated with those patch installs somewhere (sorry wish I could be more helpful, but I am more of a Sun guru than linus) that tell you exactly what was changed...

good luck,

nebulus