*moved* Have a look at these tripwire logs...
Results 1 to 6 of 6

Thread: *moved* Have a look at these tripwire logs...

  1. #1

    Unhappy Have a look at these tripwire logs...

    Whats up....

    I was going through my TRIPWIRE logs and noticed a few things that caught my eye and am sort of worried, i have been hacked. Here is all the stuff i have been doing just soo you know just in case these things could have made my logs look like someone has hacked my box.Im just trying to give you as much info as possible:

    1>I installed SNORT with mysql+acid+apache+webmin+netssl --on Saturday(got it working )

    2>I updated my linux machine with the recent updates. I Cant rmeber them exactly PAM was one of them and a few other recent ones that were just released. From Redhat

    3>I deleted and created USER.

    4>I have ran chkrootkit and it fond nothng but a suspicious directory reagarding netssl but nothng other than that.("/usr/lib/perl5/site_perl/5.6.1/i386-linux/auto/Net/SSLeay/.packlist")

    5>I ran a port scan yesterday and all ports were filtered.

    #####If you need to know my TRIPWIRE configuration is installed it and configured it exactly
    from here: http://www.linuxsecurity.com/feature...story-81.html.

    If you need any other info i can post it...Sorry for the long log file but didnt want to leave anything out...if someone could browse throught it. My main concern was things like:

    Modified
    /bin/ls

    Modified
    /bin/chmod
    Stuff like that.... got me shaking...

    I have attached it in .TXT but if you change it to .DOC its nicer to look at

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Did you install Tripwire before or after you did all those changes?

    Did you do a redhat update? Did the Red Hat Update perhaps update those files?

    Do you have other logs like /var/logs that might indicate a new user appearing?

    Have you checked to see if any user logged on at a time you didn't expect?

    Have you checked passwd and shadow to see if there are any new users?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    1> Tripwwire was installed before those changes...(Like 2 monthes ago when i installed linux it was like the secind thing i installed)

    2>YES i did a REDHAT update. I update as soon as a new patch comes out...And there was some on Friday and Saturday, i think PAM was one of them this weekend.

    3>I have checked /var/log messages but cant see any other users login in except for me SU
    to Root. Session opened for user root by Mike(Uid=500)


    4>I DELETED and CREATED a USER on Saturday.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Create a boot disk (cdrom or disk) with at least static ls, ps, netstat, cat, lsof, md5, etc (from a machine other than this one, and you want these binaries to be static not dynamic (your libraries could be corrupt too is why)). Boot from it and mount your harddrive, THEN check...if you have been rootkitted you can't trust anything on your box...

    /nebulus

    If I remember correctly, tripwire creates md5 hashes (amoung other things) of your binaries...have you tried comparing the md5 hash of your current binaries versus what tripwire had stored?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  5. #5
    I searched on GOOGLE for "REDHAT UPDATE /bin/ls changes"
    and got back:
    http://www.google.com/search?q=Redha...chnges+/bin/ls

    And then i checked /var/log/rpmpkgs and looked for fileutils and found that i have fileutils-4.1-10.1.i386.rpm and fileutils-4.1.7-4.i386.rpm installed. Would that have caused the changes.Casue i think i remember seeing that as one thing i was updating.

    http://online.securityfocus.com/archive/1/260936

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    I am not familiar enough with RedHat to answer that question specifically, but I can say that almost certiainly, if a binary is patched, tripwire will report the binary as having changed and will throw out alerts (think about it, the old binary is replaced with a new patched one that will have a different md5 hash). So if you patched any of the commands that tripwire reported as having changed, that would explain the messages. If you find that all of the patches that were installed cover the changed files, you need to update your tripwire database to rid yourself of the messages.

    There should be logs associated with those patch installs somewhere (sorry wish I could be more helpful, but I am more of a Sun guru than linus) that tell you exactly what was changed...

    good luck,

    nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •