-
February 18th, 2003, 12:22 PM
#1
Member
-
February 18th, 2003, 01:49 PM
#2
Did you install Tripwire before or after you did all those changes?
Did you do a redhat update? Did the Red Hat Update perhaps update those files?
Do you have other logs like /var/logs that might indicate a new user appearing?
Have you checked to see if any user logged on at a time you didn't expect?
Have you checked passwd and shadow to see if there are any new users?
-
February 18th, 2003, 09:34 PM
#3
Member
1> Tripwire was installed before those changes... (like 2 months ago when I installed Linux it was like the second thing I installed)
2> YES I did a Red Hat update. I update as soon as a new patch comes out... and there were some on Friday and Saturday; I think PAM was one of them this weekend.
3> I have checked /var/log/messages but can't see any other users logging in except for me SU to root. Session opened for user root by Mike (Uid=500)
4> I DELETED and CREATED a USER on Saturday.
-
February 18th, 2003, 09:50 PM
#4
Create a boot disk (CD-ROM or floppy) with at least static ls, ps, netstat, cat, lsof, md5, etc. (from a machine other than this one, and you want these binaries to be static, not dynamic, because your libraries could be corrupt too). Boot from it and mount your hard drive, THEN check... if you have been rootkitted you can't trust anything on your box...
/nebulus
If I remember correctly, Tripwire creates md5 hashes (among other things) of your binaries... have you tried comparing the md5 hash of your current binaries versus what Tripwire had stored?
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
February 18th, 2003, 10:48 PM
#5
Member
I searched on GOOGLE for "REDHAT UPDATE /bin/ls changes"
and got back:
http://www.google.com/search?q=Redha...chnges+/bin/ls
And then I checked /var/log/rpmpkgs and looked for fileutils and found that I have fileutils-4.1-10.1.i386.rpm and fileutils-4.1.7-4.i386.rpm installed. Would that have caused the changes? 'Cause I think I remember seeing that as one thing I was updating.
http://online.securityfocus.com/archive/1/260936
-
February 18th, 2003, 11:23 PM
#6
I am not familiar enough with Red Hat to answer that question specifically, but I can say that almost certainly, if a binary is patched, Tripwire will report the binary as having changed and will throw out alerts (think about it: the old binary is replaced with a new patched one that will have a different md5 hash). So if you patched any of the commands that Tripwire reported as having changed, that would explain the messages. If you find that all of the patches that were installed cover the changed files, you need to update your Tripwire database to rid yourself of the messages.
There should be logs associated with those patch installs somewhere (sorry, wish I could be more helpful, but I am more of a Sun guru than Linux) that tell you exactly what was changed...
good luck,
nebulus
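The triage nebulus describes, as an added example that is not from this thread: compare the stored hashes against the current binaries, then check whether every changed file belongs to a package the update log says was replaced. The baseline, the "current" binary contents and the package file list are all constructed sample data; on a real box the package list would come from the rpm log (e.g. `rpm -ql fileutils`) and, as post #4 says, the hashes should be taken after booting from clean static media.

```python
import hashlib

# Constructed baseline: what a Tripwire-style database stored when it was
# initialised (path -> md5 of the binary at that time).
BASELINE = {
    "/bin/ls": hashlib.md5(b"ls-binary-fileutils-4.1-10").hexdigest(),
    "/bin/cp": hashlib.md5(b"cp-binary-fileutils-4.1-10").hexdigest(),
    "/bin/ps": hashlib.md5(b"ps-binary-procps-2.0.7").hexdigest(),
    "/bin/netstat": hashlib.md5(b"netstat-binary-1.42").hexdigest(),
}

# Constructed stand-in for the binaries on disk after the weekend's update.
# /bin/ps is altered although no package in the update log provides it.
CURRENT = {
    "/bin/ls": b"ls-binary-fileutils-4.1.7",
    "/bin/cp": b"cp-binary-fileutils-4.1.7",
    "/bin/ps": b"ps-binary-procps-2.0.7-modified",
    "/bin/netstat": b"netstat-binary-1.42",
}

# Constructed package -> files map for packages the rpm log shows as updated
# (the version string matches the fileutils package named in the thread).
UPDATED_PACKAGE_FILES = {
    "fileutils-4.1.7-4": ["/bin/ls", "/bin/cp", "/bin/mv"],
}


def changed_files(baseline, current):
    """Paths whose current md5 differs from the stored baseline (Tripwire's report)."""
    return sorted(
        path for path, data in current.items()
        if hashlib.md5(data).hexdigest() != baseline.get(path)
    )


def triage(changed, updated_package_files):
    """Split changed paths into those owned by an updated package and the rest.

    A file in 'explained' is what a patch is expected to do; anything in
    'unexplained' changed without a package update to account for it and
    needs the offline check before the Tripwire database is re-initialised.
    """
    explained, unexplained = {}, []
    for path in changed:
        owners = [pkg for pkg, files in updated_package_files.items() if path in files]
        if owners:
            explained[path] = owners
        else:
            unexplained.append(path)
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = triage(changed_files(BASELINE, CURRENT), UPDATED_PACKAGE_FILES)
    print("explained by updates:", explained)
    print("unexplained changes:", unexplained)
```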