Scot L. Harris wrote:
On Wed, 2005-10-05 at 17:35, Bill Perkins wrote:
After downloading and installing gnome-pkgview and gnome-common (which pkgview needed) tripwire started complaining about a whole bunch of files that had suddenly changed checksums, and in many cases, the sizes of the files as well, including tripwire itself. Did I just get zapped by something nasty, or does tripwire sometimes get a little confused?
Were the files all part of gnome-common? Did you update tripwire after you upgraded gnome-common? When did tripwire report a violation?
No, very few of them were part of gnome-common.
Three possibilities. One, tripwire ran at its usual time and reported the changed files which you upgraded.
It did, with a whole bunch more.
Two, if you updated tripwire after doing the upgrade, prelink probably ran later that night and modified the updated files you installed via gnome-common. Tripwire then reported the differences.
Haven't upgraded tripwire since installing it. Looks like the tripwire rpm gets compromised as well, through yum (yum erase tripwire; yum install tripwire yields a different tripwire md5 each time. Very strange, different from the one on backup.)
Third, if neither one nor two are possibilities then you need to look at the particular files being reported. You might have been hacked.
There is a ton of files, most of which have nothing to do with gnome-common or gnome-pkgview, both of which were installed just prior to this. I also added the livna repo (per instructions from some yum FAQ) just prior to this.
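An added example, not part of the original thread: one way to triage a long violation list against the prelink explanation raised above is to separate ELF executables and shared objects, which prelink can rewrite, from everything else, which it cannot. The function names and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

ET_EXEC, ET_DYN = 2, 3  # ELF e_type: executable, shared object / PIE

def prelink_could_explain(path):
    """True if path is an ELF executable or shared object.

    Necessary, not sufficient: prelink rewrites only dynamically linked
    ELF files, so a True here still needs checking against the package.
    """
    try:
        with open(path, "rb") as f:
            header = f.read(18)
    except OSError:
        return False
    if len(header) < 18 or header[:4] != b"\x7fELF":
        return False
    # e_ident[5] (EI_DATA): 1 = little-endian, 2 = big-endian
    fmt = "<H" if header[5] == 1 else ">H"
    (e_type,) = struct.unpack(fmt, header[16:18])
    return e_type in (ET_EXEC, ET_DYN)

def triage(changed_paths):
    """Split a list of changed files by whether prelink could be the cause."""
    result = {"prelink_candidate": [], "unexplained": []}
    for path in changed_paths:
        key = "prelink_candidate" if prelink_could_explain(path) else "unexplained"
        result[key].append(path)
    return result

def demo():
    """Run triage over constructed sample files; returns basenames per bucket."""
    def elf(e_type):  # constructed minimal 64-bit little-endian ELF header prefix
        return b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack("<H", e_type)
    samples = {"libdemo.so": elf(ET_DYN), "demo-bin": elf(ET_EXEC),
               "demo.o": elf(1), "demo.conf": b"setting = 1\n", "demo.sh": b"#!/bin/sh\nexit 0\n"}
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in samples.items():
            paths.append(os.path.join(d, name))
            with open(paths[-1], "wb") as f:
                f.write(data)
        return {k: [os.path.basename(p) for p in v] for k, v in triage(paths).items()}

if __name__ == "__main__":
    print(demo())
```

Files in the `unexplained` bucket (configuration files, scripts, object files) are the ones to examine first, since a prelink run does not account for changes to them.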