On Thu, 2005-10-06 at 00:43, Bill Perkins wrote:
> Scot L. Harris wrote:
> > On Wed, 2005-10-05 at 17:35, Bill Perkins wrote:
> > > After downloading and installing gnome-pkgview and gnome-common (which pkgview needed), tripwire started complaining about a whole bunch of files that had suddenly changed checksums, and in many cases the sizes of the files as well, including tripwire itself. Did I just get zapped by something nasty, or does tripwire sometimes get a little confused?
> > Were the files all part of gnome-common? Did you update tripwire after you upgraded gnome-common? When did tripwire report a violation?
> No, very few of them were part of gnome-common.
> > Three possibilities. One, tripwire ran at its usual time and reported the changed files which you upgraded.
> It did, with a whole bunch more.
> > Two, if you updated tripwire after doing the upgrade, prelink probably ran later that night and modified the updated files you installed via gnome-common. Tripwire then reported the differences.
> Haven't upgraded tripwire since installing it. Looks like the tripwire rpm gets compromised as well, through yum (yum erase tripwire; yum install tripwire yields a different tripwire md5 each time. Very strange; different from the one on backup.)
> > Third, if neither one nor two are possibilities, then you need to look at the particular files being reported. You might have been hacked.
> There are a ton of files, most of which have nothing to do with gnome-common or gnome-pkgview, both of which were installed just prior to this. I also added the livna repo (per instructions from some yum FAQ) just prior to this.
How long had tripwire been running prior to this event? Prelink caused me a fit once on a new system I had set up. The next morning it looked like everything had been compromised.
I believe you can use rpm to validate the files on your system. rpm is prelink aware. Check the verify option of rpm. If that shows things don't match up, then you have a system that may have been compromised.
Because it is reporting huge numbers of files on your system I am thinking this is due to prelinking. I suspect that all the files reported are executables and not text config files.
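As an added example (not code from this thread), here is a small POSIX shell script that does what Scot suggests: it triages `rpm -Va` output, skipping config files and flagging binaries whose digest no longer matches the package, and for each flagged file compares the digest of the un-prelinked image (`prelink -y` writes it to stdout) with the digest recorded in the rpm database (`rpm -q --dump`). The function names `triage_rpm_verify` and `prelink_only_change` are mine, the sample rpm -V lines in the comments are constructed, and the script assumes an md5 digest as on 2005-era Fedora (recent rpm records sha256, so `sha256sum` would be needed there).

```shell
#!/bin/sh
# Added example, not from the thread: triage "rpm -Va" output and tell
# prelink-only changes apart from changes that still need a look.
#
# rpm -V prints one line per file that fails verification (sample lines, constructed):
#   S.5....T.    /usr/bin/foo        size, md5 and mtime differ
#   .......T.  c /etc/foo.conf       a 'c' between the flags and the path marks a config file
#   missing      /usr/lib/libbar.so  file is gone
# The third character of the flag string is the digest check ('5' = mismatch).

# Read rpm -V lines on stdin.  Prints "MISSING <path>" for absent files and
# "CHECK <path>" for non-config files whose digest no longer matches the
# package.  Config files are skipped, since local edits there are expected.
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        NF == 3 && $2 == "c" { next }
        substr($1, 3, 1) == "5" { print "CHECK " $NF }
    '
}

# For one file: undo prelinking with "prelink -y" (falls back to the file as-is
# when it is not prelinked), hash the result, and compare with the digest that
# "rpm -q --dump" recorded for that path (fields: path size mtime digest ...).
# Returns 0 when the only change was prelinking, 1 otherwise or when the file
# is not owned by any package.  Assumes md5 digests (2005-era Fedora).
prelink_only_change() {
    f=$1
    recorded=$(rpm -q --dump -f "$f" 2>/dev/null | awk -v p="$f" '$1 == p { print $4 }')
    current=$( { prelink -y "$f" 2>/dev/null || cat "$f" 2>/dev/null; } | md5sum | awk '{ print $1 }')
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Usage:  rpm -Va 2>/dev/null | sh rpm-triage.sh run
if [ "${1:-}" = "run" ]; then
    triage_rpm_verify | while read -r tag path; do
        case $tag in
            CHECK)
                if prelink_only_change "$path"; then
                    echo "prelink-only $path"
                else
                    echo "INVESTIGATE  $path"
                fi ;;
            *) echo "$tag $path" ;;
        esac
    done
fi
```

A file that comes back `INVESTIGATE` is one whose contents differ from the package even after prelinking is undone; that is the short list to compare against the backup copy, rather than the whole tripwire report.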