Strange tripwire behaviour
molloyt at keano.csis.ul.ie
Wed Mar 30 13:31:05 UTC 2005
On Wednesday 30 March 2005 14:18, Scot L. Harris wrote:
> On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> > Hi All,
> > I run tripwire each night on all my servers to check for file
> > changes. This morning I noticed something strange. On this server
> > tripwire was installed on 26th Nov last.
> > [root at keano ~]# rpm -qa --last | grep tripwire
> > tripwire-2.3.1-18.fdr.3.1 Fri Nov 26 13:31:50 2004
> > Now for some reason when it was run last night the following changes
> > had occurred to the tripwire executable. Changes to the Inode Number,
> > the block count, the CRC32 and MD5 checksums.
> > Modified object name: /usr/sbin/tripwire
> > Now a similar change occurred on all 20 of my servers last night so I
> > don't think it was a compromise. At least I hope not.
> > Any ideas?
> Most likely prelink ran and modified the binaries. First time I had
> tripwire reported like this I was in a mild panic thinking the worst.
> But it turned out to be prelink doing its thing via the cron job.
Thanks, I hadn't thought of that. As you said, I was in a mild panic at first
but then said a hacker couldn't have got at all the servers, which are on
different VLANs. Funny that it never happened before though.
Dept. of Comp. Sci.
University of Limerick