Strange tripwire behaviour

Jeff Kinz jkinz at kinz.org
Wed Mar 30 15:18:03 UTC 2005


On Wed, Mar 30, 2005 at 08:54:03AM -0500, Scot L. Harris wrote:
> On Wed, 2005-03-30 at 08:31, Tony Molloy wrote:
> > On Wednesday 30 March 2005 14:18, Scot L. Harris wrote:
> > > On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> > > > Modified object name:  /usr/sbin/tripwire
> > > > Now a similar change occurred on all 20 of my servers last night so I
> > > > don't think it was a compromise. At least I hope not.
> > >
> > > Most likely prelink ran and modified the binaries.  The first time I had
> > > tripwire report like this I was in a mild panic thinking the worst.
> > > But it turned out to be prelink doing its thing via the cron job.
> > 
> > Thanks, I hadn't thought of that. As you said I was in a mild panic at first 
> > but then said a hacker couldn't have got at all the servers, which are on 
> > different vlans. Funny that it never happened before though.
> 
> If these were long running installations of tripwire then you need to
> look closer, I would expect the prelink issue to show up by the next day
> after installation, not weeks or months down the road.
> 
> You should run the rpm verify option to check the tripwire binaries if
> they were installed from rpm.  rpm is prelink aware and will confirm if
> the binary has been changed or not by something other than prelink.
> 
> And don't discount a hacker moving very quickly through a network.  If
> they found an exploit that let them in on one system and all your
> systems are identical then they are all vulnerable.  Don't panic yet
> though, try to verify that it was prelink that did this.  

Scot is correct on both counts: prelink is the likely culprit, but
don't discard the idea of a very thorough intrusion effort.

In addition to the rpm check, you should download and run one of the
rootkit checkers that actively scan your system for known "root kits".

Here's a nice, short intro with download pointers:
http://www.brunolinux.com/07-Security/Rootkit_Checkers.html

Why this in addition to the rpm check?  Because your rpms may have also
been modified and tripwire adjusted to not detect it.  (If you can get
your rpms off a cd-rom or from a reliable web site then you can rely on
them, but don't use the local copies on your hard drive.)

-- 
"First top post!"   http://slashrot.rot

http://kinz.org
http://www.fedoranews.org
Jeff Kinz, Emergent Research, Hudson, MA.
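The rpm verification Scot and Jeff describe, as an added example that is not part of the thread and not anyone's posted code: a POSIX sh script that sorts "rpm -V" output into mtime-only changes (what a prelink pass leaves behind, since rpm recomputes digests on the un-prelinked image), config-file changes, missing files, and everything else, which is the suspicious bucket. The second function follows Jeff's advice to distrust the local copies: it checks a package file's signature with "rpm -K", verifies installed files against that package file with "rpm -Vp" instead of against the local rpm database, and compares the digest of the un-prelinked binary (from "prelink -y") with the digest recorded in the package ("rpm -qp --dump"). The flag-column layout in the comments, the sample verify lines, and the package and binary names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread.  Triage an unexpected tripwire
# report with rpm's own verification.
#
# Assumed "rpm -V" line layout: an 8- or 9-column flag string, an optional
# attribute letter (c = %config, d = %doc), then the path, e.g.
#   S.5....T    /usr/sbin/tripwire        size, digest and mtime differ
#   S.5....T  c /etc/tripwire/twpol.txt   a config file changed
#   missing     /usr/sbin/twadmin
# Flags: S size, M mode, 5 digest, D device, L link target, U user,
# G group, T mtime, P capabilities (9-column rpm only).

# classify_rpmv_line "<one rpm -V line>" prints "<class> <path>", where
# class is ok, mtime-only, config-changed, missing or SUSPICIOUS.
classify_rpmv_line() {
    set -f            # no globbing while we word-split the line
    set -- $1
    set +f
    if [ $# -eq 3 ]; then attr=$2; path=$3; else attr=""; path=$2; fi
    case "$1" in
        missing)  echo "missing $path" ;;
        *[!.T]*)  # something other than the mtime changed
                  case "$attr" in
                      c|d) echo "config-changed $path" ;;
                      *)   echo "SUSPICIOUS $path" ;;
                  esac ;;
        *T*)      echo "mtime-only $path" ;;   # what prelink leaves behind
        *)        echo "ok $path" ;;
    esac
}

# Verify installed packages against the local rpm database.  A quiet
# "rpm -V" after a prelink run is the expected, clean result.
triage_installed() {
    for pkg in "$@"; do
        rpm -V "$pkg" | while read -r line; do classify_rpmv_line "$line"; done
    done
}

# Jeff's point: if the box is owned, the local database and local package
# copies are not trustworthy.  Use a package file from the install CD or
# the vendor mirror: check its signature, verify installed files against
# the file itself, and compare the un-prelinked binary's digest with the
# digest the package records.
triage_against_trusted_package() {
    pkgfile=$1        # e.g. tripwire-2.3.1-18.i386.rpm (assumed name)
    binary=$2         # e.g. /usr/sbin/tripwire
    rpm -K "$pkgfile" || { echo "signature check FAILED for $pkgfile"; return 1; }
    rpm -Vp "$pkgfile" | while read -r line; do classify_rpmv_line "$line"; done
    ondisk=$(prelink -y "$binary" | md5sum | cut -d' ' -f1)
    recorded=$(rpm -qp --dump "$pkgfile" | awk -v f="$binary" '$1 == f { print $4 }')
    if [ "$ondisk" = "$recorded" ]; then
        echo "digest match $binary"
    else
        echo "DIGEST MISMATCH $binary ($ondisk vs $recorded)"
        return 1
    fi
}

# Constructed sample of what "rpm -V tripwire" might print: the first line
# is a prelink pass, the rest are what a real tampering would look like.
SAMPLE='.......T    /usr/sbin/tripwire
S.5....T    /usr/sbin/siggen
S.5....T  c /etc/tripwire/twpol.txt
missing     /usr/sbin/twadmin'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | while read -r line; do classify_rpmv_line "$line"; done
fi
```

Run it with "--demo" to see the classification on the constructed sample, or call triage_installed tripwire on a real box. Anything in the SUSPICIOUS bucket, or a digest mismatch against a package you trust, is the point at which the rootkit checkers Jeff mentions come out; a box that shows only mtime-only lines the morning after prelink's cron job is behaving as Scot describes.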



