Strange tripwire behaviour

Tony Molloy molloyt at keano.csis.ul.ie
Wed Mar 30 13:31:05 UTC 2005


On Wednesday 30 March 2005 14:18, Scot L. Harris wrote:
> On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> > Hi All,
> >
> > I run tripwire each night on all my servers to check for file
> > changes. This morning I noticed something strange. On this server
> > tripwire was installed on 26th Nov last.
> >
> >     [root at keano ~]# rpm -qa --last | grep tripwire
> >     tripwire-2.3.1-18.fdr.3.1                     Fri Nov 26 13:31:50 2004
> >
> > Now for some reason when it was run last night the following changes
> > had occurred to the tripwire executable. Changes to the Inode Number,
> > the block count, the CRC32 and MD5 checksums.
> >
> >
> > Modified object name:  /usr/sbin/tripwire
> >
> > Now a similar change occurred on all 20 of my servers last night so I
> > don't think it was a compromise. At least I hope not.
> >
> > Any ideas?
>
> Most likely prelink ran and modified the binaries.  The first time I had
> tripwire report like this I was in a mild panic thinking the worst.
> But it turned out to be prelink doing its thing via the cron job.
>
> --

Scot,

Thanks, I hadn't thought of that. As you said I was in a mild panic at first
but then said a hacker couldn't have got at all the servers, which are on
different vlans. Funny that it never happened before though.

Tony

-- 


Tony Molloy.

Dept. of Comp. Sci.
University of Limerick
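A defender's check for the situation in this thread, added here as an example and not code from the list, from tripwire or from prelink: `prelink -y` writes the un-prelinked image of an executable to standard output without touching the file on disk, so hashing that output against the digest tripwire (or `rpm -q --dump`) recorded tells you whether prelink alone explains the report. It assumes prelink is installed (it ships with Fedora); `PRELINK_UNDO` is an assumed hook for substituting the undo command.

```shell
#!/bin/sh
# Decide whether a tripwire "changed" report on a binary is explained by
# prelink alone. prelink -y (--verify) emits the original, un-prelinked
# file on stdout; if that image still hashes to the known-good digest,
# prelink is the only thing that modified the file. If it does not, the
# change is something else and needs investigating.
# Assumption: PRELINK_UNDO is a hook so the logic can be exercised on a
# host without prelink; the real command is "prelink -y".
PRELINK_UNDO="${PRELINK_UNDO:-prelink -y}"

# MD5 of the file as it was before prelinking touched it
original_md5() {
    $PRELINK_UNDO "$1" | md5sum | cut -d' ' -f1
}

# MD5 of the file as it sits on disk now (what tripwire hashed last night)
current_md5() {
    md5sum "$1" | cut -d' ' -f1
}

# prelink_explains_change FILE KNOWN_GOOD_MD5
# exit 0: benign (file unchanged, or differs only by prelinking)
# exit 1: the un-prelinked image differs from the known-good digest
# exit 2: file missing
prelink_explains_change() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    if [ "$(current_md5 "$file")" = "$expected" ]; then
        return 0
    fi
    [ "$(original_md5 "$file")" = "$expected" ]
}
```

Run it against the digest in the tripwire database for each flagged binary; a non-zero exit on even one file is the case that should not be waved off as prelink.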
