Wire tripped

Scot L. Harris webid at cfl.rr.com
Thu Oct 6 12:33:20 UTC 2005


On Thu, 2005-10-06 at 00:43, Bill Perkins wrote:
> Scot L. Harris wrote:
> > On Wed, 2005-10-05 at 17:35, Bill Perkins wrote:
> > 
> >>After downloading and installing gnome-pkgview and gnome-common (which 
> >>pkgview needed) tripwire started complaining about a whole bunch of 
> >>files that had suddenly changed checksums, and in many cases, the sizes 
> >>of the files as well, including tripwire itself. Did I just get zapped 
> >>by something nasty, or does tripwire sometimes get a little confused?
> > 
> > 
> > Were the files all part of gnome-common?  Did you update tripwire after
> > you upgraded gnome-common? When did tripwire report a violation?  
> 
> No, very few of them were part of gnome-common
> 
> > Three possibilities.  One, tripwire ran at its usual time and reported
> > the changed files which you upgraded.
> 
> It did, with a whole bunch more.
> 
> > Two, if you updated tripwire after doing the upgrade, prelink probably 
> > ran later that night and modified the updated files you installed via
> > gnome-common.  Tripwire then reported the differences.
> 
> Haven't upgraded tripwire since installing it. Looks like the tripwire 
> rpm gets compromised as well, through yum (yum erase tripwire; yum 
> install tripwire yields a different tripwire md5 each time. Very 
> strange, different from the one on backup.)
> 
> > Third, if neither one or two are possibilities then you need to look at
> > the particular files being reported.  You might have been hacked. 
> 
> There is a ton of files, most of which have nothing to do with 
> gnome-common or gnome-pkgview, both of which were installed just prior 
> to this. I also added the livna repo (per instructions from some yum 
> FAQ) just prior to this.

How long had tripwire been running prior to this event?  Prelink caused
me a fit once on a new system I had set up.  The next morning it looked
like everything had been compromised.

I believe you can use rpm to validate the files on your system.  rpm is
prelink aware.  Check the verify option of rpm.  If that shows things
don't match up then you have a system that may have been compromised.

Because it is reporting huge numbers of files on your system I am
thinking this is due to prelinking.  I suspect that all the files
reported are executables and not text config files.
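The check suggested in the reply above, as an added example that is not part of the original mail or of the rpm or tripwire projects: a small helper that reduces the output of `rpm -Va` to the findings worth chasing. The sample `rpm -V` lines it runs on are constructed for illustration (the paths and flag patterns are assumed, not taken from the poster's system), and the function name `rpm_verify_triage` is mine.

```shell
#!/bin/sh
# Added example, not from the original mail. rpm -V prints one line per file
# that fails verification: an eight-column flag field (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime; '.' = unchanged),
# an optional type letter (c = config file), then the path. A packaged file
# that is gone prints "missing" in place of the flags.

# Constructed sample lines (assumed, not captured from a real system).
SAMPLE='S.5....T   /usr/bin/gnome-pkgview
..5....T c /etc/sysconfig/prelink
S.5....T   /usr/sbin/tripwire
.M......   /usr/bin/passwd
missing    /usr/lib/libfoo.so.1'

# Reduce rpm -V output to the findings worth chasing:
#   DIGEST  - contents changed on a non-config file; rpm verify discounts
#             prelink, so a digest change on a binary is not explained by it
#   MODE    - permission bits changed
#   OWNER   - user or group changed
#   MISSING - packaged file no longer present
# Config files with a changed digest are skipped: they are edited legitimately.
rpm_verify_triage() {
    printf '%s\n' "$1" | awk '
        /^missing/ { print "MISSING " $NF; next }
        {
            flags = $1; file = $NF
            type = (NF == 3) ? $2 : ""
            if (type == "c") next
            if (substr(flags, 3, 1) == "5") print "DIGEST " file
            if (substr(flags, 2, 1) == "M") print "MODE " file
            if (substr(flags, 6, 1) == "U" || substr(flags, 7, 1) == "G") print "OWNER " file
        }'
}

# On a live system: rpm_verify_triage "$(rpm -Va 2>/dev/null)"
rpm_verify_triage "$SAMPLE"
```

`rpm -V tripwire` restricts the check to one package, and `rpm -Vp tripwire-*.rpm` compares the installed files against a downloaded package file instead of the local rpm database, which matters when the database itself is under suspicion. Anything the triage lists as DIGEST on a binary is a real content change as far as rpm can tell, and is the set of files to compare against a trusted copy such as the backup mentioned above.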
