Security Incidents mailing list archives
Possible tripwire false alarm?
From: Sebastian Ip <9scki () qlink queensu ca>
Date: Mon, 15 Oct 2001 08:25:28 -0400
Dear experienced security people,

I am in a fix and I need an answer really quick.... I woke up today, checked my personal Linux firewall logs.. noticed that overnight tripwire results were in my mailbox.. Checked it.. and ALARM!! ls has been modified along with gunzip, gzip, zcat and cpio. All of them in /bin. So I was like F***!! something's wrong.. But what can be wrong? I didn't do nothing and my firewall blocks everything but sendmail, named and ssh. None of those have any known problems for 7.1 that I haven't patched for. OK.. save the sendmail local root thing. But I don't have any local users! Just me me me!

The only problem I can see is that I opened my ftp for one of my friends. But that was restricted to his IP only. And I don't know of any new wu-ftp bug (yes yes I know, but I don't usually host ftps).

So anyhow I decided not to panic and reinstall from scratch, because first of all it's just odd that only ls and a few other files have been changed. Logs show nothing, but those could have been changed. And I have a midterm next week I have to study for. So I found my Red Hat 7.1 CDs, found the right rpm, extracted the file ls from that on my own workstation and md5summed the copy on the firewall and the one extracted from the rpm. The results came back the same.

Which leaves me with the question: am I going to have to reinstall? Or is this just an example of how tripwire can screw up royally at a very odd time? So eh, if anyone wants to tell me what to do next drop me a line, I'll be eternally grateful.

Thanks
Sebastian Ip

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
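Added example, not part of the original post: the comparison described in the message (a file extracted from the vendor rpm versus the copy on the firewall), generalized to every flagged path and to two digests instead of MD5 alone. The function names and directory layout are assumptions; it also assumes the hashing is done with trusted tools, for example with the suspect disk mounted read-only on another machine, since digests computed by a compromised host's own binaries cannot be relied on.

```shell
#!/usr/bin/env bash
# Added example: compare files flagged by an integrity checker against a
# reference tree extracted from vendor packages on a separate, trusted machine.
# The reference tree would be produced with something like:
#   rpm2cpio <package>.rpm | cpio -idm     # <package> is a placeholder
# Layout assumption: REF_ROOT and SUSPECT_ROOT mirror each other (bin/ls, ...).

# digest FILE -> prints "md5:sha256" of FILE
digest() {
    local m s
    m=$(md5sum "$1" | cut -d' ' -f1) || return 1
    s=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    printf '%s:%s\n' "$m" "$s"
}

# verify_flagged REF_ROOT SUSPECT_ROOT PATH...
# Prints one line per path: MATCH, MISMATCH, MISSING-REF or MISSING-SUSPECT.
# Returns 0 only if every path is present on both sides with identical content.
verify_flagged() {
    local ref="$1" sus="$2" rc=0 p
    shift 2
    for p in "$@"; do
        if [ ! -f "$ref/$p" ]; then
            echo "MISSING-REF $p"; rc=1        # no known-good copy to compare to
        elif [ ! -f "$sus/$p" ]; then
            echo "MISSING-SUSPECT $p"; rc=1    # file absent on the suspect system
        elif [ "$(digest "$ref/$p")" = "$(digest "$sus/$p")" ]; then
            echo "MATCH $p"
        else
            echo "MISMATCH $p"; rc=1           # content differs from vendor copy
        fi
    done
    return $rc
}

# Usage (paths are the ones named in the post; roots are hypothetical):
#   verify_flagged /tmp/ref /mnt/suspect bin/ls bin/gunzip bin/gzip bin/zcat bin/cpio
```

A MATCH on every path says the file contents equal the vendor's; it does not by itself say which attribute the integrity checker saw change.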