Security Incidents mailing list archives

Re: Possible tirpwire false alarm?

From: Sebastian Ip <9scki () qlink queensu ca>
Date: Mon, 15 Oct 2001 12:22:37 -0400

I am not running any backup software.

I ran md5sum on my own workstation the firewall and a thrid mandrake 8.1 
install that my housemate just installed yesterday night i did it as soon as 
he installed it so it's pretty much 99% trusted. And the md5sums came back 
the same each time.

Rerunning results in the same warnings. And today i have a few more files 
also in /bin changed plus /etc/profile.d changed but no file /etc/profile.d 
has been changed. Again the new changes shows no differences in md5sum on any 
of the 3 linux boxes here. One of which is a trusted fresh install.

So i dont' really know what's going on. Waht i want to ask is if it is 
possible that there is a on going disk failure and blocks are moving around 
and tripwire's detecting that? Cause that drive's about 3 years old and it's 
been up a long long time.

thanks for the quick replies

Sebastian Ip

On Monday 15 October 2001 11:37, Berend De Schouwer wrote:

On Mon, 2001-10-15 at 14:25, Sebastian Ip wrote:

Dear experienced security people

I am in a fix and i need an answer really quick....

I woke up today checked my personal linux firewall logs.. noticed that
over night tirpwire results were in my mail box.. Checked it.. and
ALARM!! ls has been modified along with gunzip, gzip, zcat and cpio. All
of them in /bin.


Step 1: stay calm :)

What changed?  sums, permissions, or timestamps?  If you run tripwire
again, have the same files changed?  If its different files, maybe you
have flaky hardware.

Thanks

Sebastian Ip

-------------------------------------------------------------------------
--- This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Possible tirpwire false alarm? Sebastian Ip (Oct 15)
- Re: Possible tirpwire false alarm? Berend De Schouwer (Oct 15)
  - Re: Possible tirpwire false alarm? Sebastian Ip (Oct 15)
    - Re: Possible tirpwire false alarm? Jose Nazario (Oct 15)
    - Re: Possible tirpwire false alarm? [incidents] Stephen W. Thompson (Oct 15)
    - Re: Possible tirpwire false alarm? ksemat (Oct 15)
- Message not available
  - Re: Possible tirpwire false alarm? Sebastian Ip (Oct 16)