Security Incidents mailing list archives

Re: Possible tripwire false alarm?


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Mon, 15 Oct 2001 13:13:28 -0400 (EDT)

On Mon, 15 Oct 2001, Sebastian Ip wrote:

> I ran md5sum on my own workstation the firewall and a third mandrake
> 8.1 install that my housemate just installed yesterday night i did it
> as soon as he installed it so it's pretty much 99% trusted. And the
> md5sums came back the same each time.

does rpm use open() on the file or read() to calculate? what about md5sum,
read() or open()? look into L5, which uses MD5 sums as one of its fields,
but uses open(). a kernel module to redirect read() differently than
open() calls could fool older versions of tripwire (i don't recall what
version you said you were using). this was discussed in phrack some years
ago.

just a thought.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
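A defensive cross-check of the concern Jose raises, added here as an example and not code from the thread: hash the same file through two independent kernel paths (read() on a descriptor and mmap()) and compare both with a trusted baseline, so a hook that alters only one path shows up as a disagreement between the two views. It assumes a Linux/Unix host with Python 3; the sample file contents and the baseline hash are constructed for the demo.

```python
import hashlib
import mmap
import os
import tempfile


def md5_via_read(path, chunk=65536):
    """MD5 of the file fed by raw read() syscalls on an open descriptor."""
    h = hashlib.md5()
    fd = os.open(path, os.O_RDONLY)
    try:
        while True:
            buf = os.read(fd, chunk)
            if not buf:
                break
            h.update(buf)
    finally:
        os.close(fd)
    return h.hexdigest()


def md5_via_mmap(path):
    """MD5 of the file via mmap(): bytes come from the page cache, not read()."""
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        if size == 0:                      # mmap() refuses a zero-length mapping
            return hashlib.md5(b"").hexdigest()
        with mmap.mmap(f.fileno(), size, access=mmap.ACCESS_READ) as m:
            return hashlib.md5(m).hexdigest()


def cross_view_check(path, expected_md5=None):
    """Return (paths_agree, matches_baseline, read_digest, mmap_digest).

    paths_agree: read() and mmap() delivered identical bytes.
    matches_baseline: both views equal the trusted hash (if one is given)."""
    r, m = md5_via_read(path), md5_via_mmap(path)
    agree = r == m
    matches = agree and (expected_md5 is None or r == expected_md5.lower())
    return agree, matches, r, m


def check_bytes(data, expected_md5=None):
    """Write constructed file contents to a temp file and cross-check them."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return cross_view_check(path, expected_md5)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    sample = b"#!/bin/sh\necho constructed sample binary\n"
    baseline = hashlib.md5(sample).hexdigest()  # stands in for a known-good install
    print(check_bytes(sample, baseline))
```

A hook that rewrites both views consistently would still pass, so the comparison raises the bar rather than settling the question; the baseline hash should come from a trusted install rather than from the suspect host.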


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
