Re: Possible tirpwire false alarm? [incidents]

["Stephen W. Thompson" <thompson () pobox upenn edu>]

Sebastian, my thoughts for your problem include:

1. Consider the possibility that a malicious loadable kernel module
   has been loaded which directs most integrity tools (md5sum) to the
   original file but for some reason (thankfully!) tripwire still sees
   the changed file.

2. Therefore, consider booting from a safe install (tomsrtbt, trinux,
   pick your favorite tiny OS, or a boot floppy created during your
   original install) prior to running tripwire.  If the last option,
   consider skipping the usual init files with (I think) the kernel
   command line arg 'init': "linux init=/bin/bash"
    (No guarantees -- I'm no linux guru.)

Good luck!

En paz,
Steve

> I am not running any backup software.
>
> I ran md5sum on my own workstation the firewall and a thrid mandrake 8.1 
> install that my housemate just installed yesterday night i did it as soon as 
> he installed it so it's pretty much 99% trusted. And the md5sums came back 
> the same each time.
>
> Rerunning results in the same warnings. And today i have a few more files 
> also in /bin changed plus /etc/profile.d changed but no file /etc/profile.d 
> has been changed. Again the new changes shows no differences in md5sum on any 
> of the 3 linux boxes here. One of which is a trusted fresh install.

[snip]

> > On Mon, 2001-10-15 at 14:25, Sebastian Ip wrote:

> > > I woke up today checked my personal linux firewall logs.. noticed that
> > > over night tirpwire results were in my mail box.. Checked it.. and
> > > ALARM!! ls has been modified along with gunzip, gzip, zcat and cpio. All
> > > of them in /bin.

En paz,
Steve, security analyst

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com