Security Incidents mailing list archives
Re: Possible tirpwire false alarm?
From: Sebastian Ip <9scki () qlink queensu ca>
Date: Mon, 15 Oct 2001 17:48:16 -0400
I went and acquired a copy of Tom's rescue floppy and ran checks after booting off it. Appears that everything is just fine. On reboot, however, my hard disk made some "dying" noise... that's bad.

I am hoping this is a false alarm caused by something. I'll monitor more closely what happens in the next few weeks, and when the next Red Hat comes out I'll see about at least a clean reinstall and perhaps acquire a new hard disk as well.

Thanks for all the help, guys. If anyone else has more ideas for checking why Tripwire does say there were changes, please email me. It's still not a totally "cleared" case in my mind. I have the nagging feeling I might be wrong about the system being clean.

Cheers
Sebastian Ip

If
i would do this, mount your redhat cd, mount the stage2.img file in the /mnt/cdrom/RedHat/base/stage2.img using the command:

    mount -o loop -t ext2 /mnt/cdrom/RedHat/base/stage2.img /mnt/floppy

then use the statically compiled rpm in the usr/bin directory there to verify the packages on the cd, like this:

    /mnt/floppy/usr/bin/rpm -Vp /mnt/cdrom/RedHat/RPMS/gzip-*.rpm

If you get just changed md5sums (signified by a 5) then your files are just corrupt, and not trojaned. This approach won't be immune to a malicious kernel module, so you might wanna boot into rescue mode on the cd and try it if the machine can be shut down.
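An added example, not part of the original post or the quoted reply: a small shell filter that sorts `rpm -V` output by what actually changed, so the digest flag (`5`) the reply mentions is separated from timestamp-only differences and from missing files. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify `rpm -V` output lines read from stdin.
# Each line is: a flags field (e.g. "S.5....T"), an optional one-letter
# attribute marker ("c" = config file), then the path. The word "missing"
# replaces the flags field when the file is absent.
classify_rpm_verify() {
    awk '
    {
        flags = $1
        if (NF >= 3 && length($2) == 1) { attr = $2; path = $3 }
        else                            { attr = "";  path = $2 }

        if (flags == "missing") {
            verdict = "MISSING"
        } else if (index(flags, "5")) {
            # Digest mismatch: file content differs from what the package recorded.
            verdict = (attr == "c") ? "CONFIG-CHANGED" : "CONTENT-CHANGED"
        } else {
            verdict = "METADATA-ONLY"
        }
        print verdict, path
    }'
}

# Constructed sample output (not taken from the poster's machine).
sample_output() {
    cat <<'EOF'
S.5....T c /etc/inittab
.......T   /usr/share/man/man1/gzip.1.gz
S.5....T   /bin/gzip
missing    /bin/zcat
EOF
}

# Paths that need follow-up: non-config files whose content changed or vanished.
suspect_files() {
    classify_rpm_verify |
        awk '$1 == "CONTENT-CHANGED" || $1 == "MISSING" { print $2 }'
}

sample_output | classify_rpm_verify
```

On a live system the input would come from the statically linked rpm on the mounted image, for example by piping its `-Vp` output into `suspect_files`.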