Bugtraq mailing list archives
Re: Strange changes - any ideas?
From: avalon () coombs anu edu au (Darren Reed)
Date: Tue, 11 Jun 1996 00:23:44 +1000
In some mail from Fred Cohen, sie said:
We run a change-controlled environment, which means that we should be aware of all changes. To crosscheck this, we regularly do automated change detection. This morning, I made some minor changes to some user areas and ran the change control checks only to find the changes listed below. (Here are some select extracts)
[...]
Note that while the content changed, none of the times changed, the space remained the same, etc.
[...]
Here's one where everything indicates a change, but the content is unchanged! Sort of hard to believe - there were several of these. These changes would normally indicate a massive corruption, a disk crash, total system collapse, or takeover by bad-people. I checked the log files that would indicate any intrusions and found nothing to indicate any out-of-the-ordinary usage. I found an apparent file in a directory listing - but when I tried to see it, it did not actually exist. I did a cat of /etc/motd (described above) and found that it had a partial syslog entry appended to it - very strange stuff considering that the MD5 checksum was unchanged!
[...]
I think the obvious thing would have been to find the backup tapes and use "cmp -l" on the binary files. Or something similar. You might also want to check your sanity checking binaries, kernel and database, just to be sure. Also, I'm pretty sure that funny fsck runs won't get logged.
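As an added illustration (not part of the original thread), the backup comparison suggested in the reply can be scripted so that each file is classified by whether its content, its metadata, or both differ from a restored backup. The function name, status labels and directory layout are assumptions made for this example, and the backup is assumed to be restored to disk from known-good media.

```shell
#!/bin/sh
# compare_trees BACKUP_DIR LIVE_DIR
# One status line per file found under BACKUP_DIR (a restored backup):
#   SAME     content, size and mtime all match
#   TOUCHED  size or mtime differs, content identical
#   CHANGED  content differs and so does size or mtime
#   STEALTH  content differs while size and mtime still match
#   MISSING  file is absent from the live tree
compare_trees() {
    backup=$1
    live=$2
    (cd "$backup" && find . -type f | sort) | while IFS= read -r rel; do
        b="$backup/$rel"
        l="$live/$rel"
        name=${rel#./}
        if [ ! -f "$l" ]; then
            echo "MISSING $name"
            continue
        fi
        # Metadata check without stat(1): equal size, neither file newer.
        bsize=$(wc -c < "$b" | tr -d ' ')
        lsize=$(wc -c < "$l" | tr -d ' ')
        same_meta=no
        if [ "$bsize" -eq "$lsize" ] && [ ! "$b" -nt "$l" ] && [ ! "$l" -nt "$b" ]; then
            same_meta=yes
        fi
        if cmp -s "$b" "$l"; then
            if [ "$same_meta" = yes ]; then echo "SAME $name"; else echo "TOUCHED $name"; fi
        elif [ "$same_meta" = yes ]; then
            # cmp -l prints one line per differing byte
            n=$( { cmp -l "$b" "$l" || true; } | wc -l | tr -d ' ')
            echo "STEALTH $name ($n bytes differ)"
        else
            echo "CHANGED $name"
        fi
    done
}

# Constructed demo: a one-byte change with the original size and mtime restored.
demo=$(mktemp -d)
mkdir -p "$demo/backup/etc" "$demo/live/etc"
printf 'welcome\n' > "$demo/backup/etc/motd"
printf 'welc0me\n' > "$demo/live/etc/motd"
touch -r "$demo/backup/etc/motd" "$demo/live/etc/motd"
compare_trees "$demo/backup" "$demo/live"
rm -rf "$demo"
```

Run it with cmp and the shell taken from trusted media as well, since the reply's point about checking the sanity-checking binaries applies to the comparison tools too.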