Security Incidents mailing list archives

Re: Interesting problem concerning libresolv.so.2


From: Paul Gear <paul () gear dyndns org>
Date: Sat, 19 Apr 2003 13:53:21 +1000

Sam Evans wrote:

I've run into an interesting dilemma with a machine that's running Solaris
8..  It would appear as if the /usr/lib/libresolv.so.2 file changed, but
didn't really change..

What I mean is this..  We run Tripwire on this box, and Tripwire reported
that the hash sums were different than what it expected.  Everything else
was the same (timestamps, inode, block values, etc).  This would indicate
that the contents changed inside the file..

What's also interesting is that this is the *only* file that was listed in
the tripwire report for the day.  Nothing else changed (at least according
to Tripwire).


I've had this happen to me on Linux. Only one file had changed, and the changes seemed to be random. I compared the file with a known good copy and the changes certainly were not trojans or anything like that. Most things worked, but occasionally I'd get freezing or crashes.

I asked for suggestions on this list, and the main ones were faulty motherboard and/or RAM. It turned out to be a failing disk in the software RAID set: when I removed the faulty disk from the RAID set, everything worked fine. I had to work out which disk was bad through trial and error: I rebooted with one disk disconnected and tripwire didn't complain, and with the other one, tripwire found multiple bad checksums.

I think it less likely that a Sun (presumably with SCSI disk?) would exhibit this behaviour without at least providing some clue in the hardware diagnostics, but it is possible.

Paul
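
The comparison against a known-good copy mentioned in the message above, as an added example that is not part of the original post: it summarises where a suspect file differs from a reference copy, so that a handful of scattered bit flips can be told apart from a size change or a rewritten region. The function names, the 512-byte sector size and the sample data are assumptions made for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed disk sector size; adjust for the device in question


def diff_summary(suspect_path, good_path, sector=SECTOR):
    """Compare a suspect file to a known-good copy, byte by byte."""
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    with open(good_path, "rb") as f:
        good = f.read()

    runs = []         # [start_offset, length] of each contiguous differing run
    bits_flipped = 0  # total Hamming distance over the common length
    for off, (a, b) in enumerate(zip(suspect, good)):
        if a == b:
            continue
        bits_flipped += bin(a ^ b).count("1")
        if runs and runs[-1][0] + runs[-1][1] == off:
            runs[-1][1] += 1          # extends the current run
        else:
            runs.append([off, 1])     # starts a new run

    return {
        "size_delta": len(suspect) - len(good),   # non-zero: content added/removed
        "diff_bytes": sum(n for _, n in runs),
        "bits_flipped": bits_flipped,
        "runs": [tuple(r) for r in runs],
        "sectors": sorted({(s + i) // sector for s, n in runs for i in range(n)}),
    }


def demo():
    """Constructed sample: a 2048-byte stand-in file with three flipped bits."""
    good = bytes(range(256)) * 8
    bad = bytearray(good)
    bad[700] ^= 0x04   # single-bit flip
    bad[701] ^= 0x80   # single-bit flip in the adjacent byte
    bad[1500] ^= 0x01  # single-bit flip in another sector
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("suspect.so", "good.so")]
        for p, data in zip(paths, (bad, good)):
            with open(p, "wb") as f:
                f.write(data)
        return diff_summary(*paths)


if __name__ == "__main__":
    print(demo())
```

The reference copy has to come from media that the suspect machine could not have written to, such as the original install media or a verified package.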


