Hi All,
I run tripwire each night on all my servers to check for file changes.
This morning I noticed something strange. On this server tripwire was
installed on 26th Nov last.
[root@keano ~]# rpm -qa --last | grep tripwire
tripwire-2.3.1-18.fdr.3.1 Fri Nov 26 13:31:50 2004
Now for some reason when it was run last night the following changes had
occured to the tripwire executable. Changes to the Inode Number, the
block count, the CRC32 and MD5 checksums.
Modified object name: /usr/sbin/tripwire
Property: Expected Observed
------------- -----------
Object Type Regular File Regular File
Device Number 2053 2053
* Inode Number 681532 681460
Mode -rwxr-xr-x -rwxr-xr-x
Num Links 1 1
UID root (0) root (0)
GID root (0) root (0)
Size 1281752 1281752
Modify Time Sun Nov 30 20:21:01 2003 Sun Nov 30 20:21:01
2003
* Blocks 2520 2512
* CRC32 CpVcDQ C/vQ0R
* MD5 CFFTZS34tssRvsudSHxqNn
AOg63JUMfON3CDJOE/e2sz
Now a similar change occured on all 20 of my servers last night so I don't
think it was a compromise. At least I hope not.
Any ideas.
Regards,
Tony
--
Tony Molloy.
Dept. of Comp. Sci.
University of Limerick
