On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> Hi All,
>
> I run tripwire each night on all my servers to check for file changes.
> This morning I noticed something strange. On this server tripwire was
> installed on 26th Nov last.
>
> [root@keano ~]# rpm -qa --last | grep tripwire
> tripwire-2.3.1-18.fdr.3.1 Fri Nov 26 13:31:50 2004
>
> Now for some reason when it was run last night the following changes had
> occurred to the tripwire executable. Changes to the Inode Number, the
> block count, the CRC32 and MD5 checksums.
>
>
> Modified object name: /usr/sbin/tripwire
> Now a similar change occurred on all 20 of my servers last night so I don't
> think it was a compromise. At least I hope not.
>
> Any ideas?

Most likely prelink ran and modified the binaries. First time I had
tripwire reported like this I was in a mild panic thinking the worst. But
it turned out to be prelink doing its thing via the cron job.

-- 
Scot L. Harris
webid@xxxxxxxxxx

The most disagreeable thing that your worst enemy says to your face does
not approach what your best friends say behind your back.
-- Alfred De Musset
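Added example, not part of the original thread: a shell check that separates a prelink rewrite from an unexplained change by comparing the un-prelinked digest reported by `prelink --verify --md5` against a known-good MD5. The function names, the `PRELINK` override variable and the idea of a baseline digest recorded before prelink ran are assumptions of this example.

```shell
#!/bin/bash
# Added example: decide whether a checksum change on a binary is explained
# by prelink. Assumes BASELINE_MD5 is the digest of the file as installed,
# recorded before prelink ever touched it.

# Assumed override hook so a non-default prelink path can be used.
PRELINK="${PRELINK:-prelink}"

# md5_of FILE -> MD5 hex digest of FILE as it currently is on disk
md5_of() {
    md5sum "$1" | awk '{print $1}'
}

# unprelinked_md5 FILE -> MD5 of FILE with prelink's changes undone.
# `prelink --verify --md5` prints the digest of the pre-prelink content and
# fails when the file is not what prelink itself would have produced.
unprelinked_md5() {
    command -v "$PRELINK" >/dev/null 2>&1 || return 1
    "$PRELINK" --verify --md5 "$1" 2>/dev/null | awk 'NR==1 {print $1}'
}

# classify_change BASELINE_MD5 FILE
# prints one of: unchanged | prelink | unexplained | missing
classify_change() {
    local baseline="$1" file="$2" current original
    [ -r "$file" ] || { echo "missing"; return 0; }
    current="$(md5_of "$file")"
    if [ "$current" = "$baseline" ]; then
        echo "unchanged"
        return 0
    fi
    # Digest differs: see whether undoing prelink gets back to the baseline.
    original="$(unprelinked_md5 "$file" || true)"
    if [ -n "$original" ] && [ "$original" = "$baseline" ]; then
        echo "prelink"
    else
        echo "unexplained"   # prelink absent, verify failed, or digest differs
    fi
}

# Stand-alone use: script BASELINE_MD5 /usr/sbin/tripwire
if [ "$#" -eq 2 ]; then
    classify_change "$1" "$2"
fi
```

Only a `prelink` result supports the explanation given in the reply; `unexplained` means the change still needs investigating.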