On Wed, 2005-03-30 at 08:31, Tony Molloy wrote:
> On Wednesday 30 March 2005 14:18, Scot L. Harris wrote:
> > On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> >
> > > Modified object name: /usr/sbin/tripwire
> > >
> > > Now a similar change occurred on all 20 of my servers last night so I
> > > don't think it was a compromise. At least I hope not.
> > >
> > > Any ideas.
> >
> > Most likely prelink ran and modified the binaries. The first time I had
> > tripwire report like this I was in a mild panic thinking the worst.
> > But it turned out to be prelink doing its thing via the cron job.
>
> Scott,
>
> Thanks, I hadn't thought of that. As you said I was in a mild panic first
> but then said a hacker couldn't have got at all the servers which are on
> different vlans. Funny that it never happened before though.
>
> Tony

I saw this when I first installed tripwire on the systems. After doing the
work to get the policy cleaned up and generating a clean database run, the
next day I saw this happen, as prelink runs each night if the default cron
job is left in place.

If these were long-running installations of tripwire then you need to look
closer. I would expect the prelink issue to show up by the next day after
installation, not weeks or months down the road.

You should run the rpm verify option to check the tripwire binaries if they
were installed from rpm. rpm is prelink aware and will confirm whether the
binary has been changed by something other than prelink.

And don't discount a hacker moving very quickly through a network. If they
found an exploit that let them in on one system and all your systems are
identical then they are all vulnerable.

Don't panic yet though, try to verify that it was prelink that did this.

--
Scot L. Harris
webid@xxxxxxxxxx

You will probably marry after a very brief courtship.
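The triage Scot describes (pull the paths out of the tripwire report, then ask rpm whether each binary still verifies once prelinking is undone) as a small added shell script. This is an example written for this page, not code from the thread or from tripwire/rpm; the report text fed to it is constructed, the function names are my own, and it assumes an rpm build that undoes prelink before computing file digests (as the reply states), so a "5" or "S" flag from `rpm -V` means the content differs for some reason other than prelink.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes a prelink-aware rpm:
# when rpm -V reports a digest (5) or size (S) mismatch, the change was not
# made by prelink and the binary deserves a closer look.

# Extract the paths from tripwire "Modified object name: <path>" lines
# read on stdin.
modified_objects_from_report() {
  sed -n 's/^[[:space:]]*Modified object name:[[:space:]]*//p'
}

# Classify one line of `rpm -V` output.  The first field is the flag
# column: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities; "." marks an attribute that still verifies.
#   content  -> size or digest differs (not explained by prelink)
#   metadata -> only mode/owner/mtime etc. differ
#   missing  -> rpm reports the file as missing
#   clean    -> every attribute verifies
classify_rpm_verify_line() {
  flags=${1%% *}
  case $flags in
    missing*)        echo missing ;;
    *S*|*5*)         echo content ;;
    *[MDLUGTP]*)     echo metadata ;;
    *)               echo clean ;;
  esac
}

# Run rpm -Vf on one path and classify the result.  No output from
# rpm -V means every attribute verified.  Returns 2 if rpm is absent.
triage_file() {
  path=$1
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not available, cannot verify $path" >&2
    return 2
  fi
  out=$(rpm -Vf "$path" 2>/dev/null | grep -F -- " $path")
  if [ -z "$out" ]; then
    echo clean
  else
    classify_rpm_verify_line "$out"
  fi
}

# Constructed sample report, standing in for the tripwire mail.
sample_report='Modified object name: /usr/sbin/tripwire
Modified object name: /usr/sbin/siggen'

# Usage: walk the report and print a verdict per path.
printf '%s\n' "$sample_report" | modified_objects_from_report |
while read -r f; do
  verdict=$(triage_file "$f") || verdict=unknown
  printf '%s\t%s\n' "$f" "$verdict"
done
```

A "content" verdict on all twenty servers at once is the case Scot warns about: identical hosts with the same hole fall together, so one unexplained digest mismatch should be treated as a possible compromise rather than a false positive.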