On Sun, 2005-08-28 at 17:43, Webmaster wrote:
> We have not been able to determine how a hacker was able to crack one of
> our hosts and deposit binaries on all the hosts in our network (all hosts
> are FC3).
>
> A tripwire report shows the following binaries as being modified. We think
> this is part of "ethereal," an IP packet sniffer. Because so many files
> have been modified (these are just the ones in /usr/bin), we decided to
> wipe the system and install FC4. chkrootkit.0.45 sometimes reports that an
> LKM trojan has been installed, but it does not report a problem each time
> it is invoked.

Could you be seeing a problem with prelink? I don't believe tripwire is prelink-aware; as such it would report differences if you ran tripwire prior to prelink doing its thing. If that is the case then you probably did not have a security event.

I suspect this because of the files you listed. Probably no reason for a hacker to modify files that are used to convert various file types to/from pbm format.

Were there any changes to configuration files or just binary executables?

chkrootkit has a problem with false positives at times similar to what you mentioned.
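An added example, not code from this thread: a way to triage tripwire-flagged paths with rpm's own verification, which (unlike tripwire) is assumed to undo prelink before hashing via its %__prelink_undo_cmd macro on FC3. It assumes the FC3-era `rpm -V` output layout (flag columns, optional type marker, path); the functions and the sample output are constructed for illustration.

```python
import subprocess
# rpm -V flag columns (rpm 4.3/4.4 as shipped with FC3): S size, M mode, 5 md5,
# D device, L link, U user, G group, T mtime; '.' = unchanged, '?' = untestable.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5", "D": "dev",
              "L": "link", "U": "user", "G": "group", "T": "mtime"}

# Constructed sample of rpm -V output; a file that verifies clean prints nothing.
SAMPLE = """S.5....T    /usr/bin/pnmtopng
..5....T  c /etc/example.conf
.M...UG.    /usr/bin/pbmtoxbm
missing   /usr/bin/ppmtogif
"""

def parse_rpm_verify(output):
    """Map each reported path to (set of changed attributes, type marker)."""
    result = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        flags, path = fields[0], fields[-1]
        marker = fields[1] if len(fields) == 3 else ""   # 'c' marks a config file
        changed = {"missing"} if flags == "missing" else {
            FLAG_NAMES[c] for c in flags if c in FLAG_NAMES}
        result[path] = (changed, marker)
    return result

def triage(changed, marker):
    """rpm undoes prelink before hashing (assumed: its %__prelink_undo_cmd macro),
    so an md5 mismatch here is real, while no report at all means prelink noise."""
    if not changed:
        return "clean"
    if "missing" in changed:
        return "missing"
    if changed & {"mode", "user", "group", "link", "dev"}:
        return "suspect"      # prelink never touches ownership, mode or links
    if "md5" in changed:
        return "review" if marker == "c" else "suspect"   # edited config vs altered binary
    return "review"           # only size/mtime: content intact, still worth a look

def check(path):
    # Ask rpm about one tripwire-flagged path; returns (verdict, changed attrs).
    owner = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}", path],
                           capture_output=True, text=True)
    if owner.returncode != 0:
        return "unowned", set()   # rpm cannot vouch for it; compare by other means
    verify = subprocess.run(["rpm", "-V", owner.stdout.strip()],
                            capture_output=True, text=True)
    changed, marker = parse_rpm_verify(verify.stdout).get(path, (set(), ""))
    return triage(changed, marker), changed
```

Run `check()` over each path from the tripwire report: "clean" means rpm's prelink-undone hash still matches, "suspect" means something prelink would never do (content or ownership changed).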