Scot L. Harris wrote:
> On Wed, 2005-10-05 at 17:35, Bill Perkins wrote:
> > After downloading and installing gnome-pkgview and gnome-common (which
> > pkgview needed) tripwire started complaining about a whole bunch of
> > files that had suddenly changed checksums, and in many cases, the sizes
> > of the files as well, including tripwire itself. Did I just get zapped
> > by something nasty, or does tripwire sometimes get a little confused?
>
> Were the files all part of gnome-common? Did you update tripwire after
> you upgraded gnome-common? When did tripwire report a violation?

No, very few of them were part of gnome-common.

> Three possibilities. One, tripwire ran at its usual time and reported
> the changed files which you upgraded.

It did, with a whole bunch more.

> Two, if you updated tripwire after doing the upgrade, prelink probably
> ran later that night and modified the updated files you installed via
> gnome-common. Tripwire then reported the differences.

Haven't upgraded tripwire since installing it. Looks like the tripwire
rpm gets compromised as well, through yum (yum erase tripwire; yum
install tripwire yields a different tripwire md5 each time. Very
strange, different from the one on backup.)

> Third, if neither one nor two are possibilities then you need to look at
> the particular files being reported. You might have been hacked.

There is a ton of files, most of which have nothing to do with
gnome-common or gnome-pkgview, both of which were installed just prior
to this. I also added the livna repo (per instructions from some yum
FAQ) just prior to this.

--
-------------------------------------------------------------------------------
"The two most common things in the | Bill Perkins
universe are Hydrogen and Stupidity." | perk@xxxxxxx
| programmer-at-large
F. Zappa | ALL assembly languages done here.
-------------------------------------------------------------------------------