Scot L. Harris wrote:
How long had tripwire been running prior to this event? Prelink caused me a fit once on a new system I had setup. The next morning it looked like everything had been compromised.
Since September or so.
I believe you can use rpm to validate the files on your system. rpm is prelink aware. Check the verify option of rpm. If that shows things don't match up then you have a system that may have been compromised.
I'll take a look into that. What is 'prelink'?
Because it is reporting huge numbers of files on your system I am thinking this is due to prelinking. I suspect that all the files reported are executables and not text config file.
Most are executables, some libraries as well (in /usr/lib, openoffice, a bunch of others).
-- ------------------------------------------------------------------------------- "The two most common things in the | Bill Perkins universe are Hydrogen and Stupidity." | perk@xxxxxxx | programmer-at-large F. Zappa | ALL assembly languages done here. -------------------------------------------------------------------------------
