LinuxQuestions.org

ddaas 04-24-2005 03:06 PM

cracked or not cracked (tripwire & chrootkit)
 
I ran tripwire --init after I installed my FC3. After that I've made a lot of updates with synaptic, yup. Now I checked my system with tripwire --check. I am concerned about the output. Very sensitive files have been changed. I don't know if they were replaced by yum or synaptic. I've just updated/removed/added daemons like httpd, named etc. and not /sbin/adduser etc.
I don't know if I can trust this host again.

Here is some output from tripwire:

Modified object name: /usr/sbin/groupmod

Property: Expected Observed
------------- ----------- -----------
* Inode Number 672362 436533
* Size 25884 26000
* Modify Time Thu 21 Oct 2004 08:35:13 PM CEST
Sat 04 Dec 2004 02:59:45 AM CET
* Blocks 64 56
* CRC32 AnpqbV D8Vfdt
* MD5 AYpl9SQwEMxp+Vmd43r9LJ BQTDdEraBtrFNFP689S3Bc


Modified object name: /usr/sbin/lsof

Property: Expected Observed
------------- ----------- -----------
* Inode Number 435720 428789
* Size 107352 107320
* Modify Time Fri 30 Jul 2004 06:52:50 PM CEST
Wed 23 Mar 2005 01:19:25 PM CET
* Blocks 232 224
* CRC32 CVgyaD DQ739X
* MD5 D2v5xSbiRKN0a4J2JQDI0b DN/RjvvSHOBA1zs2JgC11n


There are a lot of such modifications.


I am also concerned about ttys.

Tripwire says:
Rule Name: System boot changes (/dev/tty5)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------

Modified object name: /dev/tty5

Property: Expected Observed


(all the tty from 1 to 5 were modified).

chkrootkit:
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID TTY CMD
! root 2791 tty1 /sbin/mingetty tty1
! root 2804 tty2 /sbin/mingetty tty2
! root 2806 tty3 /sbin/mingetty tty3
! root 2820 tty4 /sbin/mingetty tty4
! root 2833 tty5 /sbin/mingetty tty5


How are these ttys modified?

There is no suspicious activity, unknown service, open ports etc.

What do you think? How can I check further for a compromise?

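Added example (not from the thread or from the tripwire project): a small Python triage helper for report output in the layout shown above. It parses each "Modified object name" block, including the Modify Time row that tripwire wraps onto two lines, separates objects whose content properties (Size, CRC32, MD5) changed from those with metadata-only changes such as the /dev/tty entries, and emits an `rpm -Vf` command per content-changed path so the on-disk file can be re-checked against the installed package's manifest. SAMPLE_REPORT is constructed from values in the post.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the layout of the post's tripwire --check output (values from the post).
SAMPLE_REPORT = """\
Modified object name: /usr/sbin/groupmod
Property: Expected Observed
------------- ----------- -----------
* Inode Number 672362 436533
* Size 25884 26000
* Modify Time Thu 21 Oct 2004 08:35:13 PM CEST
Sat 04 Dec 2004 02:59:45 AM CET
* Blocks 64 56
* CRC32 AnpqbV D8Vfdt
* MD5 AYpl9SQwEMxp+Vmd43r9LJ BQTDdEraBtrFNFP689S3Bc
Modified object name: /dev/tty5
Property: Expected Observed
"""

OBJ_RE = re.compile(r"^Modified object name:\s+(\S+)")
PROP_RE = re.compile(r"^\*\s+(Inode Number|Modify Time|Size|Blocks|CRC32|MD5|Mode|Uid|Gid)\s+(.*)$")
CONTENT_PROPS = {"Size", "CRC32", "MD5"}  # a change here means the bytes differ, not just metadata

@dataclass
class ModifiedObject:
    path: str
    props: dict = field(default_factory=dict)  # property name -> (expected, observed)
    def content_changed(self):
        return any(p in self.props for p in CONTENT_PROPS)

def parse_report(text):
    """Collect each 'Modified object name' block and its '*' property rows."""
    objs, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        if m := OBJ_RE.match(lines[i]):
            objs.append(ModifiedObject(m.group(1)))
        elif objs and (pm := PROP_RE.match(lines[i])):
            name, rest = pm.groups()
            if name == "Modify Time":  # tripwire wraps this row: observed value is on the next line
                i += 1
                objs[-1].props[name] = (rest.strip(), lines[i].strip())
            else:
                objs[-1].props[name] = tuple(rest.split())
        i += 1
    return objs

def verify_commands(objs):
    """One rpm -Vf per content-changed path: re-checks the owning package's manifest against disk."""
    return [f"rpm -Vf {o.path}" for o in objs if o.content_changed()]
```

Because the RPM database lives on the same possibly compromised host, a clean `rpm -V` result is supporting evidence only; comparing the files against a freshly downloaded copy of the package from a trusted mirror is the stronger check.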
johnnydangerous 04-27-2005 08:29 AM

Maybe check with chkrootkit... I don't know, I also have tripwire but I guess I've never checked with it, but an anti-rootkit is good for a cron job.
