Old 04-24-2005, 03:06 PM   #1
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 455

Rep: Reputation: 30
cracked or not cracked (tripwire & chrootkit)

I ran tripwire --init after I installed my FC3. After that I made a lot of updates with synaptic, yup. Now I checked my system with tripwire --check. I am concerned about the output. Very sensitive files have been changed. I don't know if they were replaced by yum or synaptic. I've just updated/removed/added daemons like httpd, named, etc., and not /sbin/adduser etc.
I don't know if I can trust this host again.

Here is some output from tripwire:

Modified object name: /usr/sbin/groupmod

Property: Expected Observed
------------- ----------- -----------
* Inode Number 672362 436533
* Size 25884 26000
* Modify Time Thu 21 Oct 2004 08:35:13 PM CEST   Sat 04 Dec 2004 02:59:45 AM CET
* Blocks 64 56
* CRC32 AnpqbV D8Vfdt
* MD5 AYpl9SQwEMxp+Vmd43r9LJ BQTDdEraBtrFNFP689S3Bc

Modified object name: /usr/sbin/lsof

Property: Expected Observed
------------- ----------- -----------
* Inode Number 435720 428789
* Size 107352 107320
* Modify Time Fri 30 Jul 2004 06:52:50 PM CEST   Wed 23 Mar 2005 01:19:25 PM CET
* Blocks 232 224
* CRC32 CVgyaD DQ739X
* MD5 D2v5xSbiRKN0a4J2JQDI0b DN/RjvvSHOBA1zs2JgC11n

There are a lot of such modifications.

I am also concerned about ttys.

Tripwire says:
Rule Name: System boot changes (/dev/tty5)
Severity Level: 100
Modified Objects: 1

Modified object name: /dev/tty5

Property: Expected Observed

(all the ttys from 1 to 5 were modified).

The tty of the following user process(es) were not found
in /var/run/utmp !
! root 2791 tty1 /sbin/mingetty tty1
! root 2804 tty2 /sbin/mingetty tty2
! root 2806 tty3 /sbin/mingetty tty3
! root 2820 tty4 /sbin/mingetty tty4
! root 2833 tty5 /sbin/mingetty tty5

How are these ttys modified?

There is no suspect activity, unknown service or open ports etc.

What do you think? How can I check further for a compromise?
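The question in post #1 is whether the changed binaries came from package updates or from something else. As an added example (not from the thread, tripwire or chkrootkit), the POSIX sh script below takes the flagged paths out of a tripwire report and checks each one against the RPM database; the report excerpt is constructed from the thread's output, and rpm -qf / rpm -V are assumed to be available, as on the poster's FC3.

```shell
#!/bin/sh
# Added example (not from the thread): pull every "Modified object name:" path
# out of a tripwire --check report and ask the RPM database whether the file
# still matches what its owning package installed. A path that verifies was
# replaced by a package update; one that fails, or that no package owns, needs
# a closer look. Assumes an RPM-based host like the poster's FC3 (rpm -qf/-V).
# Caveat: rpm -V trusts the local RPM database, which root-level tampering could
# also have altered; for a final answer use rpm -Vp against a freshly downloaded
# copy of the package.

# Constructed excerpt in tripwire's report format; groupmod appears twice to
# show de-duplication (several rules can cover the same file).
SAMPLE_REPORT='Modified object name: /usr/sbin/groupmod
* Size 25884 26000
Modified object name: /usr/sbin/lsof
* Size 107352 107320
Modified object name: /usr/sbin/groupmod
'

# Read a report on stdin; print each flagged path once, in report order.
tw_modified_paths() {
    awk '/^Modified object name: / { sub(/^Modified object name: /, ""); if (!seen[$0]++) print }'
}

# Read paths on stdin; print "<path> <verdict> <package> [rpm -V flags]".
classify_with_rpm() {
    while IFS= read -r path; do
        if ! pkg=$(rpm -qf "$path" 2>/dev/null); then
            printf '%s\tUNOWNED\t-\n' "$path"
            continue
        fi
        # rpm -V prints one line per failing file; keep only ours (path is the last field)
        fail=$(rpm -V "$pkg" 2>/dev/null | awk -v p="$path" '$NF == p')
        if [ -z "$fail" ]; then
            printf '%s\tOK\t%s\n' "$path" "$pkg"
        else
            printf '%s\tFAILS\t%s\t%s\n' "$path" "$pkg" "$fail"
        fi
    done
}

# Run on the constructed sample when rpm is present; on a real host feed the
# saved report instead: tw_modified_paths < report.txt | classify_with_rpm
if command -v rpm >/dev/null 2>&1; then
    printf '%s' "$SAMPLE_REPORT" | tw_modified_paths | classify_with_rpm
fi
```

A file reported OK here only tells you it matches the RPM database on the same host; an "S.5....T." style line shows size, digest and mtime differ from what the package recorded.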
Old 04-27-2005, 08:29 AM   #2
Registered: Jan 2005
Location: Sofia, Bulgaria
Distribution: Fedora Core 4 Rawhide
Posts: 431

Rep: Reputation: 30
Maybe check with chkrootkit. I don't know, I also have tripwire but I guess I never checked with it, but anti-rootkit is good for a cron job.

