cracked or not cracked (tripwire & chkrootkit)
I ran tripwire --init after I installed my FC3. After that I've made a lot of updates with synaptic, yum. Now I checked my system with tripwire --check. I am concerned about the output. Very sensitive files have been changed. I don't know if they were replaced by yum or synaptic. I've just updated/removed/added daemons like httpd, named etc. and not /sbin/adduser etc.
I don't know if I can trust this host again.
Here are some output from tripwire:
Modified object name: /usr/sbin/groupmod
Property:       Expected                  Observed
-------------   -----------               -----------
* Inode Number  672362                    436533
* Size          25884                     26000
* Modify Time   Thu 21 Oct 2004 08:35:13 PM CEST
                Sat 04 Dec 2004 02:59:45 AM CET
* Blocks        64                        56
* CRC32         AnpqbV                    D8Vfdt
* MD5           AYpl9SQwEMxp+Vmd43r9LJ    BQTDdEraBtrFNFP689S3Bc
Modified object name: /usr/sbin/lsof
Property:       Expected                  Observed
-------------   -----------               -----------
* Inode Number  435720                    428789
* Size          107352                    107320
* Modify Time   Fri 30 Jul 2004 06:52:50 PM CEST
                Wed 23 Mar 2005 01:19:25 PM CET
* Blocks        232                       224
* CRC32         CVgyaD                    DQ739X
* MD5           D2v5xSbiRKN0a4J2JQDI0b    DN/RjvvSHOBA1zs2JgC11n
There are a lot of such modifications.
I am also concerned about ttys.
Tripwire says:
Rule Name: System boot changes (/dev/tty5)
Severity Level: 100
-------------------------------------------------------------------------------
----------------------------------------
Modified Objects: 1
----------------------------------------
Modified object name: /dev/tty5
Property: Expected Observed
(all the tty from 1 to 5 were modified).
chkrootkit:
The tty of the following user process(es) were not found
in /var/run/utmp !
! RUID PID  TTY  CMD
! root 2791 tty1 /sbin/mingetty tty1
! root 2804 tty2 /sbin/mingetty tty2
! root 2806 tty3 /sbin/mingetty tty3
! root 2820 tty4 /sbin/mingetty tty4
! root 2833 tty5 /sbin/mingetty tty5
How are these ttys modified?
There is no suspect activity, unknown service or open ports etc.
What do you think? How can I check further for a compromise?
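The practical next step for a report like this is to ask, for every object Tripwire flagged, whether the package manager can account for the change: `rpm -qf` tells you which package owns the file and `rpm -Vf` compares the file on disk against what the installed package recorded (size, MD5, mtime and so on). The script below is an added example, not code from the post or from Tripwire; it parses report fragments in the layout quoted above and classifies each object from `rpm -V` output. The report text, the package owners and the `rpm -V` line are constructed sample data that mirror the post, not output from the poster's machine.

```python
"""Correlate Tripwire 'Modified object' entries with rpm -V results.

Added example (not from the original post). Assumes the Tripwire report
uses the layout quoted in the post and that rpm -V prints the usual
SM5DLUGT flag column; all sample data below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the Tripwire report quoted in the post.
TRIPWIRE_REPORT = """\
Modified object name: /usr/sbin/groupmod
Property: Expected Observed
------------- ----------- -----------
* Inode Number 672362 436533
* Size 25884 26000
* Modify Time Thu 21 Oct 2004 08:35:13 PM CEST
Sat 04 Dec 2004 02:59:45 AM CET
* Blocks 64 56
* CRC32 AnpqbV D8Vfdt
* MD5 AYpl9SQwEMxp+Vmd43r9LJ BQTDdEraBtrFNFP689S3Bc
Modified object name: /usr/sbin/lsof
Property: Expected Observed
------------- ----------- -----------
* Size 107352 107320
* MD5 D2v5xSbiRKN0a4J2JQDI0b DN/RjvvSHOBA1zs2JgC11n
Modified object name: /dev/tty5
Property: Expected Observed
"""

# Constructed: what `rpm -qf <path>` would report as the owning package
# (None = no package claims the file, e.g. a device node or a hand-installed binary).
OWNERS: Dict[str, Optional[str]] = {
    "/usr/sbin/groupmod": "shadow-utils",
    "/usr/sbin/lsof": "lsof",
    "/dev/tty5": None,
}

# Constructed: combined stdout of `rpm -Vf <path>` for the files above.
# rpm -V prints nothing for files that match the rpm database, so only lsof appears.
RPM_VERIFY_OUTPUT = "S.5....T  /usr/sbin/lsof\n"


@dataclass
class ModifiedObject:
    path: str
    # property name -> (expected, observed)
    props: Dict[str, Tuple[str, str]] = field(default_factory=dict)


OBJ_RE = re.compile(r"^Modified object name:\s+(\S+)$")
PROP_RE = re.compile(r"^\* (?P<name>Inode Number|Size|Blocks|CRC32|MD5) (?P<exp>\S+) (?P<obs>\S+)$")
# Modify Time values contain spaces; Tripwire puts the observed value on the next line.
MTIME_RE = re.compile(r"^\* Modify Time (?P<exp>.+)$")


def parse_tripwire(report: str) -> List[ModifiedObject]:
    """Extract every 'Modified object' block and its single-line properties."""
    objects: List[ModifiedObject] = []
    pending_mtime: Optional[str] = None
    for raw in report.splitlines():
        line = raw.strip()
        m = OBJ_RE.match(line)
        if m:
            objects.append(ModifiedObject(m.group(1)))
            pending_mtime = None
            continue
        if not objects:
            continue  # header text before the first object
        cur = objects[-1]
        if pending_mtime is not None:  # this line is the observed mtime
            cur.props["Modify Time"] = (pending_mtime, line)
            pending_mtime = None
            continue
        m = MTIME_RE.match(line)
        if m:
            pending_mtime = m.group("exp")
            continue
        m = PROP_RE.match(line)
        if m:
            cur.props[m.group("name")] = (m.group("exp"), m.group("obs"))
    return objects


# rpm -V flag column: S size, M mode, 5 MD5, D device, L link, U user, G group, T mtime.
RPMV_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")
MISSING_RE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")


def parse_rpm_verify(output: str) -> Dict[str, str]:
    """Map path -> rpm -V flag string ('missing' for files rpm could not find)."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        m = RPMV_RE.match(line)
        if m:
            result[m.group("path")] = m.group("flags")
            continue
        m = MISSING_RE.match(line)
        if m:
            result[m.group("path")] = "missing"
    return result


def classify(obj: ModifiedObject, owner: Optional[str], rpm_flags: Dict[str, str]) -> str:
    """Decide whether the installed package accounts for the change Tripwire saw."""
    if owner is None:
        return "unowned"              # compare against a known-good copy by hand
    flags = rpm_flags.get(obj.path)
    if flags is None:
        return "package-consistent"   # rpm -V silent: file matches the rpm db manifest
    if flags == "missing":
        return "missing"
    if "5" in flags:
        return "checksum-mismatch"    # contents differ from what the package shipped
    return "metadata-only"            # mode/owner/mtime drift, contents intact


def triage(objects: List[ModifiedObject], owners: Dict[str, Optional[str]], rpm_output: str) -> Dict[str, str]:
    flags = parse_rpm_verify(rpm_output)
    return {o.path: classify(o, owners.get(o.path), flags) for o in objects}


def verify_commands(objects: List[ModifiedObject]) -> List[str]:
    """Shell commands that gather the inputs triage() needs, one pair per object."""
    cmds: List[str] = []
    for o in objects:
        cmds.append(f"rpm -qf {o.path}")
        cmds.append(f"rpm -Vf {o.path}")
    return cmds


if __name__ == "__main__":
    objs = parse_tripwire(TRIPWIRE_REPORT)
    for path, verdict in triage(objs, OWNERS, RPM_VERIFY_OUTPUT).items():
        print(f"{verdict:20} {path}")
```

Two caveats on reading the verdicts. `rpm -V` compares against the rpm database on the same host, so "package-consistent" only means "matches what the database says was installed"; on a host you already distrust, download the package from a trusted mirror and verify against it instead (`rpm -K` on the package, then `rpm -Vp package.rpm`), which sidesteps a database that a root-level intruder could have edited. And `/dev/tty1` to `/dev/tty5` are not package files at all: `mingetty` and `login` change the owner, mode and mtime of a console device every time someone logs in on it, so Tripwire reporting them as modified is expected on any machine that has been used at the console since `tripwire --init`.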