LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 11-14-2004, 10:09 AM
lord_zoo, Member (registered Sep 2003, Buenos Aires - Argentina, 30 posts)
Snort and rkhunter


Is there any possibility that Snort changes the grep, egrep and fgrep binaries?
Yesterday I installed Snort with the default conf and today, when I ran rkhunter, the three appeared as modified.
Those are the only binaries that appear to be modified.
On the other hand, the only suspicious thing in the logs is the automated SSH login attempts.
I will copy those files from another machine, but first I would like to hear your opinions.

Thanks.
 
#2, 11-16-2004, 12:15 AM
Capt_Caveman, Senior Member (registered Mar 2003, Fedora, 3,658 posts)
No. I actually just tested this to be sure (I was putting Snort on a test system). It shouldn't change the MD5sums on any of them. Did RKHunter tell you what failed (maybe something other than md5sum)? If you're using an rpm-based system, try using the following to verify package integrity:

rpm -V grep

If not, try comparing its md5sum to a known good version.
 
#3, 11-25-2004, 06:10 AM
lord_zoo, Member, Original Poster (registered Sep 2003, Buenos Aires - Argentina, 30 posts)
That's the error rkhunter displays:

/usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
/bin/egrep [ BAD ]

Maybe it's something silly, but I'm in doubt.

Thanks.
 
#4, 11-25-2004, 01:43 PM
Krugger, Member (registered Oct 2004, 229 posts)
Strange.

ldd /bin/egrep

Any weird stuff there?

You should see libc and ld-linux.
 
#5, 11-26-2004, 06:18 AM
lord_zoo, Member, Original Poster (registered Sep 2003, Buenos Aires - Argentina, 30 posts)
ldd /bin/egrep
libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x00acf000)
libc.so.6 => /lib/tls/libc.so.6 (0x00191000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x00178000)

That's what it displays. libc and ld-linux are there. I don't know if libpcre must be there, but I assume it must, since it is the Perl-compatible regex library.

I don't see anything strange. That's weird.
 
#6, 11-28-2004, 08:07 AM
unSpawn, Moderator (registered May 2001, 27,279 posts, 54 blog entries)
> when I ran rkhunter, the three appeared as modified.
> Those are the only binaries that appear to be modified.

Rkhunter ships with static md5sum lists and should not be used as the most important, or even the single, point of authority when it comes to verifying sums. Running a filesystem checker like Aide or Samhain is a better option. If you save their databases on read-only media, just after you have installed your OS, it's even better than verifying against your OS's package manager databases.

> On the other hand, the only suspicious thing in the logs is the automated SSH login attempts.

Good thing you verified your logs. It should be one of the first things on one's mind on a networked box.

> /usr/sbin/prelink: /bin/egrep: at least one of file's dependencies has changed since prelinking
> /bin/egrep [ BAD ]

It's in the Rkhunter FAQ under "Errors from external software": E1: run /etc/cron.daily/prelink.
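An added example, not code from the thread, from rkhunter or from the distribution: a prelink-aware version of the checks Capt_Caveman, Krugger and unSpawn describe. It assumes md5sum is installed, that prelink is used only when present, and that the known-good sum is supplied by the reader from the distribution's package metadata; the function names are my own.

```shell
#!/bin/sh
# Added example: verify a binary against a known-good MD5 in a prelink-aware
# way. prelink rewrites ELF files in place, so md5sum of a prelinked /bin/egrep
# never matches the vendor's sum; 'prelink -y FILE' writes the original
# (un-prelinked) bytes to stdout, which is what rpm -V compares against.

# MD5 of the file as it was before prelinking. Falls back to the raw file when
# prelink is not installed or the file is not a prelinked ELF binary.
unprelinked_md5() {
    f=$1
    if command -v prelink >/dev/null 2>&1 && prelink -y "$f" >/dev/null 2>&1; then
        prelink -y "$f" | md5sum | cut -d' ' -f1
    else
        md5sum "$f" | cut -d' ' -f1
    fi
}

# verify_binary FILE EXPECTED_MD5: returns 0 on a match, 1 on a mismatch,
# 2 when the file cannot be read. Prints an rkhunter-style verdict line.
verify_binary() {
    f=$1; expected=$2
    [ -r "$f" ] || { echo "$f: cannot read" >&2; return 2; }
    actual=$(unprelinked_md5 "$f")
    if [ "$actual" = "$expected" ]; then
        echo "$f [ OK ]"
        return 0
    fi
    echo "$f [ BAD ] expected $expected, got $actual"
    return 1
}

# odd_deps FILE: the ldd check Krugger suggested. Prints every shared library
# resolved outside the distribution's library directories (e.g. /usr/local/lib,
# where libpcre lived in the thread) or reported as "not found"; returns 1 if
# there were any. A library (re)installed after prelinking is exactly what
# prelink's "dependencies has changed" message refers to.
odd_deps() {
    ldd "$1" 2>/dev/null | awk '
        /=>/ && $3 !~ "^/(lib|lib64|usr/lib|usr/lib64)/" { print; bad = 1 }
        END { exit bad }'
}

# Usage: sh check.sh /bin/egrep <known-good-md5-from-package-metadata>
if [ $# -eq 2 ]; then
    verify_binary "$1" "$2"
    odd_deps "$1" || echo "$1: review the dependencies listed above"
fi
```

A listed dependency is a lead, not a verdict: compare it against the package that owns it (rpm -V, or the Aide/Samhain database) before deciding anything.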