LinuxQuestions.org
Old 07-26-2007, 02:26 AM   #1
txm123
LQ Newbie
 
Registered: Nov 2004
Posts: 28

Rep: Reputation: 15
/usr/bin ->all files changed


Hello,

I got 4 mails from logwatch a couple of minutes ago; they contain 4 pages of this

Received From: ns1->syscheck
Rule: 550 fired (level 7) -> "Integrity checksum changed."
Portion of the log(s):

Integrity checksum changed for: '/usr/bin/bmp2tiff'
Old md5sum was: '02ae38e1c90ac4cfea62616d11d33609'
New md5sum is : '6045b8cac3f2667fcc9e6f51594d5f6b'
Old sha1sum was: '07f8f7079305c2339578b101a57109df62fbc1d9'
New sha1sum is : '9194a43dfd2476e3fb8227052ca869598e9966fd'


I ran rkhunter & chkrootkit and nothing came up. I was wondering if there is a yum update cron somewhere that I don't know about, or am I hacked? The only services running on this server are sendmail, ssh, and rtorrent. 99.999% of the ports are blocked.
 
Old 07-26-2007, 04:33 AM   #2
ilikejam
Senior Member
 
Registered: Aug 2003
Location: Glasgow
Distribution: Fedora / Solaris
Posts: 3,109

Rep: Reputation: 96
Hi.

There is a yum service which runs yum on a daily basis. Try 'chkconfig --list | grep yum' to see if it's switched on (or even installed).

Dave
 
Old 07-26-2007, 04:34 AM   #3
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
If new software was (legitimately) installed, your RPM database should reflect this. In the example you cite, you could check the date the package was installed by

Code:
rpm -qi -f /usr/bin/bmp2tiff
If the install date is quite recent, then you need to check further to see if an automatic update happened. (I would think it would be logged somewhere.) If the install date is old, then it sounds like something fishy is going on.

You can also check file properties (date, md5, etc.) against the RPM database by

Code:
rpm --verify -f /usr/bin/bmp2tiff
Again, a match would simply mean you need to check further to make sure that a recent change was legitimate.
 
Old 07-26-2007, 07:35 AM   #4
txm123
LQ Newbie
 
Registered: Nov 2004
Posts: 28

Original Poster
Rep: Reputation: 15
chkconfig --list | grep yum shows
Code:
yum             0:off   1:off   2:off   3:on    4:off   5:off   6:off
I have no idea what this means.

Also, rpm -qi -f /usr/bin/bmp2tiff shows that these files were modified 15 days ago (the first day of the server).

rpm --verify -f /usr/bin/bmp2tiff

returns nothing

Last edited by txm123; 07-26-2007 at 08:32 AM.
 
Old 07-26-2007, 09:34 PM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
chkconfig shows the yum service is enabled on run level 3. (You can check which run level you are in by typing the runlevel command. The second field is your current run level.)

The data for the files you checked are consistent with the RPM database. (No output means everything matched.) My logic may have been wrong about the install date -- that might be the original install date and not when it was last updated.

See if you have a /var/log/yum.log file. If so, see if it shows this and other packages recently updated. If so, then I don't think you have anything to worry about.
 
Old 07-27-2007, 01:34 AM   #6
txm123
LQ Newbie
 
Registered: Nov 2004
Posts: 28

Original Poster
Rep: Reputation: 15
thanks for the help

/var/log/yum.log shows no updates for the past 15 days
 
Old 07-27-2007, 07:03 AM   #7
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by txm123
/var/log/yum.log shows no updates for the past 15 days
That doesn't sound good to me. Maybe I just told you the wrong place to look. Hopefully somebody with more experience will view this thread and shed some light on this.

It would be a good idea to post what distro you are using.
 
Old 07-27-2007, 07:25 AM   #8
txm123
LQ Newbie
 
Registered: Nov 2004
Posts: 28

Original Poster
Rep: Reputation: 15
blackhole54 thank you very much for your help

I'm using fedora core 5
 
Old 07-28-2007, 04:23 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,988
Blog Entries: 54

Rep: Reputation: 2743
Could it have been something like a prelinking run?
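A triage script for the checks blackhole54 and unSpawn describe (find the package owning each flagged file, compare the on-disk checksum with the one recorded in the RPM database, and test whether a prelink run explains the change, since prelink rewrites binaries and alters their md5/sha1 without any package update). This is an added example, not code from the thread; it assumes an RPM-based host with rpm, md5sum and optionally prelink, that the logwatch mail has been saved to a file, that yum logs to /var/log/yum.log and the prelink cron job to /var/log/prelink.log, and the sample alert text below is constructed.

```shell
#!/bin/sh
# Triage an OSSEC/syscheck "Integrity checksum changed" alert on an RPM host.

# Constructed sample alert in the format shown in the original post; the
# paths and hashes are illustrative, not taken from any real host.
SAMPLE_ALERT="Integrity checksum changed for: '/usr/bin/bmp2tiff'
Old md5sum was: '02ae38e1c90ac4cfea62616d11d33609'
New md5sum is : '6045b8cac3f2667fcc9e6f51594d5f6b'
Integrity checksum changed for: '/usr/bin/tiff2pdf'
Old md5sum was: '00000000000000000000000000000001'
New md5sum is : '00000000000000000000000000000002'"

# Print one flagged path per line, taken from each "changed for:" line.
extract_paths() {
    printf '%s\n' "$1" | sed -n "s/^Integrity checksum changed for: '\(.*\)'$/\1/p"
}

# Classify a changed file from three md5 values:
#   $1 md5 recorded in the RPM database (rpm -q --dump, 4th field)
#   $2 md5 of the file as it is on disk now
#   $3 md5 of the file with prelink's rewrite undone (prelink -y)
# Prints: unchanged | prelinked | MODIFIED
classify_change() {
    if [ "$1" = "$2" ]; then echo unchanged
    elif [ "$1" = "$3" ]; then echo prelinked
    else echo MODIFIED
    fi
}

# Look up and verify one file against the RPM database (needs rpm on the host).
check_file() {
    path=$1
    pkg=$(rpm -qf "$path" 2>/dev/null) || { echo "$path: not owned by any package"; return; }
    stored=$(rpm -q --dump "$pkg" | awk -v p="$path" '$1 == p { print $4 }')
    ondisk=$(md5sum "$path" | cut -d' ' -f1)
    if command -v prelink >/dev/null 2>&1; then
        undone=$(prelink -y "$path" 2>/dev/null | md5sum | cut -d' ' -f1)
    else
        undone=$ondisk   # no prelink installed: nothing to undo
    fi
    printf '%s (%s): %s\n' "$path" "$pkg" "$(classify_change "$stored" "$ondisk" "$undone")"
    # Recent yum or prelink activity for the package explains a legitimate change;
    # a MODIFIED verdict with no such log entry is the case that needs a closer look.
    # Log locations are an assumption for Fedora-era hosts.
    grep -h "${pkg%%-[0-9]*}" /var/log/yum.log /var/log/prelink.log 2>/dev/null | tail -n 2
}

# Usage: sh check_alert.sh /path/to/saved/logwatch-mail
if [ $# -gt 0 ]; then
    extract_paths "$(cat "$1")" | while read -r p; do check_file "$p"; done
fi
```

rpm --verify already undoes prelinking before comparing checksums, which is why it reports nothing while a plain md5 of the file differs from the value syscheck stored.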
 