Smart People,

I'm still cutting my teeth on LInux and could use some help. I have Tripwire running on my Fedora box and I noticed some strange modifications after a recent integrity check. The files below had modifications to the inode number and write time, all between between 4am-5am this morning.

/usr/bin/newgrp
/usr/bin/newrole
/usr/bin/passwd
/usr/bin/screen
/usr/bin/xterm

Any idea where & how to start my investigation?

Thanks for any assistance you can provide!

- You can use rkhunter (http://freshmeat.net/projects/rkhunter/) and chkrootkit (http://www.chkrootkit.org/) to scan your machine against root-kits.
- You can check for any `new' and interesting ports that are listening.
- You can check for any `new' and interesting programs that are running.
- You can search for any strange commands in your shell history (if not deleted).
- You can look at the login logs or syslog messages.
- You can look at the /etc/passwd and /etc/group files for any newly created user accounts.
- You can try to reinstall these tools,.. and so on.

PS: Hackers don't attack you, crackers do. Please use the correct terms (RFC 1392)

Are you sure you haven't got an auto-update running eg yum, apt ?

I think you are right about the auto update. The day before I noticed the strange 4am changes, I did some updates with yum & synaptic. I noticed this morning (again between 4am-5am) that there were yet more changes flagged by Tripwire. Now I need to figure out how to disbale the auto update.

Thanks again, barisdemiray & chrism01!

You're probably better off leaving auto-update on and just making a note as to when it's supposed to be run. You can normally just check the logs for YUM to see if the flagged package was indeed updated. By turning off auto-update you're much more likely to forget to install a critical security patch and leave yourself vulnerable.