LinuxQuestions.org

Linux - Security: strange tripwire entries (https://www.linuxquestions.org/questions/linux-security-4/strange-tripwire-entries-380543/)

schentor 11-06-2005 02:34 PM

strange tripwire entries
 
I'm maintaining a Fedora Core 3 system that runs tripwire nightly. The tripwire entry from this morning showed that a number of system binaries had been modified:

Code:

Modified:
"/usr/sbin"
"/usr/sbin/accept"
"/usr/sbin/acpid"
"/usr/sbin/alternatives"
"/usr/sbin/amrecover"
"/usr/sbin/amrestore"
"/usr/sbin/anacron"
"/usr/sbin/apmd"
"/usr/sbin/authconfig"
"/usr/sbin/avcstat"
"/usr/sbin/bonobo-activation-sysconf"
"/usr/sbin/build-locale-archive"
"/usr/sbin/callback"
"/usr/sbin/capinfos"
"/usr/sbin/chkfontpath"
"/usr/sbin/chpasswd"
"/usr/sbin/chroot"
"/usr/sbin/convertquota"
"/usr/sbin/cpuspeed"
"/usr/sbin/cupsaddsmb"
"/usr/sbin/dbconverter-2"
"/usr/sbin/dftest"
"/usr/sbin/diskdumpctl_proc"
"/usr/sbin/diskdumpfmt"
"/usr/sbin/dmidecode"
"/usr/sbin/dongle_attach"
"/usr/sbin/dovecot"
"/usr/sbin/dump-acct"
"/usr/sbin/dump-utmp"
"/usr/sbin/editcap"
"/usr/sbin/edquota"
"/usr/sbin/execcap"
"/usr/sbin/exportfs"
"/usr/sbin/ext2online"
"/usr/sbin/fbset"
"/usr/sbin/filefrag"
"/usr/sbin/findchip"
"/usr/sbin/fstab-sync"
"/usr/sbin/gdmsetup"
"/usr/sbin/getenforce"
"/usr/sbin/getpcaps"
"/usr/sbin/getsebool"
"/usr/sbin/glibc_post_upgrade.i686"
"/usr/sbin/gpm"
"/usr/sbin/groupadd"
"/usr/sbin/groupdel"
"/usr/sbin/groupmod"
"/usr/sbin/grpck"
"/usr/sbin/grpconv"
"/usr/sbin/grpunconv"
"/usr/sbin/hal_lpadmin"
"/usr/sbin/hald"
"/usr/sbin/hardlink"
"/usr/sbin/hcidump"
"/usr/sbin/i2cdetect"
"/usr/sbin/i2cdump"
"/usr/sbin/i2cset"
"/usr/sbin/iconvconfig"
"/usr/sbin/iconvconfig.i686"
"/usr/sbin/imon"
"/usr/sbin/imontty"
"/usr/sbin/inputattach"
"/usr/sbin/iptstate"
"/usr/sbin/irattach"
"/usr/sbin/irdaping"
"/usr/sbin/isadump"
"/usr/sbin/isaset"
"/usr/sbin/kbdrate"
"/usr/sbin/kppp"
"/usr/sbin/kudzu"
"/usr/sbin/kuser"
"/usr/sbin/lchage"
"/usr/sbin/lgroupadd"
"/usr/sbin/lgroupdel"
"/usr/sbin/lgroupmod"
"/usr/sbin/lid"
"/usr/sbin/lircd"
"/usr/sbin/lircmd"
"/usr/sbin/lnewusers"
"/usr/sbin/load_policy"
"/usr/sbin/lockdev"
"/usr/sbin/logrotate"
"/usr/sbin/lokkit"
"/usr/sbin/longrun"
"/usr/sbin/lpadmin"
"/usr/sbin/lpasswd"
"/usr/sbin/lpc.cups"
"/usr/sbin/lpinfo"
"/usr/sbin/lpmove"
"/usr/sbin/lsof"
"/usr/sbin/luseradd"
"/usr/sbin/luserdel"
"/usr/sbin/lusermod"
"/usr/sbin/lvm"
"/usr/sbin/mergecap"
"/usr/sbin/mklost+found"
"/usr/sbin/mksock"
"/usr/sbin/mlock"
"/usr/sbin/module_upgrade"
"/usr/sbin/mtr"
"/usr/sbin/netconfig"
"/usr/sbin/newusers"
"/usr/sbin/nfsstat"
"/usr/sbin/nhfsstone"
"/usr/sbin/nscd"
"/usr/sbin/nstat"
"/usr/sbin/ntsysv"
"/usr/sbin/packer"
"/usr/sbin/plainrsa-gen"
"/usr/sbin/pmap_dump"
"/usr/sbin/pmap_set"
"/usr/sbin/postalias"
"/usr/sbin/postcat"
"/usr/sbin/postconf"
"/usr/sbin/postdrop"
"/usr/sbin/postkick"
"/usr/sbin/postlock"
"/usr/sbin/postlog"
"/usr/sbin/postmap"
"/usr/sbin/postqueue"
"/usr/sbin/postsuper"
"/usr/sbin/pppdump"
"/usr/sbin/pppstats"
"/usr/sbin/pwck"
"/usr/sbin/pwconv"
"/usr/sbin/pwunconv"
"/usr/sbin/quotastats"
"/usr/sbin/racoon"
"/usr/sbin/racoonctl"
"/usr/sbin/randpkt"
"/usr/sbin/rcapid"
"/usr/sbin/rdev"
"/usr/sbin/rdistd"
"/usr/sbin/readahead"
"/usr/sbin/readprofile"
"/usr/sbin/repquota"
"/usr/sbin/rpc.gssd"
"/usr/sbin/rpc.idmapd"
"/usr/sbin/rpc.svcgssd"
"/usr/sbin/rpcinfo"
"/usr/sbin/rtacct"
"/usr/sbin/rtstat"
"/usr/sbin/run_init"
"/usr/sbin/sa"
"/usr/sbin/saned"
"/usr/sbin/sasl2-shared-mechlist"
"/usr/sbin/sasl2-static-mechlist"
"/usr/sbin/saslauthd"
"/usr/sbin/saslauthd1-checkpass"
"/usr/sbin/sasldblistusers"
"/usr/sbin/sasldblistusers2"
"/usr/sbin/saslpasswd"
"/usr/sbin/saslpasswd2"
"/usr/sbin/savecore"
"/usr/sbin/security"
"/usr/sbin/selinuxenabled"
"/usr/sbin/sendmail.postfix"
"/usr/sbin/sestatus"
"/usr/sbin/setenforce"
"/usr/sbin/setfiles"
"/usr/sbin/setpcaps"
"/usr/sbin/setquota"
"/usr/sbin/setsebool"
"/usr/sbin/setup"
"/usr/sbin/showmount"
"/usr/sbin/smtp-sink"
"/usr/sbin/smtp-source"
"/usr/sbin/ss"
"/usr/sbin/sshd"
"/usr/sbin/stunnel"
"/usr/sbin/sucap"
"/usr/sbin/tcpdump"
"/usr/sbin/tcpslice"
"/usr/sbin/testsaslauthd"
"/usr/sbin/text2pcap"
"/usr/sbin/tmpwatch"
"/usr/sbin/togglesebool"
"/usr/sbin/tunelp"
"/usr/sbin/tux"
"/usr/sbin/tux2w3c"
"/usr/sbin/tuxstat"
"/usr/sbin/useradd"
"/usr/sbin/userdel"
"/usr/sbin/userhelper"
"/usr/sbin/usermod"
"/usr/sbin/utempter"
"/usr/sbin/vipw"
"/usr/sbin/warnquota"
"/usr/sbin/x86info"
"/usr/sbin/xfce4-kiosk-query"
"/usr/sbin/yppoll"
"/usr/sbin/ypset"
"/usr/sbin/yptest"
"/usr/sbin/zdump"
"/usr/sbin/zic"

I ran ls -l on some of them, and their modification dates are from months ago or last year. I also checked the RPMs that some of these binaries were originally from (rpm -qf and rpm -qi), and they were also installed months ago or last year. rpm -V doesn't give any results for the most part. This computer runs yum update nightly, but /var/log/yum.log doesn't show these binaries or their RPMs being updated. SSH logs haven't shown any funny logins. Only IP addresses belonging to the college where I work can log in via ssh, and ftp and telnet are not running. Any ideas on what could be causing tripwire to report changes in these binaries?

Thanks!
S. Chen

Capt_Caveman 11-06-2005 06:54 PM

What part of the tripwire check is failing, MD5sum, timestamps? Do the modification times on those binaries appear to approximately correspond with any of the yum updates?

schentor 11-06-2005 08:53 PM

The tripwire check is failing on the MD5 sums. The observed MD5 sum differs from the expected, and the observed number of blocks for these binaries is also less than expected. The expected and observed modification timestamps and file sizes match. Most of the timestamps are from 2004. The log for the recent yum updates doesn't show anything about the RPMs for the binaries in question. A few days ago a new kernel was installed, but tripwire only started showing these changes in last night's/this morning's run.

schentor 11-07-2005 12:53 PM

I just looked through the logs and installed chkrootkit... haven't come up with anything. Netstat doesn't show anything suspicious, and nmap from another machine didn't come up with any unusual ports open.

TruckStuff 11-07-2005 01:07 PM

Did /etc/prelink.cache change by chance too? If so, this is probably a bunch of new binaries that got prelinked.

Capt_Caveman 11-07-2005 01:51 PM

Exactly what I was thinking...might also want to try to undo prelinking on a few of the binaries with "prelink -au" and see if they come back clean.

schentor 11-16-2005 01:37 PM

Yes, the tripwire reports were due to prelinking. prelink.cache was being updated. After I changed /etc/sysconfig/prelink to set PRELINKING=no, the reports came back clean.
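The pattern in this thread (MD5 changed, mtime and size unchanged, rpm -V clean, dozens of ELF binaries at once) is the signature of the prelink cron job rewriting binaries in place. rpm -V stays clean because on Fedora the prelink package installs an rpm macro that reverses prelinking before rpm compares digests, so it is still a trustworthy second opinion. The script below is an added example, not code from this thread: it takes a Tripwire report, pulls the paths under "Modified:", and for each file compares three MD5s: the file on disk, the file with prelinking reversed (`prelink -y PATH`, which writes the un-prelinked image to stdout), and the digest RPM recorded at install time (`rpm -q --dump -f PATH`). A file whose un-prelinked image matches RPM's digest was only prelinked; a file that matches neither is the one to look at. The lookups are parameters so the logic runs without prelink or rpm present; the report text in the test is constructed, not taken from the poster's system.

```python
"""Triage a Tripwire report whose "Modified:" entries fail only on MD5.

Added example; not code from the LinuxQuestions thread. Assumes Fedora's
prelink(8) and rpm(8) are on PATH when run for real:
  prelink -y PATH           -> un-prelinked image of PATH on stdout
  rpm -q --dump -f PATH     -> "path size mtime digest mode owner group ..."
"""
import hashlib
import os
import re
import subprocess
import sys
from typing import Callable, Dict, List, Optional

QUOTED_PATH = re.compile(r'^"(/[^"]*)"$')


def parse_modified(report: str) -> List[str]:
    """Paths listed under the report's 'Modified:' heading, in order."""
    paths: List[str] = []
    in_modified = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.endswith(":"):                 # Added:, Removed:, Modified: ...
            in_modified = (line == "Modified:")
            continue
        m = QUOTED_PATH.match(line)
        if in_modified and m:
            paths.append(m.group(1))
    return paths


def file_md5(path: str) -> str:
    """MD5 of the file as it sits on disk (what Tripwire hashed)."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()


def prelink_undone_md5(path: str) -> Optional[str]:
    """MD5 of the file with prelink's relocations reversed (`prelink -y`)."""
    proc = subprocess.run(["prelink", "-y", path], capture_output=True)
    return hashlib.md5(proc.stdout).hexdigest() if proc.returncode == 0 else None


def rpm_recorded_md5(path: str) -> Optional[str]:
    """Digest RPM stored at install time; None when no package owns the file."""
    proc = subprocess.run(["rpm", "-q", "--dump", "-f", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    for line in proc.stdout.splitlines():
        fields = line.split()             # path size mtime digest mode ...
        if len(fields) >= 4 and fields[0] == path:
            return fields[3]
    return None


def classify(path: str,
             on_disk: Callable[[str], str] = file_md5,
             undone: Callable[[str], Optional[str]] = prelink_undone_md5,
             recorded: Callable[[str], Optional[str]] = rpm_recorded_md5) -> str:
    """One verdict per file; lookups are injectable so this runs without rpm/prelink."""
    expected = recorded(path)
    if expected is None:
        return "unpackaged"      # no RPM baseline: compare against a known-good copy by hand
    if on_disk(path) == expected:
        return "matches-rpm"     # bytes are exactly what RPM installed
    if undone(path) == expected:
        return "prelinked"       # only prelink's relocations differ: benign
    return "MISMATCH"            # neither raw nor un-prelinked matches RPM: investigate


def triage(report: str, **lookups: Callable) -> Dict[str, str]:
    """Verdict for every regular file under 'Modified:' (directories are skipped)."""
    return {p: classify(p, **lookups)
            for p in parse_modified(report) if not os.path.isdir(p)}


if __name__ == "__main__":
    # Usage: python3 triage.py /var/lib/tripwire/report/host-DATE.txt  (or via stdin)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for path, verdict in triage(text).items():
        print(f"{verdict:12} {path}")
```

Every file that comes back "prelinked" is explained by the cron job; a "MISMATCH" on a binary like sshd or useradd is what chkrootkit and netstat cannot rule out and deserves a copy off the box and a comparison against the package on a clean host. Disabling prelinking, as the poster did, trades the prelink speedup for a stable baseline; the alternative is to keep prelink and accept the report into the Tripwire database (`tripwire --update -r REPORT`) only after a pass like this shows nothing but "prelinked" and "matches-rpm".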


All times are GMT -5.