strange tripwire entries
I'm maintaining a Fedora Core 3 system that runs tripwire nightly. The tripwire entry from this morning showed that a number of system binaries had been modified:
Code:
Modified:

Thanks!
S. Chen
|
What part of the tripwire check is failing, MD5sum, timestamps? Do the modification times on those binaries appear to approximately correspond with any of the yum updates?
|
The tripwire check is failing on the MD5 sums. The observed MD5 sum differs from the expected, and the observed number of blocks for these binaries is also less than expected. The expected and observed modification timestamps and file sizes match. Most of the timestamps are from 2004. The log for the recent yum updates doesn't show anything about the RPMs for the binaries in question. A few days ago a new kernel was installed, but tripwire only started showing these changes in last night's/this morning's run.
|
I just looked through the logs and installed chkrootkit... haven't come up with anything. Netstat doesn't show anything suspicious, and nmap from another machine didn't come up with any unusual ports open.
|
Did /etc/prelink.cache change by chance too? If so, this is probably a bunch of new binaries that got prelinked.
|
Exactly what I was thinking... might also want to try to undo prelinking on a few of the binaries with "prelink -au" and see if they come back clean.
|
Yes, the tripwire reports were due to prelinking. prelink.cache was being updated. After I changed /etc/sysconfig/prelink to set PRELINKING=no, the reports came back clean.
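One way to confirm that a Tripwire MD5 mismatch is explained by prelink rather than by tampering, as an added example that is not part of this thread: `prelink -y FILE` (verify mode) writes the original, un-prelinked file to stdout, so hashing that output should reproduce the MD5 Tripwire expected. It assumes GNU coreutils `md5sum` and the `prelink` tool from Fedora's prelink package; the "EXPECTED_MD5 PATH" list format it reads is a constructed one, not Tripwire's own report format.

```shell
#!/bin/sh
# Added example: classify each Tripwire-reported binary as unchanged,
# changed-by-prelink, or unexplained. Assumes md5sum (coreutils) and
# prelink (Fedora's prelink package); without prelink every hash
# mismatch is reported as unexplained.

# MD5 of a file's current on-disk contents
md5_of_file() {
    md5sum "$1" | cut -d' ' -f1
}

# MD5 of the un-prelinked contents that `prelink -y` reconstructs.
# Fails (returns 1) when prelink is not installed; prints the hash of
# empty input when prelink refuses the file, which never matches.
md5_unprelinked() {
    command -v prelink >/dev/null 2>&1 || return 1
    prelink -y "$1" 2>/dev/null | md5sum | cut -d' ' -f1
}

# check_file EXPECTED_MD5 PATH
# returns 0: on-disk hash matches the expected one (unchanged)
#         1: hash differs but the un-prelinked contents match (prelink)
#         2: hash differs and prelink does not explain it (investigate)
check_file() {
    expected=$1; path=$2
    [ -f "$path" ] || return 2
    [ "$(md5_of_file "$path")" = "$expected" ] && return 0
    unpre=$(md5_unprelinked "$path") || return 2
    [ "$unpre" = "$expected" ] && return 1
    return 2
}

# check_report LISTFILE: one "EXPECTED_MD5 PATH" per line (constructed
# format; convert the Tripwire report to it first). Exit status is the
# number of unexplained files, so a clean run exits 0.
check_report() {
    unexplained=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        check_file "$expected" "$path"
        case $? in
            0) echo "unchanged   $path" ;;
            1) echo "prelinked   $path" ;;
            *) echo "UNEXPLAINED $path"; unexplained=$((unexplained + 1)) ;;
        esac
    done < "$1"
    return "$unexplained"
}
```

Only "UNEXPLAINED" entries need the chkrootkit/netstat-style follow-up described earlier in the thread; "prelinked" entries are candidates for `prelink -au` or for setting PRELINKING=no and re-running Tripwire.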
|