LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-06-2005, 03:34 PM   #1
schentor
Member
 
Registered: Jul 2005
Distribution: RHEL, Mint, Ubuntu
Posts: 32

Rep: Reputation: 15
strange tripwire entries


I'm maintaining a Fedora Core 3 system that runs tripwire nightly. The tripwire entry from this morning showed that a number of system binaries had been modified:

Code:
Modified:
"/usr/sbin"
"/usr/sbin/accept"
"/usr/sbin/acpid"
"/usr/sbin/alternatives"
"/usr/sbin/amrecover"
"/usr/sbin/amrestore"
"/usr/sbin/anacron"
"/usr/sbin/apmd"
"/usr/sbin/authconfig"
"/usr/sbin/avcstat"
"/usr/sbin/bonobo-activation-sysconf"
"/usr/sbin/build-locale-archive"
"/usr/sbin/callback"
"/usr/sbin/capinfos"
"/usr/sbin/chkfontpath"
"/usr/sbin/chpasswd"
"/usr/sbin/chroot"
"/usr/sbin/convertquota"
"/usr/sbin/cpuspeed"
"/usr/sbin/cupsaddsmb"
"/usr/sbin/dbconverter-2"
"/usr/sbin/dftest"
"/usr/sbin/diskdumpctl_proc"
"/usr/sbin/diskdumpfmt"
"/usr/sbin/dmidecode"
"/usr/sbin/dongle_attach"
"/usr/sbin/dovecot"
"/usr/sbin/dump-acct"
"/usr/sbin/dump-utmp"
"/usr/sbin/editcap"
"/usr/sbin/edquota"
"/usr/sbin/execcap"
"/usr/sbin/exportfs"
"/usr/sbin/ext2online"
"/usr/sbin/fbset"
"/usr/sbin/filefrag"
"/usr/sbin/findchip"
"/usr/sbin/fstab-sync"
"/usr/sbin/gdmsetup"
"/usr/sbin/getenforce"
"/usr/sbin/getpcaps"
"/usr/sbin/getsebool"
"/usr/sbin/glibc_post_upgrade.i686"
"/usr/sbin/gpm"
"/usr/sbin/groupadd"
"/usr/sbin/groupdel"
"/usr/sbin/groupmod"
"/usr/sbin/grpck"
"/usr/sbin/grpconv"
"/usr/sbin/grpunconv"
"/usr/sbin/hal_lpadmin"
"/usr/sbin/hald"
"/usr/sbin/hardlink"
"/usr/sbin/hcidump"
"/usr/sbin/i2cdetect"
"/usr/sbin/i2cdump"
"/usr/sbin/i2cset"
"/usr/sbin/iconvconfig"
"/usr/sbin/iconvconfig.i686"
"/usr/sbin/imon"
"/usr/sbin/imontty"
"/usr/sbin/inputattach"
"/usr/sbin/iptstate"
"/usr/sbin/irattach"
"/usr/sbin/irdaping"
"/usr/sbin/isadump"
"/usr/sbin/isaset"
"/usr/sbin/kbdrate"
"/usr/sbin/kppp"
"/usr/sbin/kudzu"
"/usr/sbin/kuser"
"/usr/sbin/lchage"
"/usr/sbin/lgroupadd"
"/usr/sbin/lgroupdel"
"/usr/sbin/lgroupmod"
"/usr/sbin/lid"
"/usr/sbin/lircd"
"/usr/sbin/lircmd"
"/usr/sbin/lnewusers"
"/usr/sbin/load_policy"
"/usr/sbin/lockdev"
"/usr/sbin/logrotate"
"/usr/sbin/lokkit"
"/usr/sbin/longrun"
"/usr/sbin/lpadmin"
"/usr/sbin/lpasswd"
"/usr/sbin/lpc.cups"
"/usr/sbin/lpinfo"
"/usr/sbin/lpmove"
"/usr/sbin/lsof"
"/usr/sbin/luseradd"
"/usr/sbin/luserdel"
"/usr/sbin/lusermod"
"/usr/sbin/lvm"
"/usr/sbin/mergecap"
"/usr/sbin/mklost+found"
"/usr/sbin/mksock"
"/usr/sbin/mlock"
"/usr/sbin/module_upgrade"
"/usr/sbin/mtr"
"/usr/sbin/netconfig"
"/usr/sbin/newusers"
"/usr/sbin/nfsstat"
"/usr/sbin/nhfsstone"
"/usr/sbin/nscd"
"/usr/sbin/nstat"
"/usr/sbin/ntsysv"
"/usr/sbin/packer"
"/usr/sbin/plainrsa-gen"
"/usr/sbin/pmap_dump"
"/usr/sbin/pmap_set"
"/usr/sbin/postalias"
"/usr/sbin/postcat"
"/usr/sbin/postconf"
"/usr/sbin/postdrop"
"/usr/sbin/postkick"
"/usr/sbin/postlock"
"/usr/sbin/postlog"
"/usr/sbin/postmap"
"/usr/sbin/postqueue"
"/usr/sbin/postsuper"
"/usr/sbin/pppdump"
"/usr/sbin/pppstats"
"/usr/sbin/pwck"
"/usr/sbin/pwconv"
"/usr/sbin/pwunconv"
"/usr/sbin/quotastats"
"/usr/sbin/racoon"
"/usr/sbin/racoonctl"
"/usr/sbin/randpkt"
"/usr/sbin/rcapid"
"/usr/sbin/rdev"
"/usr/sbin/rdistd"
"/usr/sbin/readahead"
"/usr/sbin/readprofile"
"/usr/sbin/repquota"
"/usr/sbin/rpc.gssd"
"/usr/sbin/rpc.idmapd"
"/usr/sbin/rpc.svcgssd"
"/usr/sbin/rpcinfo"
"/usr/sbin/rtacct"
"/usr/sbin/rtstat"
"/usr/sbin/run_init"
"/usr/sbin/sa"
"/usr/sbin/saned"
"/usr/sbin/sasl2-shared-mechlist"
"/usr/sbin/sasl2-static-mechlist"
"/usr/sbin/saslauthd"
"/usr/sbin/saslauthd1-checkpass"
"/usr/sbin/sasldblistusers"
"/usr/sbin/sasldblistusers2"
"/usr/sbin/saslpasswd"
"/usr/sbin/saslpasswd2"
"/usr/sbin/savecore"
"/usr/sbin/security"
"/usr/sbin/selinuxenabled"
"/usr/sbin/sendmail.postfix"
"/usr/sbin/sestatus"
"/usr/sbin/setenforce"
"/usr/sbin/setfiles"
"/usr/sbin/setpcaps"
"/usr/sbin/setquota"
"/usr/sbin/setsebool"
"/usr/sbin/setup"
"/usr/sbin/showmount"
"/usr/sbin/smtp-sink"
"/usr/sbin/smtp-source"
"/usr/sbin/ss"
"/usr/sbin/sshd"
"/usr/sbin/stunnel"
"/usr/sbin/sucap"
"/usr/sbin/tcpdump"
"/usr/sbin/tcpslice"
"/usr/sbin/testsaslauthd"
"/usr/sbin/text2pcap"
"/usr/sbin/tmpwatch"
"/usr/sbin/togglesebool"
"/usr/sbin/tunelp"
"/usr/sbin/tux"
"/usr/sbin/tux2w3c"
"/usr/sbin/tuxstat"
"/usr/sbin/useradd"
"/usr/sbin/userdel"
"/usr/sbin/userhelper"
"/usr/sbin/usermod"
"/usr/sbin/utempter"
"/usr/sbin/vipw"
"/usr/sbin/warnquota"
"/usr/sbin/x86info"
"/usr/sbin/xfce4-kiosk-query"
"/usr/sbin/yppoll"
"/usr/sbin/ypset"
"/usr/sbin/yptest"
"/usr/sbin/zdump"
"/usr/sbin/zic"
I ran ls -l on some of them, and their modification dates are from months ago or last year. I also checked the RPMs that some of these binaries were originally from (rpm -qf and rpm -qi), and they were also installed months ago or last year. rpm -V doesn't give any results for the most part. This computer runs yum update nightly, but /var/log/yum.log doesn't show these binaries or their RPMs being updated. SSH logs haven't shown any funny logins. Only IP addresses belonging to the college where I work can log in via ssh, and ftp and telnet are not running. Any ideas on what could be causing tripwire to report changes in these binaries?

Thanks!
S. Chen
 
Old 11-06-2005, 07:54 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
What part of the tripwire check is failing, MD5sum, timestamps? Do the modification times on those binaries appear to approximately correspond with any of the yum updates?
 
Old 11-06-2005, 09:53 PM   #3
schentor
Member
 
Registered: Jul 2005
Distribution: RHEL, Mint, Ubuntu
Posts: 32

Original Poster
Rep: Reputation: 15
The tripwire check is failing on the MD5 sums. The observed MD5 sum differs from the expected, and the observed number of blocks for these binaries is also less than expected. The expected and observed modification timestamps and file sizes match. Most of the timestamps are from 2004. The log for the recent yum updates doesn't show anything about the RPMs for the binaries in question. A few days ago a new kernel was installed, but tripwire only started showing these changes in last night/this morning's run.
 
Old 11-07-2005, 01:53 PM   #4
schentor
Member
 
Registered: Jul 2005
Distribution: RHEL, Mint, Ubuntu
Posts: 32

Original Poster
Rep: Reputation: 15
I just looked through the logs and installed chkrootkit... haven't come up with anything. Netstat doesn't show anything suspicious, and nmap from another machine didn't come up with any unusual ports open.
 
Old 11-07-2005, 02:07 PM   #5
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Did /etc/prelink.cache change by chance too? If so, this is probably a bunch of new binaries that got prelinked.
 
Old 11-07-2005, 02:51 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Exactly what I was thinking...might also want to try to undo prelinking on a few of the binaries with "prelink -au" and see if they come back clean.
 
Old 11-16-2005, 02:37 PM   #7
schentor
Member
 
Registered: Jul 2005
Distribution: RHEL, Mint, Ubuntu
Posts: 32

Original Poster
Rep: Reputation: 15
Yes, the tripwire reports were due to prelinking. prelink.cache was being updated. After I changed /etc/sysconfig/prelink to set PRELINKING=no, the reports came back clean.
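A triage script for exactly the situation in this thread, added here as an example and not code from the thread or from tripwire: it takes the paths under "Modified:" in a tripwire report, undoes prelinking in memory with prelink -y, and compares the result with the MD5 the owning RPM recorded, so a binary that only prelink rewrote reads "prelink" while one whose original image no longer matches reads "TAMPERED". It assumes rpm and prelink are on PATH; the report fragment and the package name format are constructed for illustration.

```python
"""Triage a tripwire 'Modified:' list: separate prelink rewrites from real tampering.
Added example (not from the thread); assumes rpm and prelink on PATH, runner injectable."""
import hashlib, re, subprocess
# Constructed fragment shaped like the tripwire report quoted in the thread.
SAMPLE_REPORT = 'Modified:\n"/usr/sbin/sshd"\n"/usr/sbin/useradd"\nAdded:\n"/tmp/x"\n'

def parse_modified(report):
    """Quoted paths under the 'Modified:' heading only; other sections are skipped."""
    paths, in_modified = [], False
    for line in report.splitlines():
        if re.fullmatch(r"[A-Za-z]+:", line):             # section heading
            in_modified = line == "Modified:"
        elif in_modified and (m := re.fullmatch(r'"(.*)"', line)):
            paths.append(m.group(1))
    return paths

def run(cmd):
    """Default runner: execute cmd, return (exit status, stdout bytes)."""
    p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.DEVNULL)
    return p.returncode, p.stdout

def packaged_md5(path, runner=run):
    """MD5 the owning RPM recorded for path, or None if no package owns it."""
    rc, out = runner(["rpm", "-qf", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", path])
    if rc != 0:
        return None
    # 'rpm -ql --dump' prints one 'path size mtime md5 mode ...' line per file
    rc, out = runner(["rpm", "-ql", "--dump", out.decode().strip()])
    for fields in (line.split() for line in out.decode().splitlines()):
        if len(fields) > 3 and fields[0] == path:
            return fields[3]
    return None

def unprelinked_md5(path, runner=run):
    """MD5 of the original image: 'prelink -y' undoes prelinking to stdout only."""
    rc, out = runner(["prelink", "-y", path])
    out = out if rc == 0 else open(path, "rb").read()      # not prelinked: hash as-is
    return hashlib.md5(out).hexdigest()

def triage(report, runner=run):
    """'prelink' = matches RPM once prelink is undone, 'TAMPERED' = does not, 'unpackaged' = no owner."""
    verdicts = {}
    for path in parse_modified(report):
        expected = packaged_md5(path, runner)
        if expected is None:
            verdicts[path] = "unpackaged"
        else:
            verdicts[path] = "prelink" if unprelinked_md5(path, runner) == expected else "TAMPERED"
    return verdicts
```

Run it as root against the saved report; anything that still reads "TAMPERED" after prelink is undone deserves the further checks mentioned in this thread (chkrootkit, netstat, an nmap scan from another host) rather than a database update.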
 