tripwire flagged files, am I hacked?
tripwire says some files in my /sbin directory changed, such as
/usr/sbin/luseradd
doing a 'rpm -qf /usr/sbin/luseradd', this is in package libuser-0.52.5-1.el4.1
looking on a different system, it also has
libuser-0.52.5-1.el4.1
now if I do an md5sum on /usr/sbin/luseradd on both systems, they do not have the same md5sum. if the packages are the same, shouldn't the md5sums also be the same?
'rpm -V libuser-0.52.5-1.el4.1' lists
.......T c /etc/libuser.conf
another one:
rpm -qf /usr/sbin/kudzu
kudzu-1.1.95.15-1
rpm -V kudzu-1.1.95.15-1
.M...... c /etc/rc.d/init.d/kudzu
both systems have kudzu-1.1.95.15-1, yet the md5sums of /usr/sbin/kudzu differ
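As an added example (not part of the original post), a POSIX shell helper that decodes `rpm -V` result lines like the two quoted above. The function names and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode `rpm -V` result lines. Function names are hypothetical.

# Checks in the order rpm prints them: S M 5 D L U G T (plus P on newer rpm).
RPM_V_CHECKS="size mode digest device symlink user group mtime capabilities"

# decode_rpm_verify "<line>"  ->  "<path> [<attr>]: <checks that failed>"
# Runs of spaces inside a path are collapsed by the word splitting used here.
decode_rpm_verify() {
    set -f; set -- $1; set +f          # split the line into words, no globbing
    flags=$1; shift
    # Optional marker: c=config d=doc g=ghost l=license r=readme
    case $1 in [cdglr]) attr=$1; shift ;; *) attr=- ;; esac
    path=$*
    failed=""
    if [ "$flags" = "missing" ]; then
        failed=" missing"
    else
        rest=$flags
        for name in $RPM_V_CHECKS; do
            [ -n "$rest" ] || break
            c=${rest%"${rest#?}"}      # first character of what is left
            rest=${rest#?}
            case $c in
                .)  ;;                                   # check passed
                \?) failed="$failed $name(unverifiable)" ;;
                *)  failed="$failed $name" ;;
            esac
        done
    fi
    printf '%s [%s]:%s\n' "$path" "$attr" "$failed"
}

# content_changed "<line>": succeeds only when the digest test ("5") failed.
content_changed() {
    case ${1%% *} in ??5*) return 0 ;; *) return 1 ;; esac
}

# First two lines are from the post; the third is a constructed sample.
while IFS= read -r line; do
    decode_rpm_verify "$line"
    if content_changed "$line"; then echo "  -> file content differs from package"; fi
done <<'EOF'
.......T c /etc/libuser.conf
.M...... c /etc/rc.d/init.d/kudzu
S.5....T   /usr/sbin/example
EOF
```

`rpm -V` lists only files that fail at least one check, so a packaged file that does not appear in its output matched the rpm database on every attribute rpm tested.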