LinuxQuestions.org
11-11-2006, 05:02 PM   #1
hank43
Distribution: centos 4.4
tripwire flagged files, am i hacked?


tripwire says some files in my /sbin directory changed, such as
/usr/sbin/luseradd

doing a 'rpm -qf /usr/sbin/luseradd', this is in package libuser-0.52.5-1.el4.1

looking on a different system, it also has
libuser-0.52.5-1.el4.1

now if i do an md5sum on /usr/sbin/luseradd on both systems, they do not have the same md5sum. if the packages are the same, shouldn't the md5sums also be the same?

'rpm -V libuser-0.52.5-1.el4.1' lists
.......T c /etc/libuser.conf


another one:
rpm -qf /usr/sbin/kudzu
kudzu-1.1.95.15-1

rpm -V kudzu-1.1.95.15-1
.M...... c /etc/rc.d/init.d/kudzu

both systems have kudzu-1.1.95.15-1, yet the md5sums of /usr/sbin/kudzu differ
 
11-11-2006, 06:03 PM   #2
unSpawn
Quote: "if the packages are the same, shouldn't the md5sums also be the same?"
Could be it has to do with prelinking.
 
11-11-2006, 06:13 PM   #3
chort
Reinstall those packages from the original CDs or downloaded RPMs? Compare the before & after md5 sums.
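
An added example, not part of any post in this thread: a small parser that decodes `rpm -V` lines like the two quoted in the first post, where only mtime (T) and mode (M) differ, both on config files. The flag letters follow rpm(8); the verdict labels in `triage` are an assumed policy, and the last two sample lines are constructed with placeholder paths.

```python
import re

# Flag letters from rpm(8) for `rpm -V`: "." = test passed, "?" = test not performed.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
FILE_TYPES = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# 8 flag columns on older rpm (as in the thread), 9 on newer; or the word "missing".
LINE_RE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+(?:(?P<type>[cdglr])\s+)?(?P<path>/.*)$")

def parse_verify_line(line):
    """Return a dict for one `rpm -V` output line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    if flags == "missing":
        changed, unverified = ["missing"], False
    else:
        changed = [FLAGS[c] for c in flags if c in FLAGS]
        unverified = "?" in flags
    return {"path": m.group("path"), "type": FILE_TYPES.get(m.group("type"), "file"),
            "changed": changed, "unverified": unverified}

def triage(entry):
    """Assumed policy (not from the thread): content differences outrank metadata."""
    if "missing" in entry["changed"]:
        return "missing"
    if "digest" in entry["changed"]:
        return "content-changed"
    if entry["unverified"]:
        return "unverified"
    return "metadata-only"

# The first two lines are the ones quoted in the thread; the last two are constructed.
SAMPLE = [
    ".......T c /etc/libuser.conf",
    ".M...... c /etc/rc.d/init.d/kudzu",
    "S.5....T   /usr/sbin/example-binary",
    "missing    /usr/sbin/example-missing",
]

def report(lines):
    """Parse each line and return (path, file type, verdict), skipping non-matches."""
    parsed = (parse_verify_line(l) for l in lines)
    return [(e["path"], e["type"], triage(e)) for e in parsed if e]

if __name__ == "__main__":
    for path, ftype, verdict in report(SAMPLE):
        print("%-16s %-7s %s" % (verdict, ftype, path))
```
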
 
  

