Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-06-2006, 11:48 AM | #1
Member | Registered: Nov 2005 | Distribution: Fedora 4 | Posts: 40
TRIPWIRE: Why do system files' md5sums change?
Hello everyone! First let me say that this is a really cool forum, and thanks to Jeremy for all his hard work!
My question is related to TRIPWIRE:
I just set up a new Fedora Core 4 box to run as a webserver. It was put in place/connected to the internet to start serving web pages on March 4, 06. Before connecting it, I installed Tripwire and ran it to take the initial snapshot on March 2, 06.
Tripwire is scheduled to run with CRON and email the results to 'root'. When the Tripwire report was generated on March 3, BEFORE we connected the server to the internet, it reported that lots of system files had been "modified".
(The server had been connected behind a firewall simply for installation and update purposes, and was not being accessed by the outside world until we connected it in the afternoon of March 4.)
I have another box that is installed with the same Fedora Core 4 CD, and updated (using YUM) at the same time. If I do MD5SUMs of the same files on both boxes, I get different results. However, LS reports that the files on the two different boxes are the same size and have the same creation date.
I looked at yum.log and could see no indications that updates were run after March 2, and the last thing installed was Tripwire.
My question is this: WHY are the same files, such as /bin/ls, reporting different checksums on different machines installed with the same FC4 CD and updated using YUM at the same time?
Also, "md5sum /usr/bin/yum" generates the SAME checksum on both machines. (yum was NOT reported as modified by tripwire, but I did set up monitoring for this file.)
Do you think I have been hacked or have picked up a rootkit? As I say, this all happened while the system was running behind a firewall on a local network, with no firewall ports forwarded to the machine. It was just being configured and updated, but was not publicly accessible.
I'm sorry if this is really long and hard to understand. But I would greatly appreciate any help you can give!
For the sake of completeness, here's a Tripwire report (snipped) from Mar 3 at 4AM:
Tripwire(R) 2.3.0 Integrity Check Report
Report generated by: root
Report created on: Fri Mar 3 04:02:12 2006
Database last updated on: Never
===============================================================================
Report Summary:
===============================================================================
Host name: ##HOSTNAME##
Host IP address: 127.0.0.1
Host ID: None
Policy file used: /etc/tripwire/tw.pol
Configuration file used: /etc/tripwire/tw.cfg
Database file used: /var/lib/tripwire/###HOSTNAME###.twd
Command line used: /usr/sbin/tripwire --check
===============================================================================
Rule Summary:
===============================================================================
-------------------------------------------------------------------------------
Section: Unix File System
-------------------------------------------------------------------------------
Rule Name                                      Severity Level  Added  Removed  Modified
---------                                      --------------  -----  -------  --------
* User binaries                                66              0      0        149
* Tripwire Binaries                            100             0      0        4
  Critical configuration files                 100             0      0        0
* Libraries                                    66              0      0        38
* Operating System Utilities                   100             0      0        6
  Critical system boot files                   100             0      0        0
* File System and Disk Administraton Programs  100             0      0        2
  Kernel Administration Programs               100             0      0        0
  Networking Programs                          100             0      0        0
* System Administration Programs               100             0      0        1
* Hardware and Device Control Programs         100             0      0        1
  System Information Programs                  100             0      0        0
  Application Information Programs             100             0      0        0
  Shell Related Programs                       100             0      0        0
  Critical Utility Sym-Links                   100             0      0        0
  Shell Binaries                               100             0      0        0
  Tripwire Data Files                          100             0      0        0
* System boot changes                          100             0      1        1
* OS executables and libraries                 100             0      0        1
  Security Control                             100             0      0        0
  Login Scripts                                100             0      0        0
* Root config files                            100             2      1        1
  Invariant Directories                        66              0      0        0
  Temporary directories                        33              0      0        0
  Critical devices                             100             0      0        0
Total objects scanned: 19499
Total violations found: 208
===============================================================================
Object Summary:
===============================================================================
-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/sbin/arpd"
"/usr/sbin/dbconverter-2"
"/usr/sbin/groupadd"
"/usr/sbin/groupdel"
"/usr/sbin/groupmod"
"/usr/sbin/imon"
"/usr/sbin/iptstate"
"/usr/sbin/lchage"
"/usr/sbin/lgroupadd"
"/usr/sbin/lgroupdel"
"/usr/sbin/lgroupmod"
"/usr/sbin/lnewusers"
"/usr/sbin/lpasswd"
"/usr/sbin/luseradd"
"/usr/sbin/luserdel"
"/usr/sbin/lusermod"
"/usr/sbin/lvm"
"/usr/sbin/mtr"
"/usr/sbin/rpc.idmapd"
"/usr/sbin/rpc.svcgssd"
"/usr/sbin/run_init"
"/usr/sbin/saslauthd"
"/usr/sbin/sasldblistusers2"
"/usr/sbin/saslpasswd"
"/usr/sbin/saslpasswd2"
"/usr/sbin/snort-plain"
"/usr/sbin/useradd"
"/usr/sbin/userdel"
"/usr/sbin/userhelper"
"/usr/sbin/usermod"
-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/siggen)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/usr/sbin/siggen"
-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/usr/sbin/tripwire"
-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/twadmin)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/usr/sbin/twadmin"
-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/twprint)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/usr/sbin/twprint"
-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/lib/autofs/autofs-ldap-auto-master"
"/usr/lib/lib-com-sun-javadoc.so.0.0.0"
"/usr/lib/lib-com-sun-tools-doclets-Taglet.so.0.0.0"
"/usr/lib/lib-gnu-classpath-tools-gjdoc.so.0.0.0"
"/usr/lib/libbeecrypt.so.6.4.0"
"/usr/lib/libgcj.so.6.0.0"
"/usr/lib/libgdk-x11-2.0.so.0.600.10"
"/usr/lib/libgij.so.6.0.0"
"/usr/lib/libglut.so.3.8.0"
"/usr/lib/libgtk-x11-2.0.so.0.600.10"
"/usr/lib/libpangoft2-1.0.so.0.800.1"
"/usr/lib/libpangoxft-1.0.so.0.800.1"
"/usr/lib/libpcap.so.0.8.3"
"/usr/lib/libpcreposix.so.0.0.0"
"/usr/lib/librpm-4.4.so"
"/usr/lib/librpmbuild-4.4.so"
"/usr/lib/librpmdb-4.4.so"
"/usr/lib/librpmio-4.4.so"
"/usr/lib/libsasl.so.7.1.11"
"/usr/lib/libtiff.so.3.7.1"
"/usr/lib/libwvstreams.so.3.75"
"/usr/lib/libwvutils.so.3.75"
"/usr/lib/rpm/rpmd"
"/usr/lib/rpm/rpmdb_archive"
"/usr/lib/rpm/rpmdb_checkpoint"
"/usr/lib/rpm/rpmdb_deadlock"
"/usr/lib/rpm/rpmdb_dump"
"/usr/lib/rpm/rpmdb_load"
"/usr/lib/rpm/rpmdb_printlog"
"/usr/lib/rpm/rpmdb_recover"
"/usr/lib/rpm/rpmdb_stat"
"/usr/lib/rpm/rpmdb_svc"
"/usr/lib/rpm/rpmdb_upgrade"
"/usr/lib/rpm/rpmdb_verify"
"/usr/lib/rpm/rpmfile"
"/usr/lib/rpm/rpmi"
"/usr/lib/rpm/rpmk"
"/usr/lib/rpm/rpmq"
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/bin/NetworkManager"
"/usr/bin/NetworkManagerDispatcher"
"/usr/bin/addftinfo"
"/usr/bin/afs5log"
"/usr/bin/ascii-xfr"
"/usr/bin/aspell"
"/usr/bin/bc"
"/usr/bin/bmp2tiff"
"/usr/bin/cal"
"/usr/bin/chage"
"/usr/bin/chfn"
"/usr/bin/chsh"
"/usr/bin/clear"
"/usr/bin/crontab"
"/usr/bin/diff"
"/usr/bin/dir"
"/usr/bin/eqn"
"/usr/bin/fax2ps"
"/usr/bin/fax2tiff"
"/usr/bin/fc-cache"
"/usr/bin/fc-list"
"/usr/bin/ftp"
"/usr/bin/gcj-dbtool"
"/usr/bin/gif2tiff"
"/usr/bin/gij"
"/usr/bin/gjdoc"
"/usr/bin/gpasswd"
"/usr/bin/grmic"
"/usr/bin/grmiregistry"
"/usr/bin/grn"
"/usr/bin/grodvi"
"/usr/bin/groff"
"/usr/bin/grolbp"
"/usr/bin/grolj4"
"/usr/bin/grops"
"/usr/bin/grotty"
"/usr/bin/gtk-demo"
"/usr/bin/gtk-query-immodules-2.0-32"
"/usr/bin/gtk-update-icon-cache"
"/usr/bin/hpftodit"
"/usr/bin/indxbib"
"/usr/bin/info"
"/usr/bin/infocmp"
"/usr/bin/infokey"
"/usr/bin/jv-convert"
"/usr/bin/lchfn"
"/usr/bin/lchsh"
"/usr/bin/less"
"/usr/bin/lftp"
"/usr/bin/lkbib"
"/usr/bin/lookbib"
"/usr/bin/minicom"
"/usr/bin/nano"
"/usr/bin/newrole"
"/usr/bin/nm-tool"
"/usr/bin/pal2rgb"
"/usr/bin/pango-querymodules-32"
"/usr/bin/passwd"
"/usr/bin/pcregrep"
"/usr/bin/pcretest"
"/usr/bin/pfbtops"
"/usr/bin/pic"
"/usr/bin/pinfo"
"/usr/bin/post-grohtml"
"/usr/bin/ppm2tiff"
"/usr/bin/pre-grohtml"
"/usr/bin/pstree"
"/usr/bin/pstree.x11"
"/usr/bin/ras2tiff"
"/usr/bin/raw2tiff"
"/usr/bin/refer"
"/usr/bin/rgb2ycbcr"
"/usr/bin/rpm2cpio"
"/usr/bin/runscript"
"/usr/bin/screen"
"/usr/bin/setterm"
"/usr/bin/shred"
"/usr/bin/slabtop"
"/usr/bin/soelim"
"/usr/bin/sqlite3"
"/usr/bin/statserial"
"/usr/bin/tack"
"/usr/bin/tail"
"/usr/bin/tbl"
"/usr/bin/tfmtodit"
"/usr/bin/thumbnail"
"/usr/bin/tic"
"/usr/bin/tiff2bw"
"/usr/bin/tiff2pdf"
"/usr/bin/tiff2ps"
"/usr/bin/tiff2rgba"
"/usr/bin/tiffcmp"
"/usr/bin/tiffcp"
"/usr/bin/tiffdither"
"/usr/bin/tiffdump"
"/usr/bin/tiffinfo"
"/usr/bin/tiffmedian"
"/usr/bin/tiffset"
"/usr/bin/tiffsplit"
"/usr/bin/toe"
"/usr/bin/top"
"/usr/bin/tput"
"/usr/bin/troff"
"/usr/bin/tset"
"/usr/bin/ul"
"/usr/bin/vbox"
"/usr/bin/vdir"
"/usr/bin/watch"
"/usr/bin/wget"
"/usr/bin/wvdial"
"/usr/bin/wvdialconf"
"/usr/bin/xmlcatalog"
"/usr/bin/xmllint"
-------------------------------------------------------------------------------
Rule Name: User binaries (/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/sbin/divaload"
"/sbin/divalog"
"/sbin/divalogd"
"/sbin/eiconctrl"
"/sbin/pam_timestamp_check"
"/sbin/partprobe"
-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/pam_console_apply)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/sbin/pam_console_apply"
-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/parted)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/sbin/parted"
-------------------------------------------------------------------------------
Rule Name: System Administration Programs (/sbin/pam_tally)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/sbin/pam_tally"
-------------------------------------------------------------------------------
Rule Name: Hardware and Device Control Programs (/sbin/hwclock)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/sbin/hwclock"
-------------------------------------------------------------------------------
Rule Name: System boot changes (/var/run)
Severity Level: 100
-------------------------------------------------------------------------------
Removed:
"/var/run/screen/S-###USERNAME###/3054.pts-0.###HOSTNAME###"
-------------------------------------------------------------------------------
Rule Name: OS executables and libraries (/lib)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/lib/libpam_misc.so.0.79"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/date)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/date"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/grep)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/grep"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/login)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/login"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/ls"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/rpm)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/rpm"
-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/sleep)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/sleep"
-------------------------------------------------------------------------------
Rule Name: System boot changes (/dev/tty1)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/dev/tty1"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/root/procshot.sh"
"/root/procshot.list"
Removed:
"/root/barnyard-0.2.0/docs/.INSTALL.swp"
Modified:
"/root/.lesshst"
--------------------------------------------------
KRASL
Last edited by krasl; 03-06-2006 at 12:11 PM.
03-06-2006, 06:55 PM | #2
Senior Member | Registered: Sep 2003 | Posts: 3,171
You say you updated your server; updates would certainly change files - which tripwire would catch. Different md5sums on different machines could reflect different hardware, and consequently different versions or different compile results for individual files.
03-06-2006, 07:03 PM | #3
Senior Member | Registered: Dec 2005 | Location: Brisbane, Australia | Distribution: Slackware64 14.0 | Posts: 4,141
If this was happening prior to connecting this box to the internet, have a look and see if prelink is installed and running. It modifies executables and libraries "so that far less relocations need to be resolved at runtime and thus programs come up faster" ( http://www.redhat.com/archives/fedor.../msg00082.html). You can control prelink's behaviour from (iirc) /etc/sysconfig/prelink and /etc/prelink.conf but I haven't done this for a while.
03-06-2006, 11:55 PM | #4
Member | Original Poster | Registered: Nov 2005 | Distribution: Fedora 4 | Posts: 40
Prelink seems to be the culprit
Thank you so much, gilead, for the information!
I checked, and a prelink script is in my /etc/cron.daily directory. It seems like this is what's making the change. Do I need to leave this alone, or should I disable the prelink program? Will it actually make a difference in performance to use prelink?
The system is an AMD Athlon X2 3800+ with 1G of RAM.
Thanks again for pointing out this information!
Krasl
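gilead's prelink explanation covers the modified executables and libraries in the report, but the same report also lists added and removed files under /root and a changed /dev/tty1, which prelink never rewrites (it only touches ELF binaries and shared libraries). The script below is an added example, not code from the thread: it splits a Tripwire 2.3 "Object Summary" into the entries prelink can account for and the ones that still need a look, and re-hashes a candidate binary with prelink -y so two boxes built from the same RPMs can be compared. The report excerpt is constructed from the format quoted above, and prelink is assumed to be installed for the last function.

```shell
# Added example, not from the thread: split a Tripwire 2.3 "Object Summary"
# into violations prelink can account for and ones that need a human look.

# Constructed excerpt in the same layout as the report quoted above.
SAMPLE_REPORT='Rule Name: Operating System Utilities (/bin/ls)
Severity Level: 100
-------------------------------------------------------------------------------
Modified:
"/bin/ls"
-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------
Added:
"/root/procshot.sh"
Removed:
"/root/barnyard-0.2.0/docs/.INSTALL.swp"
Modified:
"/root/.lesshst"
'

# Read a report on stdin and print one "ACTION<TAB>PATH" line per object.
report_objects() {
    awk '
        /^(Added|Removed|Modified):$/ { action = substr($0, 1, length($0) - 1); next }
        substr($0, 1, 1) == "\""      { gsub("\"", ""); print action "\t" $0 }
    '
}

# prelink rewrites ELF executables and shared libraries in place, so only a
# "Modified" entry under the binary/library trees can be explained by it.
# Added or removed files, devices and dotfiles cannot.
prelink_can_explain() {
    [ "$1" = Modified ] || return 1
    case $2 in
        /bin/*|/sbin/*|/lib/*|/lib64/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/lib64/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Filter a report (stdin) down to the entries prelink does not account for.
needs_review() {
    report_objects | while IFS="$(printf '\t')" read -r action path; do
        prelink_can_explain "$action" "$path" || printf '%s\t%s\n' "$action" "$path"
    done
}

# For a prelink candidate, hash the file with prelinking undone (prelink -y
# writes the original binary to stdout). Two boxes installed from the same
# RPMs should agree on this value even when their on-disk md5sums differ.
unprelinked_md5() {
    prelink -y "$1" | md5sum | cut -d' ' -f1
}
printf '%s' "$SAMPLE_REPORT" | needs_review
```

Run it against a saved report with `needs_review < report.txt`; whatever it prints is not a prelink side effect and deserves the same scrutiny the OP gave the checksums.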