[Snort-users] False alarm?
9scki at ...2821...
Mon Oct 15 05:27:03 EDT 2001
Dear experienced security people
I woke up today checked my personal linux firewall logs.. noticed that over
night tirpwire results were in my mail box.. Checked it.. and ALARM!! ls has
been modified along with gunzip, gzip, zcat and cpio. All of them in /bin.
So i was like F***!! something's wrong.. But what can be wrong? I didn't do
nothing and my firewall blocks everything but sendmail, named and ssh. None
of those have any known problems for 7.1 that i haven't patched for. Ok ..
save the sendmail local root thing. But i don't have any local users! just me
me me! The only problem i can see is that i opened my ftp for one of my
friends. But that was restricted to his ip only. And i don't know of any new
wu-ftp bug (yes yes i know but i don't usually host ftps).
So anyhow i decided not to panic and reinstall from scratch because first of
all it's just odd that only ls and a few other file's been changed. Logs
shows nothing but those could have been changed. And i have a midterm next
week i have to study for.
So i found my redhat 7.1 cds found the right rpm extracted the file ls from
that on my own workstation and md5sumed the copy on the firewall and the one
extracted from the rpm. The results came back the same. Which leaves me with
the question. Am i going to have to reinstall? Or is this just an example of
how tripwire can screw up royally at a very odd time?
So eh if anyone wants to tell me what to do next drop me a line i'll be
More information about the Snort-users