[Snort-users] False alarm?

Sebastian Ip 9scki at ...2821...
Mon Oct 15 05:27:03 EDT 2001


Dear experienced security people

I woke up today checked my personal linux firewall logs.. noticed that over 
night tirpwire results were in my mail box.. Checked it.. and ALARM!! ls has 
been modified along with gunzip, gzip, zcat and cpio. All of them in /bin.

So i was like F***!! something's wrong.. But what can be wrong? I didn't do 
nothing and my firewall blocks everything but sendmail, named and ssh. None 
of those have any known problems for 7.1 that i haven't patched for. Ok .. 
save the sendmail local root thing. But i don't have any local users! just me 
me me! The only problem i can see is that i opened my ftp for one of my 
friends. But that was restricted to his ip only. And i don't know of any new 
wu-ftp bug (yes yes i know but i don't usually host ftps).

So anyhow i decided not to panic and reinstall from scratch because first of 
all it's just odd that only ls and a few other file's been changed. Logs 
shows nothing but those could have been changed. And i have a midterm next 
week i have to study for.

So i found my redhat 7.1 cds found the right rpm extracted the file ls from 
that on my own workstation and md5sumed the copy on the firewall and the one 
extracted from the rpm. The results came back the same. Which leaves me with 
the question. Am i going to have to reinstall? Or is this just an example of 
how tripwire can screw up royally at a very odd time?

So eh if anyone wants to tell me what to do next drop me a line i'll be 
eternaly grateful.

Thanks

Sebastian Ip




More information about the Snort-users mailing list