[Snort-users] False alarm?

Sebastian Ip 9scki at ...2821...
Mon Oct 15 06:39:01 EDT 2001


I did. They say look at Google, which is about as helpful as, well, certain brown
substances.

On Sunday 14 October 2001 09:09, you wrote:
> You might address this question to a more appropriate forum, such as the
> Incidents list at SecurityFocus. The address for the list is
> incidents at ...35..., and its home is www.securityfocus.com.
>
> roo
> aka. Benjamin Krueger
>
> ----- Original Message -----
> From: "Sebastian Ip" <9scki at ...2821...>
> To: <snort-users at lists.sourceforge.net>
> Sent: Monday, October 15, 2001 5:27 AM
> Subject: [Snort-users] False alarm?
>
> > Dear experienced security people
> >
> > I woke up today checked my personal linux firewall logs.. noticed that over
> > night tripwire results were in my mail box.. Checked it.. and ALARM!! ls has
> > been modified along with gunzip, gzip, zcat and cpio. All of them in
> > /bin.
> >
> > So I was like F***!! something's wrong.. But what can be wrong? I didn't do
> > nothing and my firewall blocks everything but sendmail, named and ssh. None
> > of those have any known problems for 7.1 that I haven't patched for. Ok
> > .. save the sendmail local root thing. But I don't have any local users!
> > just me me me! The only problem I can see is that I opened my ftp for one of my
> > friends. But that was restricted to his ip only. And I don't know of any new
> > wu-ftp bug (yes yes I know but I don't usually host ftps).
> >
> > So anyhow I decided not to panic and reinstall from scratch because first of
> > all it's just odd that only ls and a few other files have been changed. Logs
> > show nothing but those could have been changed. And I have a midterm
> > next week I have to study for.
> >
> > So I found my redhat 7.1 cds, found the right rpm, extracted the file ls from
> > that on my own workstation and md5summed the copy on the firewall and the one
> > extracted from the rpm. The results came back the same. Which leaves me with
> > the question. Am I going to have to reinstall? Or is this just an example of
> > how tripwire can screw up royally at a very odd time?
> >
> > So eh if anyone wants to tell me what to do next drop me a line, I'll be
> > eternally grateful.
> >
> > Thanks
> >
> > Sebastian Ip
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
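
Added example, not part of the original thread or of Tripwire: the check described in the quoted message compares a file's contents against a copy extracted from the RPM. The Python sketch below does that comparison (using SHA-256 in place of md5sum) and also records file metadata, on the assumption that an integrity checker's baseline includes attributes such as mtime, mode and inode, so that a metadata-only difference can be told apart from changed contents. All file names and contents are constructed stand-ins.

```python
import hashlib
import os
import stat
import tempfile

def digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(path):
    """Content hash plus the metadata a baseline might record (assumed set)."""
    st = os.stat(path)
    return {"sha256": digest(path), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime),
            "inode": st.st_ino}

def classify(baseline, current):
    """Name what differs and whether file content is involved."""
    changed = sorted(k for k in baseline if baseline[k] != current[k])
    if not changed:
        return "unchanged", changed
    if "sha256" in changed or "size" in changed:
        return "content-changed", changed
    return "metadata-only", changed

def demo():
    """Constructed stand-ins for /bin/ls and the copy extracted from the RPM."""
    with tempfile.TemporaryDirectory() as d:
        installed, reference = os.path.join(d, "ls"), os.path.join(d, "ls.from_rpm")
        for p in (installed, reference):
            with open(p, "wb") as f:
                f.write(b"constructed binary contents\n")
        base = snapshot(installed)
        # Timestamp moves, bytes do not: hash still matches the reference.
        os.utime(installed, (base["mtime"] + 3600, base["mtime"] + 3600))
        touched = classify(base, snapshot(installed))
        same = digest(installed) == digest(reference)
        # Bytes replaced: hash no longer matches the reference copy.
        with open(installed, "wb") as f:
            f.write(b"different contents of another length\n")
        replaced = classify(base, snapshot(installed))
        differs = digest(installed) != digest(reference)
        return touched, same, replaced[0], differs

if __name__ == "__main__":
    print(demo())
```

The reference copy and the tool doing the hashing should come from trusted media and run on a separate machine, as the poster did with the workstation and the install CDs.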



