Hackers are unstoppable!

Scot L. Harris webid at cfl.rr.com
Sun Aug 28 22:15:09 UTC 2005


On Sun, 2005-08-28 at 17:43, Webmaster wrote:
> We have not been able to determine how a hacker was able to crack one of
> our hosts and deposit binaries on all the hosts in our network (all hosts
> are FC3).
>
> A tripwire report shows the following binaries as being modified.  We
> think this is part of "ethereal," an IP packet sniffer.  Because so many
> files have been modified (these are just the ones in /usr/bin), we
> decided to wipe the system and install FC4.  chkrootkit.0.45 sometimes
> reports that an LKM trojan has been installed, but it does not report a
> problem each time it is invoked.

Could you be seeing a problem with prelink?  I don't believe tripwire is
prelink-aware, as such it would report differences if you ran tripwire
prior to prelink doing its thing.  If that is the case then you
probably did not have a security event.  I suspect this because of the
files you listed.  Probably no reason for a hacker to modify files that
are used to convert various file types to/from pbm format.  Were there
any changes to configuration files or just binary executables?

chkrootkit has a problem with false positives at times similar to what
you mentioned.
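One way to triage a tripwire hit along these lines, added here as an example and not part of the original post: ask rpm whether the file's content still matches what its package shipped, and ask prelink whether the file carries a consistent prelink image. This assumes a Fedora host with rpm(8) and prelink(8) installed and an rpm whose verify step un-prelinks before comparing digests (the case on FC3 and later, as far as I know); `classify_verify_line` and `triage_file` are names chosen for this example.

```shell
#!/bin/sh
# Triage files flagged by tripwire: was the change prelink, or real content?
# Assumptions: rpm(8) and prelink(8) present; "rpm -V" is prelink-aware.

# Classify one line of "rpm -V" output. Column 1 is a 9-character attribute
# string: S=size, M=mode, 5=digest, D=device, L=link, U=user, G=group,
# T=mtime, and "." for an attribute that verified OK. "missing" is printed
# when the file is gone entirely.
#   content  -> size or digest differ: the bytes are not what the package shipped
#   metadata -> only mode/owner/mtime differ: typical after prelink or a touch
#   ok       -> everything verified
classify_verify_line() {
    attrs=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$attrs" in
        missing)            echo missing ;;
        *5*|S*)             echo content ;;
        *M*|*U*|*G*|*T*)    echo metadata ;;
        *)                  echo ok ;;
    esac
}

# Report on one path: owning package, prelink state, and rpm's verdict.
triage_file() {
    f=$1
    pkg=$(rpm -qf --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$f" 2>/dev/null) || {
        echo "$f: not owned by any package (investigate by hand)"; return 0; }
    # "prelink -y" writes the un-prelinked image to stdout and fails when the
    # file is not prelinked or its prelink data is inconsistent (assumption).
    if prelink -y "$f" >/dev/null 2>&1; then
        pl="prelinked"
    else
        pl="not prelinked, or prelink data inconsistent"
    fi
    # rpm -V prints only attributes that failed; silence means a clean match.
    line=$(rpm -V "$pkg" 2>/dev/null | grep -F -- " $f" | head -n 1) || true
    if [ -z "$line" ]; then
        echo "$f: matches $pkg ($pl)"
    else
        echo "$f: $(classify_verify_line "$line") change vs $pkg ($pl)"
    fi
}

# Usage: triage.sh /usr/bin/pnmtopng /usr/bin/ppmtogif ...
for f in "$@"; do
    triage_file "$f"
done
```

A "metadata" verdict on a prelinked binary is what a prelink run leaves behind; a "content" verdict, or a file not owned by any package, is what actually deserves the wipe-and-reinstall treatment.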
