Strange tripwire behaviour
Scot L. Harris
webid at cfl.rr.com
Wed Mar 30 13:18:02 UTC 2005
On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> Hi All,
>
> I run tripwire each night on all my servers to check for file changes.
> This morning I noticed something strange. On this server tripwire was
> installed on 26th Nov last.
>
> [root at keano ~]# rpm -qa --last | grep tripwire
> tripwire-2.3.1-18.fdr.3.1 Fri Nov 26 13:31:50 2004
>
> Now for some reason when it was run last night the following changes had
> occurred to the tripwire executable. Changes to the Inode Number, the
> block count, the CRC32 and MD5 checksums.
>
>
> Modified object name: /usr/sbin/tripwire
> Now a similar change occurred on all 20 of my servers last night so I don't
> think it was a compromise. At least I hope not.
>
> Any ideas?
Most likely prelink ran and modified the binaries. First time I had
tripwire reported like this I was in a mild panic thinking the worst.
But it turned out to be prelink doing its thing via the cron job.
--
Scot L. Harris
webid at cfl.rr.com
The most disagreeable thing that your worst enemy says to your face does
not approach what your best friends say behind your back.
-- Alfred De Musset
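
One way to confirm the prelink explanation given in the reply above, as an added example that is not part of the original thread. It assumes prelink(8) and md5sum are installed, that the caller supplies the MD5 of the binary as shipped (before any prelinking), and classify_change is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread): classify an integrity alert on an ELF binary.
# Assumptions: prelink(8) and md5sum are installed; classify_change is a
# hypothetical helper name; KNOWN_GOOD_MD5 is the digest of the file as shipped
# (before any prelinking), supplied by the caller.

# classify_change FILE KNOWN_GOOD_MD5
# Prints: unchanged | prelinked | modified | unverifiable
# Returns 0 when the on-disk file is explained, 1 when it needs investigation.
classify_change() {
    file=$1
    known_good=$2

    # Digest of the bytes currently on disk.
    out=$(md5sum "$file") || { echo unverifiable; return 1; }
    current=${out%% *}
    if [ "$current" = "$known_good" ]; then
        echo unchanged
        return 0
    fi

    # prelink --verify undoes prelinking on a copy, re-prelinks it and checks the
    # result matches the on-disk file; with --md5 it prints the digest of the
    # un-prelinked content. A non-zero exit means it could not reproduce the file.
    out=$(prelink --verify --md5 "$file" 2>/dev/null) || { echo unverifiable; return 1; }
    original=${out%% *}

    if [ "$original" = "$known_good" ]; then
        echo prelinked      # only prelink's changes separate it from the shipped file
        return 0
    fi
    echo modified           # content differs even with prelinking undone
    return 1
}

# Usage: classify_change /usr/sbin/tripwire "$KNOWN_GOOD_MD5"
```

A result of "prelinked" means the alert is accounted for by prelink alone; "modified" or "unverifiable" leaves the change unexplained and worth investigating.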