Strange tripwire behaviour

Scot L. Harris webid at cfl.rr.com
Wed Mar 30 13:54:03 UTC 2005


On Wed, 2005-03-30 at 08:31, Tony Molloy wrote:
> On Wednesday 30 March 2005 14:18, Scot L. Harris wrote:
> > On Wed, 2005-03-30 at 04:55, Tony Molloy wrote:
> > 
> > > Modified object name:  /usr/sbin/tripwire
> > >
> > > Now a similar change occurred on all 20 of my servers last night so I
> > > don't think it was a compromise. At least I hope not.
> > >
> > > Any ideas.
> >
> > Most likely prelink ran and modified the binaries.  First time I had
> > tripwire report like this I was in a mild panic thinking the worst.
> > But it turned out to be prelink doing its thing via the cron job.
> >
> 
> Scot, 
> 
> Thanks, I hadn't thought of that. As you said I was in a mild panic first 
> but then said a hacker couldn't have got at all the servers which are on 
> different vlans. Funny that it never happened before though.
> 
> Tony

I saw this when I first installed tripwire on the systems.  After doing
the work to get the policy cleaned up and generate a clean database run,
the next day I saw this happen, as prelink runs each night if the
default cron job is left in place.  

If these were long-running installations of tripwire then you need to
look closer; I would expect the prelink issue to show up by the next day
after installation, not weeks or months down the road.

You should run the rpm verify option to check the tripwire binaries if
they were installed from rpm.  rpm is prelink aware and will confirm if
the binary has been changed or not by something other than prelink.

And don't discount a hacker moving very quickly through a network.  If
they found an exploit that let them in on one system and all your
systems are identical then they are all vulnerable.  Don't panic yet
though; try to verify that it was prelink that did this.  

-- 
Scot L. Harris
webid at cfl.rr.com

You will probably marry after a very brief courtship. 
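Added example, not part of the thread: a small POSIX shell script that decodes
"rpm -V" output so a tripwire report on a prelinked binary such as
/usr/sbin/tripwire can be cross-checked the way the reply above suggests.
It assumes an RPM-based system and that the prelink cron job lives at
/etc/cron.daily/prelink (both assumptions, not stated on the page); the
sample verify output at the bottom of the test is constructed.

```shell
#!/bin/sh
# rpm undoes prelinking before comparing a file against its package entry,
# so a size (S) or digest (5) change that "rpm -V" still reports did not
# come from prelink and deserves a closer look.

# Map one rpm -V flag field (9 chars, "." = unchanged) to attribute names.
# Positions: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime, P capabilities.
decode_rpmv_flags() {
  names=""
  i=1
  while [ "$i" -le 9 ]; do
    c=$(printf '%s' "$1" | cut -c"$i")
    case "$c" in
      S) names="$names,size" ;;   M) names="$names,mode" ;;
      5) names="$names,digest" ;; D) names="$names,device" ;;
      L) names="$names,link" ;;   U) names="$names,user" ;;
      G) names="$names,group" ;;  T) names="$names,mtime" ;;
      P) names="$names,caps" ;;
    esac
    i=$((i + 1))
  done
  printf '%s\n' "${names#,}"
}

# Read rpm -V lines on stdin and print "path: changes" only for files whose
# content (size or digest) differs, or that are missing. A bare mtime change
# is ignored. Returns 1 if any content change was found, else 0.
content_changes() {
  found=0
  while IFS= read -r line; do
    path=${line##* }
    case "$line" in
      missing*) printf '%s: missing\n' "$path"; found=1; continue ;;
    esac
    flags=$(printf '%s' "$line" | cut -c1-9)
    case "$flags" in
      *S*|*5*) printf '%s: %s\n' "$path" "$(decode_rpmv_flags "$flags")"
               found=1 ;;
    esac
  done
  return "$found"
}

# Live check: verify the package owning the tripwire binary (assumed paths).
check_tripwire_binary() {
  [ -x /etc/cron.daily/prelink ] && echo "note: prelink cron job is enabled"
  rpm -Vf /usr/sbin/tripwire | content_changes
}
```

Run check_tripwire_binary on the affected host; no output and a zero exit status means the binary matches its package once prelinking is undone.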
