Wire tripped

Bill Perkins perk at iag.net
Thu Oct 6 04:43:29 UTC 2005


Scot L. Harris wrote:
> On Wed, 2005-10-05 at 17:35, Bill Perkins wrote:
> 
>>After downloading and installing gnome-pkgview and gnome-common (which 
>>pkgview needed) tripwire started complaining about a whole bunch of 
>>files that had suddenly changed checksums, and in many cases, the sizes 
>>of the files as well, including tripwire itself. Did I just get zapped 
>>by something nasty, or does tripwire sometimes get a little confused?
> 
> 
> Were the files all part of gnome-common?  Did you update tripwire after
> you upgraded gnome-common? When did tripwire report a violation?

No, very few of them were part of gnome-common.

> Three possibilities.  One, tripwire ran at its usual time and reported
> the changed files which you upgraded.

It did, with a whole bunch more.

> Two, if you updated tripwire after doing the upgrade, prelink probably
> ran later that night and modified the updated files you installed via
> gnome-common.  Tripwire then reported the differences.

Haven't upgraded tripwire since installing it. Looks like the tripwire 
rpm gets compromised as well, through yum (yum erase tripwire; yum 
install tripwire yields a different tripwire md5 each time. Very 
strange, different from the one on backup.)

> Third, if neither one nor two are possibilities then you need to look at
> the particular files being reported.  You might have been hacked. 

There is a ton of files, most of which have nothing to do with 
gnome-common or gnome-pkgview, both of which were installed just prior 
to this. I also added the livna repo (per instructions from some yum 
FAQ) just prior to this.

-- 
-------------------------------------------------------------------------------
"The two most common things in the	| Bill Perkins
  universe are Hydrogen and Stupidity."	| perk at iag.net
					| programmer-at-large
		F. Zappa		| ALL assembly languages done here.
-------------------------------------------------------------------------------
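
One way to test the prelink possibility raised in the quoted reply, as an added example that is not part of the original message: prelink only rewrites ELF executables and shared libraries, so splitting the reported paths by file type shows which changes it could account for. The file names are constructed, and `unprelinked_md5` is a hypothetical helper that assumes the `prelink` tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): sort changed files into those prelink
# could have rewritten (ELF objects) and those it cannot explain.

# is_elf PATH: succeeds when PATH is a regular file starting with 0x7f 'E' 'L' 'F'.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# classify PATH: prints missing, prelink-candidate, or not-elf.
classify() {
    if [ ! -e "$1" ]; then
        echo missing
    elif is_elf "$1"; then
        echo prelink-candidate
    else
        echo not-elf
    fi
}

# triage: reads one path per line on stdin, prints "CLASS<TAB>PATH".
triage() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\t%s\n' "$(classify "$path")" "$path"
    done
}

# unprelinked_md5 PATH: digest of the file as it was before prelinking, for
# comparison with a known-good copy. Assumes the prelink tool is installed.
unprelinked_md5() {
    command -v prelink >/dev/null 2>&1 || { echo prelink-unavailable; return 0; }
    prelink --verify --md5 "$1"
}

# Demo on constructed files (stand-ins for paths from a tripwire report).
demo() {
    d=$(mktemp -d) || return 1
    printf '\177ELF\002\001\001' > "$d/fake-binary"   # constructed ELF header stub
    printf 'PermitRootLogin no\n' > "$d/sshd_config"  # constructed text file
    printf '%s\n' "$d/fake-binary" "$d/sshd_config" "$d/gone" | triage
    rm -rf "$d"
}
demo
```

Paths classified as `not-elf` or `missing` cannot be explained by prelink and need to be examined separately.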



