[RH List] Re: Possible break-in
Ashley M. Kirchner
ashley at pcraft.com
Thu May 13 19:26:20 UTC 2004
Eric Wood wrote:
>Now, this doesn't have anything to do with the "prelink" routine that cron
>runs? Prelink changes file sizes and signatures but I don't know if it is
>designed to hush up tripwire about these changes.
>
Woah... I just looked at /var/log/prelink.log, and every single
file flagged by tripwire is also listed in the log. You may be on to
something here, but then my question is, why now? The system's been up
and running for a while now (a month at least) and only now does it
start affecting them?
A preliminary test, just done, shows that when I undo the prelink to
one of the changed binaries, it reverts back to the original file size.
Redoing the prelinking, and it goes back to the larger size. So maybe
that's the answer, it's prelink doing this, and tripwire flagging them
accordingly. So then the question still is: why now? Why not a week
ago, or a month ago?
--
W | I haven't lost my mind; it's backed up on tape somewhere.
+--------------------------------------------------------------------
Ashley M. Kirchner <mailto:ashley at pcraft.com> . 303.442.6410 x130
IT Director / SysAdmin / WebSmith . 800.441.3873 x130
Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave. #6
http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
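
The cross-check described in the message above, as an added example that is not part of the original post: it splits tripwire-flagged paths into those the prelink log accounts for and those it does not, and compares a binary's pre-prelink MD5 (via `prelink -y --md5`, which leaves the file untouched) with a known-good digest. The function names, the `Prelinking <path>` log-line format and the sample paths are assumptions.

```sh
#!/bin/sh
# Triage tripwire-flagged files against the prelink log.
# Assumption: the log contains "Prelinking /path" lines (verbose prelink output).

# prelinked_paths LOG: print every path the log reports as prelinked.
prelinked_paths() {
    sed -n 's/^Prelinking //p' "$1" | sort -u
}

# triage LOG FLAGGED: FLAGGED holds one tripwire-flagged path per line. Prints
#   "prelink <path>"      the path appears in the prelink log
#   "unexplained <path>"  prelink cannot account for the change; investigate
triage() (
    known=$(prelinked_paths "$1")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if printf '%s\n' "$known" | grep -Fxq -- "$path"; then
            echo "prelink $path"
        else
            echo "unexplained $path"
        fi
    done < "$2"
)

# verify_original PATH KNOWN_GOOD_MD5: succeed only if the file's content
# *before* prelinking matches the known-good digest. Requires prelink to be
# installed; a log entry alone does not show the file is unmodified.
verify_original() (
    sum=$(prelink -y --md5 "$1" 2>/dev/null | awk '{print $1}')
    [ -n "$sum" ] && [ "$sum" = "$2" ]
)

# demo: run triage over constructed sample data (not taken from the thread).
demo() (
    dir=$(mktemp -d)
    printf '%s\n' 'Prelinking /bin/ls' 'Prelinking /usr/bin/less' > "$dir/prelink.log"
    printf '%s\n' /bin/ls /usr/bin/less /sbin/ifconfig > "$dir/flagged.txt"
    triage "$dir/prelink.log" "$dir/flagged.txt"
    rm -rf "$dir"
)

if [ "${1:-}" = demo ]; then demo; fi
```

A `prelink` verdict only says prelink touched the file; `verify_original` against a digest recorded before the first prelink run is what confirms the underlying binary is unchanged.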