Re: Tripwire output on Solaris 2.7

From: Neil Dickey (neil@geol.niu.edu)
Date: 10/11/01


Message-Id: <200110111906.OAA28871@shiloh.geol.niu.edu>
Date: Thu, 11 Oct 2001 14:06:28 -0500 (CDT)
From: Neil Dickey <neil@geol.niu.edu>
Subject: Re: Tripwire output on Solaris 2.7
To: focus-sun@securityfocus.com


"Simon Crowther" <SCrowthe@msxi-euro.com> wrote asking:

>I have just run Tripwire on one of my servers;
>the output is as follows.... Is this suspect? If so, what do
>I look at next to investigate further?

It would help to know what "normal" on this machine looks like,
or, rather, what it is about this output that is different from
what you normally see when you run Tripwire. There are some
entries in your log which resemble changes that occur during a
reboot, for instance. Did you reboot the machine before you ran
Tripwire? When was the last time it was rebooted?

Other entries I do not recognize from my own experience, but may
still be normal for your system.

I am particularly concerned regarding the final entry, which
indicates that the Tripwire signature database has been changed.
Did you update the database yourself, or is this an intruder
trying to cover his tracks? It would also be interesting to
know what has changed in /etc/rc2.d/S73aroutes, because it will
affect the way your machine boots.

Good practice with Tripwire includes maintaining current copies
of the database files on read-only media, or completely off the
system, so as to be inaccessible to the BadGuys(TM) should they
get in. Do you have such copies? If so, then put them in
service and see what Tripwire tells you. Be sure to save copies
of the suspect database files for reference purposes.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115

>#########################################################
>
>### Phase 5: Generating observed/expected pairs for changed files
>###
>### Attr Observed (what it is) Expected (what it should be)
>### =========== ============================= =============================
>/etc
> st_mtime: Wed Oct 10 13:35:15 2001 Wed Aug 15 14:38:43 2001
> st_ctime: Wed Oct 10 13:35:15 2001 Wed Aug 15 14:38:43 2001
>
>/etc/cron.d
> st_mtime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> st_ctime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
>
>/etc/cron.d/FIFO
> st_mtime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> st_ctime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
>
>/etc/rc2.d/S73aroutes
> st_size: 1258 1260
> st_mtime: Fri Sep 28 08:58:02 2001 Mon Aug 13 17:18:20 2001
> st_ctime: Fri Sep 28 08:58:02 2001 Mon Aug 13 17:18:20 2001
> md5 (sig1): 1fIqX3r52usjqGURG8P9tE 2PnaPyolt7WUdMOjQEFxVU
> snefru (sig2): 1cbNnVGwySm2vceygVLott 3BBNQ0kWETGePMmH56INSE
>
>/etc/security/audit_data
> st_mtime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> st_ctime: Tue Sep 18 18:28:11 2001 Fri Aug 10 20:39:54 2001
> md5 (sig1): 1TNTwId4rliPQsDmYYft6a 1026:.0glAHKTNBJ7eDLwy
> snefru (sig2): 1PaWLvvhbAZ1p7rzkHrMPo 2WLFJE5gGfFH2BsWif.A.U
>
>/etc/mnttab
> st_size: 402 395
> st_mtime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
> st_ctime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
> md5 (sig1): 0XfdN5:ZqwlNpNiKuCqpCl 1f8cRP:ln0Zv8p2X2mxPgj
> snefru (sig2): 3wNWpM6csYNE5w5cZNqS:b 3H8z3cIM5UJNYmkRaWmxWl
>
>/etc/utmppipe
> st_mtime: Thu Oct 11 11:49:12 2001 Wed Aug 29 10:34:41 2001
> st_ctime: Thu Oct 11 11:49:12 2001 Wed Aug 29 10:34:41 2001
>
>/etc/coreadm.conf
> st_mtime: Tue Sep 18 18:28:04 2001 Fri Aug 10 20:39:46 2001
> st_ctime: Tue Sep 18 18:28:04 2001 Fri Aug 10 20:39:46 2001
>
>/etc/syslog.pid
> st_mtime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> st_ctime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> md5 (sig1): 0MjmvegjqY5G3nG3iz9EdU 2GbPRiRCVRYt3nHH:mQpWQ
> snefru (sig2): 1Wf3fbOtyqtghckd91UVEa 3GvW.JCudTpN2HGBnL3l5v
>
>/etc/initpipe
> st_mtime: Thu Oct 11 11:49:12 2001 Wed Aug 29 10:34:09 2001
> st_ctime: Thu Oct 11 11:49:12 2001 Wed Aug 29 10:34:09 2001
>
>/etc/.mnttab.lock
> st_mtime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
> st_ctime: Tue Sep 18 18:28:06 2001 Fri Aug 10 20:39:49 2001
>
>/etc/.pwd.lock
> st_mtime: Wed Oct 10 13:35:15 2001 Wed Aug 15 14:38:43 2001
> st_ctime: Wed Oct 10 13:35:15 2001 Wed Aug 15 14:38:43 2001
>
>/etc/dumpadm.conf
> st_mtime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
> st_ctime: Tue Sep 18 18:28:10 2001 Fri Aug 10 20:39:53 2001
>
>/etc/oshadow
> st_size: 534 520
> st_mtime: Wed Oct 10 13:35:01 2001 Wed Aug 15 14:38:36 2001
> st_ctime: Wed Oct 10 13:35:15 2001 Wed Aug 15 14:38:43 2001
> md5 (sig1): 0lVZggzEqTj7b2BD5ughpZ 0B9enMiVM.ar4kNcKeKg8D
> snefru (sig2): 0GEZk65og:VoBPy1LyejA5 1m2ibqQFeYiTueaMKEBA8L
>
>/usr/sbin
> st_mtime: Tue Sep 18 18:28:08 2001 Fri Aug 10 20:39:50 2001
> st_ctime: Tue Sep 18 18:28:08 2001 Fri Aug 10 20:39:50 2001
>
>/usr/sbin/ndd
> st_ctime: Tue Sep 18 18:28:08 2001 Fri Aug 10 20:39:50 2001
>
>/tmp
> st_ino: 234903201 234899105
>
>/proc
> st_nlink: 31 33
>
>/export/home/tripwire/bin/databases/tw.db_msxgbgw1
> st_mtime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
> st_ctime: Thu Sep 20 15:12:35 2001 Tue Aug 28 17:48:56 2001
> md5 (sig1): 0IwBXI:7wc0zkf6Fd.ZDz4 1WBpJzMF9qHs1S:hA7rVsd
> snefru (sig2): 0tfIUuhOX:2WTXxljSXXO0 1aPZdiJ7sUTvwi1OWKYEwh
>
>#
>
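Added example, not part of this thread or of Tripwire itself: a small Python triage script that parses a Tripwire 1.x Phase 5 observed/expected report like the one quoted above and ranks each entry the way the reply does (database file changed first, then a boot-time rc script whose content hash changed, then other content changes, and last the timestamp-only changes that a reboot produces on pipes and lock files). The embedded report is a constructed sample in the quoted format, and the database path and the rc-script pattern are assumptions.

```python
import re

CONTENT_ATTRS = {"st_size", "md5 (sig1)", "snefru (sig2)"}   # content, not just metadata
SEVERITY = {"DATABASE_CHANGED": 3, "STARTUP_SCRIPT_CHANGED": 2,
            "CONTENT_CHANGED": 1, "METADATA_ONLY": 0}

# Constructed sample in the Phase 5 format; the ">" mail quoting is tolerated.
SAMPLE_REPORT = """\
>### Attr Observed (what it is) Expected (what it should be)
>/etc/initpipe
> st_mtime: Thu Oct 11 11:49:12 2001 Wed Aug 29 10:34:09 2001
> st_ctime: Thu Oct 11 11:49:12 2001 Wed Aug 29 10:34:09 2001
>
>/etc/rc2.d/S73aroutes
> st_size: 1258 1260
> md5 (sig1): 1fIqX3r52usjqGURG8P9tE 2PnaPyolt7WUdMOjQEFxVU
>
>/export/home/tripwire/bin/databases/tw.db_msxgbgw1
> md5 (sig1): 0IwBXI:7wc0zkf6Fd.ZDz4 1WBpJzMF9qHs1S:hA7rVsd
"""

def parse_phase5(report):
    """Map path -> {attr: (observed, expected)} from Phase 5 report text."""
    entries, current = {}, None
    for raw in report.splitlines():
        line = raw.lstrip(">").rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a new changed-file entry
            current = line
            entries[current] = {}
        elif current is not None and ":" in line:
            attr, rest = line.strip().split(":", 1)   # first ':' only; dates contain ':'
            tokens = rest.split()
            half = len(tokens) // 2       # observed and expected have equal token counts
            entries[current][attr] = (" ".join(tokens[:half]), " ".join(tokens[half:]))
    return entries

def classify(path, attrs, db_path):
    if path == db_path:                   # the signature database itself changed
        return "DATABASE_CHANGED"
    content_changed = any(a in CONTENT_ATTRS for a in attrs)
    if content_changed and re.match(r"^/etc/(rc\d\.d|init\.d)/", path):
        return "STARTUP_SCRIPT_CHANGED"   # affects how the machine boots
    if content_changed:
        return "CONTENT_CHANGED"
    return "METADATA_ONLY"                # timestamps/inode only: reboot-like

def triage(report, db_path):
    """Return [(path, label)] most serious first."""
    found = [(p, classify(p, a, db_path)) for p, a in parse_phase5(report).items()]
    return sorted(found, key=lambda item: -SEVERITY[item[1]])
```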