Re: Possible tripwire false alarm?

From: Berend De Schouwer (bds@jhb.ucs.co.za)
Date: 10/15/01


Subject: Re: Possible tripwire false alarm?
From: Berend De Schouwer <bds@jhb.ucs.co.za>
To: Sebastian Ip <9scki@qlink.queensu.ca>
Date: 15 Oct 2001 17:37:35 +0200
Message-Id: <1003160255.23489.117.camel@bds.ucs.co.za>

On Mon, 2001-10-15 at 14:25, Sebastian Ip wrote:
>
> Dear experienced security people
>
> I am in a fix and I need an answer really quick....
>
> I woke up today checked my personal linux firewall logs.. noticed that
> overnight tripwire results were in my mail box.. Checked it.. and ALARM!! ls has
> been modified along with gunzip, gzip, zcat and cpio. All of them in /bin.

Step 1: stay calm :)

What changed? sums, permissions, or timestamps? If you run tripwire
again, have the same files changed? If it's different files, maybe you
have flaky hardware.
>
> Thanks
>
> Sebastian Ip
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
Berend De Schouwer
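
The triage questions in the reply above (what kind of change was reported, and does it repeat on a second run), sketched as an added example that is not part of the original thread. The files are constructed stand-ins in a temporary directory, and the function names and the simulated `gunzip` misread are assumptions for illustration.

```python
import hashlib, os, pathlib, stat, tempfile

def snapshot(path):
    """Record the attributes a file-integrity check compares."""
    st = os.stat(path)
    digest = hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "owner": (st.st_uid, st.st_gid), "mtime_ns": st.st_mtime_ns}

def classify(base, cur):
    """Name the kinds of difference: content, permissions, timestamps."""
    kinds = []
    if (base["sha256"], base["size"]) != (cur["sha256"], cur["size"]):
        kinds.append("content")
    if (base["mode"], base["owner"]) != (cur["mode"], cur["owner"]):
        kinds.append("permissions")
    if base["mtime_ns"] != cur["mtime_ns"]:
        kinds.append("timestamps")
    return kinds

def triage(baseline, run1, run2):
    """Compare two consecutive runs with one baseline; flag results that do not repeat."""
    report = {}
    for path, base in sorted(baseline.items()):
        kinds = sorted(set(classify(base, run1[path])) | set(classify(base, run2[path])))
        if kinds:
            report[path] = {"changes": kinds, "reproducible": run1[path] == run2[path]}
    return report

def demo():
    """Constructed stand-in files in a temp directory, not the real /bin."""
    t0 = 1_003_000_000 * 10**9  # fixed mtime so the result is deterministic
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ["cpio", "gunzip", "gzip", "ls", "zcat"]}
        for p in paths.values():
            pathlib.Path(p).write_bytes(b"original bytes")
            os.chmod(p, 0o755)
            os.utime(p, ns=(t0, t0))
        def scan():
            return {n: snapshot(p) for n, p in paths.items()}
        baseline = scan()
        pathlib.Path(paths["ls"]).write_bytes(b"different bytes!")      # content replaced
        os.utime(paths["gzip"], ns=(t0 + 60 * 10**9, t0 + 60 * 10**9))  # touched only
        os.chmod(paths["cpio"], 0o775)                                  # mode changed only
        run1, run2 = scan(), scan()
        run1["gunzip"] = dict(run1["gunzip"], sha256="0" * 64)  # constructed one-off misread
    return triage(baseline, run1, run2)

if __name__ == "__main__":
    print(demo())
```

A finding with `"reproducible": False` is the case the reply attributes to flaky hardware; a checksum change that repeats on every run is the one to investigate as a real modification.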
