Re: Possible tirpwire false alarm?

From: Berend De Schouwer (bds@jhb.ucs.co.za)
Date: 10/15/01

Previous message: Sebastian Ip: "Possible tirpwire false alarm?"
In reply to: Sebastian Ip: "Possible tirpwire false alarm?"
Next in thread: Sebastian Ip: "Re: Possible tirpwire false alarm?"
Reply: Sebastian Ip: "Re: Possible tirpwire false alarm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Subject: Re: Possible tirpwire false alarm?
From: Berend De Schouwer <bds@jhb.ucs.co.za>
To: Sebastian Ip <9scki@qlink.queensu.ca>
Date: 15 Oct 2001 17:37:35 +0200
Message-Id: <1003160255.23489.117.camel@bds.ucs.co.za>

On Mon, 2001-10-15 at 14:25, Sebastian Ip wrote:
>
> Dear experienced security people
>
> I am in a fix and i need an answer really quick....
>
> I woke up today checked my personal linux firewall logs.. noticed that over
> night tirpwire results were in my mail box.. Checked it.. and ALARM!! ls has
> been modified along with gunzip, gzip, zcat and cpio. All of them in /bin.

Step 1: stay calm :)

What changed? sums, permissions, or timestamps? If you run tripwire
again, have the same files changed? If its different files, maybe you
have flaky hardware.
>
> Thanks
>
> Sebastian Ip
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- Berend De Schouwer

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Previous message: Sebastian Ip: "Possible tirpwire false alarm?"
In reply to: Sebastian Ip: "Possible tirpwire false alarm?"
Next in thread: Sebastian Ip: "Re: Possible tirpwire false alarm?"
Reply: Sebastian Ip: "Re: Possible tirpwire false alarm?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: PDL anti-spam blacklist
... >:> This list is provided by the SecurityFocus ARIS analyzer service. ... >:> For more information on this free incident handling, management ... >:> and tracking system please see: http://aris.securityfocus.com ...
(Incidents)
RE: "Code Red" worm questions
... but from other research we think the worm only tries to attack ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: ...
(Incidents)
Re: Linux Kernel Exploits / ABFrag
... There have been lots of rumors ... > This list is provided by the SecurityFocus ARIS analyzer service. ... > For more information on this free incident handling, management ... > and tracking system please see: http://aris.securityfocus.com ...
(Incidents)
Re: Bind 9.2.X exploit???
... >>> This list is provided by the SecurityFocus ARIS analyzer service. ... >>> For more information on this free incident handling, management ... >>> and tracking system please see: http://aris.securityfocus.com ...
(Incidents)
RE: "Nimda"?
... >I recently built a Redhat Linux 7.0 server to use as a web server. ... >This list is provided by the SecurityFocus ARIS analyzer service. ... >and tracking system please see: http://aris.securityfocus.com ...
(Incidents)