Tripwire Problem/question/panic
Robert83
post Mar 14 2004, 05:45 PM
Post #1
Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069

Hi,

I've checked the tripwire reports, and yesterday this is what happened:

Modified object name: /usr/sbin/exportfs

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519367                    519433
* Size           35992                     38744
* Modify Time    Fri Dec 12 18:35:23 2003  Fri Mar 12 03:29:06 2004
* Blocks         72                        80
* CRC32          Ahfpdc                    AwWkU2
* MD5            BRxB7sItj2zWvhpYwIszO6    A0D2ZqnYRreulRiREl7cNG


Modified object name: /usr/sbin/nfsstat

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519368                    519367
* Size           7788                      10092
* Modify Time    Fri Dec 12 18:35:23 2003  Fri Mar 12 03:29:06 2004
* Blocks         16                        24
* CRC32          BWpoIb                    BYUlMG
* MD5            A0yWR28/riK95uoLLzW23m    BuCDY3SKx4rqsuxdNyQi4M


Modified object name: /usr/sbin/nhfsgraph

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519369                    519368
* Modify Time    Fri Dec 12 18:35:23 2003  Fri Mar 12 03:29:05 2004


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
Robert83
post Mar 14 2004, 05:47 PM
Post #2

Modified object name: /usr/sbin/nhfsnums

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519370                    519369
* Modify Time    Fri Dec 12 18:35:23 2003  Fri Mar 12 03:29:05 2004


Modified object name: /usr/sbin/nhfsrun

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519371                    519370
* Modify Time    Fri Dec 12 18:35:23 2003  Fri Mar 12 03:29:05 2004


Modified object name: /usr/sbin/nhfsstone

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519372                    519371
* Modify Time    Fri Dec 12 18:35:24 2003  Fri Mar 12 03:29:06 2004


Robert83
post Mar 14 2004, 05:49 PM
Post #3

Modified object name: /usr/sbin/rpc.mountd

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519373                    519372
* Size           56216                     64408
* Modify Time    Fri Dec 12 18:35:23 2003  Fri Mar 12 03:29:06 2004
* Blocks         120                       136
* CRC32          Bm0zLm                    AxugLe
* MD5            AI3cxAM/d95Ig6IQNGOmOi    CuPjRCxBkiIKSSjbmUng0M


Modified object name: /usr/sbin/rpc.nfsd

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519374                    519373
* Size           4936                      6680
* Modify Time    Fri Dec 12 18:35:23 2003  Fri Mar 12 03:29:06 2004
* CRC32          D5FeTu                    Af6Qm3
* MD5            B36zABRcBrK9wQOXqvxk69    DYu++sXgyDqBLIEyjD1k3D


Modified object name: /usr/sbin/showmount

Property:        Expected                  Observed
-------------    ------------------------  ------------------------
* Inode Number   519375                    519374
* Size           9896                      10044
* Modify Time    Fri Dec 12 18:35:24 2003  Fri Mar 12 03:29:06 2004
* CRC32          Ds8hej                    DgJd4d
* MD5            Abwtcj5f63VC7FTRYm38pt    BSMEWIdd//Zl9paOdfS9fC

This is a problem then, right? Or just another update [though I turned yum off in service]... what to do now?

Sincerely
Robert B


hughesjr
post Mar 14 2004, 09:04 PM
Post #4
Group: Admin
Posts: 3,433
Joined: 25-July 03
From: Corpus Christi, TX, USA
Member No.: 1,151

I would look in /var/log/messages and auth (and the iptables log) for logins around March 12 at 03:29 am. All these files are binaries (and stats) for doing NFS ... Did you do NFS mounts on Friday Mar 12 at about 3:30am to that box?

If not, I would run chkrootkit ... Although, it looks as if not a lot changed.


--------------------
Johnny Hughes
hughesjr@linuxhelp.net
Enterprise Alternatives: CentOS, WhiteBoxEL
Favorite Workstation Distros (in order): CentOS, Gentoo, Debian Sarge, Ubuntu, Mandrake, FedoraCore, Slackware, SUSE
Favorite Server Distros (in order): CentOS, WhiteBoxEL, Debian Sarge, Slackware, Mandrake, FedoraCore, Gentoo, SUSE
Robert83
post Mar 15 2004, 04:50 AM
Post #5

Hi,

well, I checked it.

iptables has a log at 3:22 and at 3:33 but nothing at 3:29,
secure has nothing at all on Mar 12, it ends with 10 and continues with 13 [I haven't logged in on 10-12 I think, but not sure, I will write a book from now on, on when I log in etc...]...

./chkrootkit shows that nothing is infected [it runs every 6 hrs with tripwire automatically, and sends me the report in e-mail].

And I did not do any NFS mounts on that day, I don't have any reason to do that on the firewall, but I did use ssh, mc [sometimes I copy files with shell link from mc, but not on that day, I wasn't even logged on, according to secure].

And I've checked setup, and it says that yum is not running, but I've just checked /etc/init.d/yum status
and it says yum nightly update is enabled... which means yum updated those files... I think, right?

How do I need to disable yum automatic updates, if not through setup?

Sincerely
Robert B


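Johnny's advice (look in the auth and iptables logs around the observed modify time) and Robert's follow-up (the nightly yum job is the likely explanation) can be turned into one repeatable check. The script below is an added example written for this thread, not code from either poster. It parses a Tripwire report excerpt in the layout Robert posted, takes the Observed modify time of each changed object, asks whether yum logged an update of the owning package within a few minutes of it, and separately lists auth-log events near a given time. The report, yum.log and secure lines are constructed samples; the yum.log line layout and the path-to-package table (standing in for `rpm -qf`, which needs a real RPM database) are assumptions.

```shell
#!/bin/sh
# Correlate Tripwire "Modified object" entries with yum and auth logs.
# Added example for this thread, not code from it. All sample data is constructed.

# Constructed report excerpt in the layout Tripwire printed in the thread.
TW_REPORT='Modified object name: /usr/sbin/exportfs

Property: Expected Observed
* Inode Number 519367 519433
* Modify Time Fri Dec 12 18:35:23 2003 Fri Mar 12 03:29:06 2004

Modified object name: /usr/sbin/rpc.mountd

* Modify Time Fri Dec 12 18:35:23 2003 Fri Mar 12 03:29:06 2004

Modified object name: /usr/sbin/sshd

* Modify Time Fri Dec 12 18:35:23 2003 Fri Mar 12 22:14:40 2004'

# Constructed /var/log/yum.log lines; the "Mon DD HH:MM:SS Updated: pkg ver" layout is assumed.
YUM_LOG='Mar 12 03:29:02 Updated: nfs-utils 1.0.6-1.i386
Mar 12 03:29:08 Updated: portmap 4.0-59.i386'

# Constructed /var/log/secure lines in syslog layout.
SECURE_LOG='Mar 12 22:13:58 fw sshd[4111]: Accepted password for robert from 192.0.2.10 port 51522 ssh2
Mar 13 09:02:11 fw sshd[5021]: Accepted publickey for robert from 192.0.2.10 port 40112 ssh2'

# Constructed path -> package table standing in for `rpm -qf`, which needs the real RPM database.
pkg_owner() {
    case "$1" in
        /usr/sbin/exportfs|/usr/sbin/rpc.mountd|/usr/sbin/nfsstat) echo nfs-utils ;;
        /usr/sbin/sshd) echo openssh-server ;;
        *) echo unknown ;;
    esac
}

# Seconds since midnight for an HH:MM:SS string.
to_secs() {
    echo "$1" | awk -F: '{ print $1 * 3600 + $2 * 60 + $3 }'
}

# One line per changed object: "path|Mon DD HH:MM:SS", taken from the Observed modify time.
tw_changes() {
    printf '%s\n' "$TW_REPORT" | awk '
        /^Modified object name:/ { path = $4 }
        # Fields: * Modify Time  Dow Mon DD HH:MM:SS YYYY (expected)  Dow Mon DD HH:MM:SS YYYY (observed)
        /^\* Modify Time/ { printf "%s|%s %s %s\n", path, $10, $11, $12 }'
}

# Print lines of log text $5 dated Mon DD ($1 $2) whose time is within $4 seconds of HH:MM:SS ($3).
log_lines_near() {
    t=$(to_secs "$3")
    printf '%s\n' "$5" | awk -v mon="$1" -v day="$2" -v t="$t" -v w="$4" '
        $1 == mon && $2 == day {
            split($3, hms, ":"); d = hms[1] * 3600 + hms[2] * 60 + hms[3] - t
            if (d < 0) d = -d
            if (d <= w) print
        }'
}

# Succeed when yum logged an update of package $1 near Mon DD HH:MM:SS ($2 $3 $4), window $5 seconds.
yum_explains() {
    log_lines_near "$2" "$3" "$4" "$5" "$YUM_LOG" | grep -q "Updated: $1 "
}

# Auth-log events near a time: the "logins around 03:29" check suggested in the thread.
auth_events_near() {
    log_lines_near "$1" "$2" "$3" "$4" "$SECURE_LOG"
}

# One verdict per changed object; $1 is the correlation window in seconds (default 300).
classify_changes() {
    window=${1:-300}
    tw_changes | while IFS='|' read -r path stamp; do
        set -- $stamp        # Mon DD HH:MM:SS
        pkg=$(pkg_owner "$path")
        if yum_explains "$pkg" "$1" "$2" "$3" "$window"; then
            echo "EXPLAINED   $path ($pkg updated by yum near $stamp)"
        else
            echo "UNEXPLAINED $path ($pkg: no yum transaction near $stamp)"
        fi
    done
}

classify_changes
echo '--- auth events near the unexplained change ---'
auth_events_near Mar 12 22:14:40 300
```

On a real host, replace the table with `rpm -qf` and follow an EXPLAINED verdict with `rpm -V <package>`, which compares the installed files against the RPM database, so the verdict rests on the package record rather than on timing alone. A change with no matching transaction, especially one with an interactive login close to its modify time, is the one to treat as an incident rather than as an update.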
hughesjr
post Mar 15 2004, 06:36 AM
Post #6

cd /etc/init.d

chkconfig --list yum

mine looks like this with yum updates turned on:

    yum             0:off   1:off   2:on    3:on    4:on    5:on    6:off

now use this command to turn it off:

chkconfig --level 0123456 yum off

then check again with:

chkconfig --list yum

now my output is:

    yum             0:off   1:off   2:off   3:off   4:off   5:off   6:off

That will prevent it from turning on when you start up the system ... also turn it off now with the command:

/etc/init.d/yum stop


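The procedure above ends with a manual re-read of `chkconfig --list yum`. For a firewall host it is worth making that re-check routine, so a nightly job that quietly re-enables itself (or one that was only switched off in `setup`) is caught. The following is an added example, not code from this thread: it parses `chkconfig --list` output in the layout shown above and reports any service from a must-be-off list that is still enabled in some runlevel, together with the exact `chkconfig --level ...` command that would clear it. The sample output and the policy list are constructed; only the yum line matches the thread.

```shell
#!/bin/sh
# Audit `chkconfig --list` output for services that must stay disabled.
# Added example for this thread, not code from it; sample output is constructed.

# Constructed `chkconfig --list` output. The yum line is the one shown in the thread;
# the nfs and sshd lines are made up to give the audit something to pass and something to ignore.
CHKCONFIG_OUT='yum             0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Constructed policy: services that have no business starting on this host.
MUST_BE_OFF='yum nfs'

# Print the runlevels in which service $1 is "on", space separated (empty when fully off).
enabled_levels() {
    printf '%s\n' "$CHKCONFIG_OUT" | awk -v svc="$1" '
        $1 == svc {
            out = ""
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")                 # "3:on" -> kv[1]="3", kv[2]="on"
                if (kv[2] == "on") out = out (out == "" ? "" : " ") kv[1]
            }
            print out
        }'
}

# Report every policy service still enabled somewhere; return 1 if any is.
audit_disabled() {
    rc=0
    for svc in $MUST_BE_OFF; do
        levels=$(enabled_levels "$svc")
        if [ -n "$levels" ]; then
            compact=$(echo "$levels" | tr -d ' ')   # "2 3 4 5" -> "2345" for --level
            echo "VIOLATION $svc enabled in runlevels $levels (fix: chkconfig --level $compact $svc off; /etc/init.d/$svc stop)"
            rc=1
        else
            echo "ok        $svc disabled in all runlevels"
        fi
    done
    return $rc
}

audit_disabled || echo 'audit failed: fix the services listed above'
```

Run it from the same cron job that mails the Tripwire and chkrootkit reports, with `CHKCONFIG_OUT=$(chkconfig --list)`, and the mail will also say whether the nightly update job is off before the next 03:29 comes round.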
