
binary that changed



I'm new to aide and tripwire.  I'm currently running aide on one
of my systems and in the report I got today, the following
entries showed up and are alarming me.  I don't recall running
"apt-get update && apt-get upgrade" on this woody system.  I'm
used to seeing the log files and ttys changing, which is normal
from what I've read.

changed:/usr/bin
changed:/usr/bin/aide
changed:/usr/sbin

File: /usr/bin
Mtime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
Ctime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22

File: /usr/bin/aide
MD5: old = Ou+SgZdGdcx4E3VPzKf2Fw== , new = Ys9Icpz79CrH9RxveA6Fhg==
SHA1: old = 4S4enqdjjNR/JgOnKDmQ8y+KU8s= , new = fusOGPoAMUIwimDGfSIXFhezUKs=

File: /usr/sbin
Mtime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
Ctime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22

I'm thinking some kind of rootkit, but why would this show up?
If done properly, the attacker would run --init with their new
aide binary to replace the database.  Anyway, I ran "aide
--check" using a copy of the original database and it comes up
with the same result as above.

I also run snort, but in the recent flurry of "IIS attacks",
it's hard to dig through the huge log files for other attacks
that might be caught.

If anyone has any ideas on this, I'd really appreciate it.

thanks,
jc

-- 

Jeff Coppock		Nortel Networks
Systems Engineer	http://nortelnetworks.com
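The two checks the poster describes (an aide --check against the live database, then against a saved copy of the original one) can be reproduced in miniature. The example below is added here and is not aide's code or anything from the post: it is a small baseline/check routine that records Mtime, Ctime and base64-encoded MD5/SHA1 for every directory and regular file, prints a report in the same layout as aide's, and walks through a constructed scenario in a temporary directory. The file contents, timestamps and the "attacker re-runs --init" step are all assumptions made for the demonstration; the point it shows is the one in the post, that a check against a database the attacker re-initialised after swapping the binary is silent, while a check against an off-host copy of the original database still flags the change.

```python
"""Minimal aide-style baseline and check (illustrative, not aide's own code).

Mimics the report format seen in the post: a changed: list followed by
per-file "attr: old = ... , new = ..." lines, with MD5/SHA1 printed as base64.
"""
import base64
import hashlib
import os
import stat
import tempfile
import time

# Constructed timestamps for the demo tree (pristine baseline, then the tampering).
PRISTINE_TIME = 1001494515
TAMPERED_TIME = PRISTINE_TIME + 2 * 86400 + 41227


def digests(path):
    """Base64-encoded MD5 and SHA1 of a file, the encoding aide uses in its reports."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "MD5": base64.b64encode(hashlib.md5(data).digest()).decode(),
        "SHA1": base64.b64encode(hashlib.sha1(data).digest()).decode(),
    }


def snapshot(root):
    """Equivalent of `aide --init`: record attributes of every dir and regular file under root.
    Keys are absolute-looking paths relative to root ("/usr/bin/aide")."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(p)
            rec = {"Mtime": int(st.st_mtime), "Ctime": int(st.st_ctime)}
            if stat.S_ISREG(st.st_mode):
                rec.update(digests(p))
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            db["/" if rel == "." else "/" + rel] = rec
    return db


def compare(baseline, current):
    """Equivalent of `aide --check`: {path: {attr: (old, new)}} for every entry that differs."""
    changed = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None or new is None:
            changed[path] = {"status": ("present" if old else "absent",
                                        "present" if new else "absent")}
            continue
        diffs = {k: (old[k], new.get(k)) for k in old if old[k] != new.get(k)}
        if diffs:
            changed[path] = diffs
    return changed


def format_report(changed):
    """Render the comparison in aide's report layout."""
    def show(attr, v):
        if attr in ("Mtime", "Ctime") and isinstance(v, int):
            return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(v))
        return str(v)
    lines = ["changed:" + p for p in changed]
    for path, diffs in changed.items():
        lines += ["", "File: " + path]
        for attr, (old, new) in diffs.items():
            lines.append(f"{attr}: old = {show(attr, old)} , new = {show(attr, new)}")
    return "\n".join(lines)


def demo():
    """Constructed scenario: baseline a tree, replace the checker binary, then check against
    (a) the saved original database and (b) a database re-initialised after the tampering.
    Returns both comparison results."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        aide = os.path.join(bindir, "aide")
        with open(aide, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine checker\n")  # constructed stand-in for the real binary
        os.utime(aide, (PRISTINE_TIME, PRISTINE_TIME))
        os.utime(bindir, (PRISTINE_TIME, PRISTINE_TIME))
        original_db = snapshot(root)  # the copy you keep off the host

        # Replace the binary the way a package install would: write a new file, rename it over.
        tmp = aide + ".new"
        with open(tmp, "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned checker\n")
        os.replace(tmp, aide)
        os.utime(aide, (TAMPERED_TIME, TAMPERED_TIME))
        os.utime(bindir, (TAMPERED_TIME, TAMPERED_TIME))

        against_original = compare(original_db, snapshot(root))
        reinit_db = snapshot(root)  # what an attacker's `--init` would leave behind
        against_reinit = compare(reinit_db, snapshot(root))
    return against_original, against_reinit


if __name__ == "__main__":
    flagged, silent = demo()
    print(format_report(flagged))
    print("\ncheck against re-initialised database reports:", silent or "nothing")
```

Running it prints /usr/bin and /usr/bin/aide in the changed list with old/new MD5, SHA1 and Mtime for the binary, exactly the shape of the report quoted above, and an empty result for the re-initialised database. Ctime cannot be set from user space, so whether it also differs depends on how fast the two snapshots run; the digests and Mtime are the deterministic part.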


