Hi everyone,

I'm having a very perplexing problem that's troubling me no end. It all started one morning when I found this in the nightly tripwire report from my Linux firewall/router (then running Red Hat 7.2 with all updates applied):

-------------------------------------------------------------------------------
Rule Name: OS executables and libraries (/lib)
Severity Level: 100
-------------------------------------------------------------------------------
Modified: "/lib/libc-2.2.4.so"

Obviously, this set off alarm bells in my head. The tripwire report said that the checksum had changed, but not the timestamp, ownership, etc. I found this unusual, so I pulled a good copy of the library from my updates copy and compared the files. What I found was two changed function names as follows:

gear02:/root/keep/lib # diff strings.*
2239c2239
< __strcp _smqll
---
> __strcpy_small
2388c2388
< ifmfre5nameindex
---
> if_freenameindex
gear02:/root/keep/lib # diff od.*
4701c4701
< 0223520 e x \0 _ _ s t r c p \t _ s m q l
---
> 0223520 e x \0 _ _ s t r c p y _ s m a l
4829c4829
< 0227520 d r a n d 4 8 \0 i f m f r e 5 n
---
> 0227520 d r a n d 4 8 \0 i f _ f r e e n

I searched for __strcp\t_smqll and ifmfre5nameindex on Google, but found nothing. There was no other evidence of a break-in. There was nothing unusual in the logs; the system seemed to be running normally; my cable modem bandwidth wasn't being chewed up very quickly; I had process accounting running, but it didn't seem to have anything helpful to offer (not that I'd be much at reading it anyway). However, being the paranoid person that I am, I decided not to risk it, and had a friend disconnect it from the outside world. (I was away on holidays at the time.) When I returned, I investigated (a little) more, and then reinstalled on Red Hat 7.3, restored/recreated configurations, and reconnected the system (after taking an image of the hard disk).
(On a related note, does anyone know if it's possible to access a compressed partition via a loopback mount? At the moment, I have to uncompress it to look at it.)

All seemed well until this morning, when I got the following in my tripwire report:

-------------------------------------------------------------------------------
Rule Name: Critical system boot files (/boot)
Severity Level: 100
-------------------------------------------------------------------------------
Modified: "/boot/grub/stage2"

Now this one is a little bit trickier. As far as I'm aware, the file is only used on bootup. Its diff (od -c against a good file) looks like this:

gear02:/root/keep # diff -u stage2.*
--- stage2.1 Wed Jun 26 05:50:52 2002
+++ stage2.2 Wed Jun 26 05:50:43 2002
@@ -20,11 +20,7 @@
 0000460 212 004 < \0 u 362 303 \0 \0 \0 \0 \0 \0 \0 \0 \0
 0000500 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
 *
-0000660 \0 \0 \0 \0 \0 \0 \0 \0 207 035 004 \0 0 \0 \0 "
-0000700 \a 035 004 \0 @ \0 \0 032 277 034 004 \0 \b \0 \0 031
-0000720 247 034 004 \0 020 \0 \0 027 ? 034 004 \0 \b \0 \0 026
-0000740 257 033 004 \0 020 \0 \0 024 _ 033 004 \0 ( \0 \0 017
-0000760 ? 030 004 \0 \b \0 \0 016 X 024 004 \0 / \0 \b
+0000760 257 340 \f \0 240 \0 \0 024 H 340 \f \0 _ \0 \b
 0001000 352 p 202 \0 \0 \0 003 002 377 377 \0 \0 \0 \0 \0 \0
 0001020 \0 \0 0 . 9 1 \0 ( h d 0 , 0 ) / b
 0001040 o o t / g r u b / g r u b . c o

Now I'm guessing this (being boot loader code) is x86 assembler. What I don't know is whether it's random garbage or I have some sort of persistent attacker finding holes into my system despite the latest updates. Again, nothing else seems to be wrong - my bandwidth usage is good, and there is nothing suspicious in the log. I've done TCP and UDP port scans with nmap from another system and no additional ports seem to be open. I'm starting to think this is something like bad RAM or a motherboard problem (it's a fairly old machine). I have the disk mirrored using Linux software RAID, so I would have thought a problem on one of the disks would have been picked up.

Can anyone offer any suggestions?

Paul
http://paulgear.webhop.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
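One way to put numbers on the bad-RAM question raised in the post above, as an added example that is not the poster's own code: it compares a known-good byte region with the suspect copy and reports whether the changed bytes look like isolated single-bit flips (the pattern a memory or disk fault tends to leave) or a rewritten run of adjacent bytes. The two sample pairs are taken from the symbol names in the libc diff; the two contrasting regions and the verdict rules are my own constructions.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ByteDiff:
    offset: int  # position in the compared region
    old: int     # byte in the known-good copy
    new: int     # byte in the suspect copy
    bits: int    # Hamming distance between the two bytes


def byte_diffs(good: bytes, suspect: bytes) -> List[ByteDiff]:
    """Every position at which two equal-length regions differ."""
    if len(good) != len(suspect):
        raise ValueError("regions must be the same length")
    return [ByteDiff(i, a, b, bin(a ^ b).count("1"))
            for i, (a, b) in enumerate(zip(good, suspect)) if a != b]


def classify(good: bytes, suspect: bytes) -> str:
    """Heuristic verdict (my own rule of thumb, not a forensic standard):
    only one-bit changes suggest a memory or disk fault, adjacent bytes
    rewritten suggest deliberate modification, anything else is scattered
    multi-bit change that deserves a closer look."""
    diffs = byte_diffs(good, suspect)
    if not diffs:
        return "identical"
    if all(d.bits == 1 for d in diffs):
        return "single-bit flips"
    if any(b.offset == a.offset + 1 for a, b in zip(diffs, diffs[1:])):
        return "contiguous rewrite"
    return "scattered multi-bit changes"


# Sample input constructed from the two symbol names in the poster's libc
# diff (good copy first), plus two made-up regions for contrast.
SAMPLES = {
    "__strcpy_small": (b"__strcpy_small", b"__strcp\t_smqll"),
    "if_freenameindex": (b"if_freenameindex", b"ifmfre5nameindex"),
    "one flipped bit (made up)": (b"grub", b"gruB"),
    "rewritten run (made up)": (b"\0\0\0\0", b"\0\xaf\xe0\x0c"),
}

if __name__ == "__main__":
    for name, (good, bad) in SAMPLES.items():
        detail = ", ".join(f"@{d.offset} {d.old:#04x}->{d.new:#04x} ({d.bits} bit)"
                           for d in byte_diffs(good, bad))
        print(f"{name}: {classify(good, bad)} [{detail}]")
```

The same comparison works on whole files read with open(path, "rb") as long as the two copies are the same length.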
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 18:52:35 PDT