Re: Intresting problem concerning libresolv.so.2

From: Paul Gear (paulat_private)
Date: Fri Apr 18 2003 - 20:53:21 PDT

Next message: sfat_private: "Mo'Logs"

Previous message: Skip Carter: "port 139 syn-fin scans"
In reply to: Sam Evans: "Intresting problem concerning libresolv.so.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sam Evans wrote:

>I've run into an interesting dilema with a machine that's running Solaris
>8..  It would appear as if the /usr/lib/libresolv.so.2 file changed, but
>didn't really change..
>
>What I mean is this..  We run Tripwire on this box, and Tripwire reported
>that the hash sums were different than what it expected.  Everything else
>was the same (timestamps, inode, block values, etc).  This would indicate
>that the contents changed inside the file..
>
>What's also interesting is that this is the *only* file that was listed in
>the tripwire report for the day.  Nothing else changed (at least according
>to Tripwire).
>

I've had this happen to me on Linux.  Only one file had changed, and the 
changes seemed to be random.  I compared the file with a known good copy 
and the changes certainly were not trojans or anything like that.  Most 
things worked, but occasionally i'd get freezing or crashes.

I asked for suggestions on this list, and the main ones were faulty 
motherboard and/or RAM.  It turned out to be a failing disk in the 
software RAID set: when i removed the faulty disk from the RAID set, 
everything worked fine.  I had to work out which disk was bad through 
trial and error: i rebooted with one disk disconnected and tripwire 
didn't complain, and with the other one, tripwire found multiple bad 
checksums.

I think it less likely that a Sun (presumably with SCSI disk?) would 
exhibit this behaviour without at least providing some clue in the 
hardware diagnostics, but it is possible.

Paul

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------

Next message: sfat_private: "Mo'Logs"
Previous message: Skip Carter: "port 139 syn-fin scans"
In reply to: Sam Evans: "Intresting problem concerning libresolv.so.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Apr 19 2003 - 22:00:25 PDT