Hi Simon,

> I have just had my daily tripwire report and it is horrible... loads of
> files have been modified. I have included the summary here below.
> We haven't touched the box ourselves so am I in trouble?

This Tripwire summary could be misleading. It's just a summary, so we don't know which files and directories it monitors to begin with. Specifically, we don't know which files apparently were removed and triggered this report. So I'd say that's not enough information to give a solid answer.

But yes, the report - as fuzzy as it is - would make me suspicious as well. My recommendations are as follows:

Look at the detailed tripwire report to find out which files were changed. Look at them, evaluate what legitimate reason could have caused the changes and if you find none, then try to find out what the changed files do.

Grab chkrootkit from www.chkrootkit.org and run a test on your machine with that. Also do a portscan from the outside to check for open ports (disable Portsentry first, if you've got it installed ;o).

> Also the logcheck directly after this reports a restart could this be what
> caused the changes?

Restart of what? Was it a server reboot or just a restart of the logging facility? If it was a server reboot, then yes, this could have caused filesystem changes that an improperly configured Tripwire (or clone thereof) stumbles across under various circumstances. Hard to tell without knowing what your Tripwire monitors and what not.

--
With best regards,

Michael Stauber
SOLARSPEED.NET

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
