From: Lee Whalen
Date: Fri, 13 Jan 2006 08:18:43 -0500
To: stable@freebsd.org
Subject: kernel compile and tripwire alerts...
Message-ID: <43C7A8B3.9040001@permabit.com>
List-Id: Production branch of FreeBSD source code

Hey all,

I've a question for the group, but first some brief background information on my situation: I'm setting up an ftp server for my company, pureftpd with TLS and virtual users, and because of the relaxed firewall rules we need for this particular box, I installed tripwire on there after I got the ftp daemon installed and configured, and before I brought the box "fully online" in the DMZ with an ipf firewall configured.

However, after the box was online, I decided to compile a new kernel just to remove stuff that we didn't use (SCSI adapters, wireless cards, all that stuff). I used the non-"make buildworld" way (choice 1 in the FBSD Handbook), figured that maybe a few system files would be touched, and that I'd see the small amount of changes in my tripwire report and all would be good. I installed and booted the kernel last night, no problem whatsoever, made sure the ftp was still accessible via the outside world, firewall was in place and operational (netcat rocks my socks for stuff like that!), and left for the night.

Well, I ran a tripwire --check this morning and was, to say the least, quite surprised at the results. Just about every binary file on the system showed as "modified", INCLUDING the ftp binaries (which to my knowledge shouldn't be that connected to a kernel recompile), including the tripwire binaries, including /dev files, all that good stuff.

So, my question for you all is, "what happened, and should I be worried/reformat the box?" Was I l33t h4x0r3d so soon (this box is maybe three days old, been on the network about two days)? Could any of you all be so kind as to point me to a (preferably official) site that has MD5/SHA1 hashes of various system binaries, so I can check a handful of them manually for integrity? Has anything like this happened to any of you when recompiling a "simple" kernel?

Many thanks in advance for your help!

-- 
Lee Whalen
Permabit, Inc.
Systems Integration Engineer
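As an added illustration (not code from the original post or from tripwire itself): a constructed, tripwire-style baseline/check in Python that separates files whose contents actually changed from files where only metadata (mode, mtime, inode) changed, which is the first distinction to draw when a check flags nearly every binary as "modified". The file names in the demo are placeholders created in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile


def _snapshot(path):
    """Hash the file contents and record the attributes an integrity check compares."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "inode": st.st_ino}


def build_baseline(paths):
    """Record a baseline for each path (the analogue of initialising the tripwire database)."""
    return {p: _snapshot(p) for p in paths}


def check(baseline):
    """Compare the current state of each path against the baseline and classify it."""
    report = {}
    for path, old in baseline.items():
        if not os.path.lexists(path):
            report[path] = "missing"
            continue
        new = _snapshot(path)
        if new["sha256"] != old["sha256"]:
            report[path] = "content-changed"   # a real content change: investigate
        elif new != old:
            report[path] = "metadata-only"     # same bytes, different attributes
        else:
            report[path] = "unchanged"
    return report


def demo():
    """Constructed scenario: one file rewritten, one only chmod'ed, one left alone."""
    d = tempfile.mkdtemp()
    names = ("pure-ftpd", "tripwire", "sh")   # placeholder names, not real binaries
    files = [os.path.join(d, n) for n in names]
    for p in files:
        with open(p, "wb") as f:
            f.write(b"original contents of " + os.path.basename(p).encode())
    base = build_baseline(files)
    with open(files[0], "wb") as f:           # content change
        f.write(b"replaced contents")
    os.chmod(files[1], 0o700)                 # metadata-only change
    return {os.path.basename(p): v for p, v in check(base).items()}
```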