From owner-freebsd-stable@FreeBSD.ORG Fri Jan 13 18:23:10 2006
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC26316A420 for ; Fri, 13 Jan 2006 18:23:10 +0000 (GMT) (envelope-from nick80@xs4all.nl)
Received: from smtp-vbr8.xs4all.nl (smtp-vbr8.xs4all.nl [194.109.24.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7206743D5D for ; Fri, 13 Jan 2006 18:23:05 +0000 (GMT) (envelope-from nick80@xs4all.nl)
Received: from nick (nickm.xs4all.nl [80.126.101.128]) by smtp-vbr8.xs4all.nl (8.13.3/8.13.3) with ESMTP id k0DIN3oT076923 for ; Fri, 13 Jan 2006 19:23:04 +0100 (CET) (envelope-from nick80@xs4all.nl)
From: Nick Martens
To: freebsd-stable@freebsd.org
Date: Fri, 13 Jan 2006 19:24:36 +0100
User-Agent: KMail/1.8.3
References: <43C7A8B3.9040001@permabit.com>
In-Reply-To: <43C7A8B3.9040001@permabit.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200601131924.36687.nick80@xs4all.nl>
X-Virus-Scanned: by XS4ALL Virus Scanner
Subject: Re: kernel compile and tripwire alerts...
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Fri, 13 Jan 2006 18:23:10 -0000

Hi,

most likely you were indeed l33t h4x0r3d; a kernel upgrade should not touch your ftp binary. You can try chkrootkit and/or rkhunter from the ports collection to verify this. Also, chkrootkit may in my experience sometimes give a false positive, but it has been a while since I used it. I have never tried rkhunter.

Good luck.
On Friday 13 January 2006 14:18, Lee Whalen wrote:
> Hey all, I've a question for the group, but first some brief background
> information on my situation: I'm setting up an ftp server for my company,
> pureftpd with TLS and virtual users, and because of the relaxed firewall
> rules we need for this particular box, I installed tripwire on there after
> I got the ftp daemon installed and configured, and before I brought the box
> "fully online" in the DMZ with an ipf firewall configured.
>
> However, after the box was online, I decided to compile a new kernel just
> to remove stuff that we didn't use (SCSI adapters, wireless cards, all that
> stuff). I used the non-"make buildworld" way (choice 1 in the FBSD
> Handbook), figured that maybe a few system files would be touched, and that
> I'd see the small amount of changes in my tripwire report and all would be
> good. I installed and booted the kernel last night, no problem whatsoever,
> made sure the ftp was still accessible via the outside world, firewall was
> in place and operational (netcat rocks my socks for stuff like that!), and
> left for the night.
>
> Well, I ran a tripwire --check this morning and was, to say the least,
> quite surprised at the results. Just about every binary file on the system
> showed as "modified", INCLUDING the ftp binaries (which to my knowledge
> shouldn't be that connected to a kernel recompile), including the tripwire
> binaries, including /dev files, all that good stuff.
>
> So, my question for you all is, "what happened, and should I be
> worried/reformat the box?" Was I l33t h4x0r3d so soon (this box is maybe
> three days old, been on the network about two days)? Could any of you all
> be so kind as to point me to a (preferably official) site that has MD5/SHA1
> hashes of various system binaries, so I can check a handful of them
> manually for integrity? Has anything like this happened to any of you when
> recompiling a "simple" kernel?
>
> Many thanks in advance for your help!
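The manual integrity check Lee asks about (comparing binaries against known-good hashes) comes down to recording a hash baseline before the suspect event and diffing against it afterwards, which is what tripwire --check does in a more elaborate way. The POSIX shell script below is an added example, not code from the thread or from tripwire, chkrootkit or rkhunter. It builds a SHA-256 manifest of every regular file under a directory and later reports files that were modified, added or removed. The function names (make_baseline, check_baseline, hash_tool) and the tab-separated manifest format are my own; the script picks whichever of sha256sum, shasum or FreeBSD's sha256(1) is available.

```shell
#!/bin/sh
# Added example: file-integrity baseline and check, in the spirit of tripwire.
# Not from the original thread; function names and manifest format are assumed.

# Pick an available SHA-256 tool that prints "<hash> <path>" on stdout.
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    elif command -v shasum >/dev/null 2>&1; then
        echo "shasum -a 256"
    else
        echo "sha256 -r"   # FreeBSD base system sha256(1); -r prints "hash path"
    fi
}

# make_baseline DIR OUTFILE
# Write one "<sha256>\t<path>" line per regular file under DIR, sorted by path.
# A tab separator keeps paths containing spaces intact.
make_baseline() {
    dir=$1; out=$2
    tool=$(hash_tool)
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        h=$($tool "$f" | cut -d' ' -f1)
        printf '%s\t%s\n' "$h" "$f"
    done > "$out"
}

# check_baseline BASELINE DIR
# Rehash DIR and print one line per difference against BASELINE:
#   "MODIFIED <path>", "ADDED <path>" or "REMOVED <path>". Prints nothing when
#   the tree still matches, so an empty result means "no change detected".
check_baseline() {
    base=$1; dir=$2
    cur=$(mktemp)
    make_baseline "$dir" "$cur"
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }     # load baseline hashes
        {
            if (!($2 in old)) { print "ADDED " $2 }
            else {
                if (old[$2] != $1) { print "MODIFIED " $2 }
                delete old[$2]                          # seen: not removed
            }
        }
        END { for (p in old) print "REMOVED " p }      # left over: gone
    ' "$base" "$cur"
    rm -f "$cur"
}

# Command-line use:  script baseline DIR OUTFILE   |   script check BASELINE DIR
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Two points matter more than the script itself. First, a baseline is only meaningful if it was taken before the event you are investigating and stored somewhere the host cannot alter (read-only media or another machine); a manifest written after the fact only proves that nothing changed since then. Second, on a box you suspect is compromised, the hashing tool, awk, find and the shell are exactly the binaries you distrust, so run the check from a boot CD or a known-good install rather than from the installed system. FreeBSD's base system also ships mtree(8), which can produce and verify a specification with per-file digests (the sha256digest keyword) and avoids the dependency on third-party tools.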