Date: Fri, 13 Jan 2006 19:24:36 +0100
From: Nick Martens <nick80@xs4all.nl>
To: freebsd-stable@freebsd.org
Subject: Re: kernel compile and tripwire alerts...
Message-ID: <200601131924.36687.nick80@xs4all.nl>
In-Reply-To: <43C7A8B3.9040001@permabit.com>
References: <43C7A8B3.9040001@permabit.com>
Hi,

Most likely you were indeed l33t h4x0r3d, a kernel upgrade should not touch your ftp binary. You can try chkrootkit and/or rkhunter from the ports collection to verify this. Also, chkrootkit may in my experience sometimes give a false positive, but it has been a while since I used it. I have never tried rkhunter.

Good luck.

On Friday 13 January 2006 14:18, Lee Whalen wrote:
> Hey all, I've a question for the group, but first some brief
> background information on my situation: I'm setting up an ftp server for
> my company, pureftpd with TLS and virtual users, and because of the
> relaxed firewall rules we need for this particular box, I installed
> tripwire on there after I got the ftp daemon installed and configured, and
> before I brought the box "fully online" in the DMZ with an ipf firewall
> configured. However, after the box was online, I decided to compile a
> new kernel just to remove stuff that we didn't use (SCSI adapters,
> wireless cards, all that stuff). I used the non-"make buildworld" way
> (choice 1 in the FBSD Handbook), figured that maybe a few system files
> would be touched, and that I'd see the small amount of changes in my
> tripwire report and all would be good. I installed and booted the
> kernel last night, no problem whatsoever, made sure the ftp was still
> accessible via the outside world, firewall was in place and operational
> (netcat rocks my socks for stuff like that!), and left for the night.
> Well, I ran a tripwire --check this morning and was, to say the least,
> quite surprised at the results. Just about every binary file on the
> system showed as "modified", INCLUDING the ftp binaries (which to my
> knowledge shouldn't be that connected to a kernel recompile) including
> the tripwire binaries, including /dev files, all that good stuff. So,
> my question for you all is, "what happened, and should I be
> worried/reformat the box?" Was I l33t h4x0r3d so soon (this box is
> maybe three days old, been on the network about two days)?
> Could any of you all be so kind as to point me to a (preferably official) site that
> has MD5/SHA1 hashes of various system binaries, so I can check a handful
> of them manually for integrity? Has anything like this happened to any
> of you when recompiling a "simple" kernel?
>
> Many thanks in advance for your help!
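The manual hash check Lee asks about, as an added example that is not part of the thread: a content-hash manifest of a binary directory taken before the kernel rebuild can be re-verified afterwards, separating files whose contents really changed from entries tripwire flagged for other reasons. It assumes a `sha1sum` (Linux) or `sha1` (FreeBSD) command is installed; the function and directory names are the example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Build a "hash path"
# manifest of every regular file under a directory, then verify it later
# and report files whose contents changed or that disappeared.

# Print the SHA-1 of one file using whichever tool the system provides
# (sha1sum on Linux, sha1 on FreeBSD). Assumes one of the two exists.
hash_file() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        sha1 -q "$1"
    fi
}

# Write one "hash path" line per regular file under $1, in a stable order,
# so the manifest can be diffed or stored off-box for later comparison.
make_manifest() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# Recompute every hash in manifest $1 against the live filesystem.
# Prints MODIFIED/MISSING lines and returns the number of such files
# (0 means every listed file is byte-for-byte unchanged; capped at 255
# because that is the largest shell return status).
verify_manifest() {
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "MODIFIED $path"
            bad=$((bad + 1))
        fi
    done < "$1"
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Typical use: make_manifest /usr/bin > manifest.before, rebuild the
# kernel, then verify_manifest manifest.before.
```

A clean verify after a kernel install means the flagged binaries kept their contents and tripwire reacted to metadata (for example inode or timestamp) rather than code changes; any MODIFIED line is a real content change to investigate.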