From owner-freebsd-security Fri Aug 7 18:38:24 1998
Message-ID: <19980807213747.A1702@homer.louisville.edu>
Date: Fri, 7 Aug 1998 21:37:47 -0400
From: Keith Stevenson <k.stevenson@louisville.edu>
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <19980806131045.A28059@keltia.freenix.fr> <19980807122035.A4145@keltia.freenix.fr> <199808072337.RAA13808@lariat.lariat.org>
In-Reply-To: <199808072337.RAA13808@lariat.lariat.org>; from Brett Glass on Fri, Aug 07, 1998 at 03:17:43PM -0600

On Fri, Aug 07, 1998 at 03:17:43PM -0600, Brett Glass wrote:
> We have set up Tripwire, and are getting "Alarums and Excursions" (with
> apologies to old Will Shakespeare) from changed "last modification" dates
> on executables.

Are the file checksums changing? If not, then the binary probably is safe.
The Ports version of tripwire does an MD5 hash on the contents of /bin, /lkm, /sbin, /stand, /usr/bin, /usr/lib, /usr/libdata, /usr/libexec, /usr/local/bin, /usr/local/lib, /usr/local/libexec, /usr/local/sbin, /usr/local/share, /usr/sbin and /usr/share. (At least I _think_ this is what it does, based upon my reading of the default tw.config file installed by the port.)

MD5 is a pretty good checksum. It is highly unlikely that someone could alter a binary in such a way as to maintain the file size and MD5 checksum.

If you are truly paranoid, remove the "-2" from the end of the "ignore list". (See the documentation at the top of the tw.conf file.) This will enable a second cryptographic checksum at a significant performance penalty. It is _extremely unlikely_ that a trojaned binary could pass both checksum tests.

Regards,
--Keith Stevenson--

-- 
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0
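The distinction Keith draws above (a changed mtime alone versus a changed content hash, and a second digest on top of MD5) is easy to see in a small Tripwire-style checker. The script below is an added example, not code from the original message or from the Tripwire port: it baselines a directory tree with two independent digests (MD5 plus SHA-256, a stand-in for the port's optional second checksum; the real tw.config syntax is not reproduced), then classifies each file as timestamp-only, content-changed (and by which digests), added or removed. The demo tree under a temporary directory, the file names and the "trojaned" replacement padded to the original size are all constructed for illustration.

```python
"""Minimal Tripwire-style integrity check with two independent digests."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

ALGORITHMS = ("md5", "sha256")  # assumption: MD5 plus a second digest, as in the message


def digest_file(path, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for one file, read once in 64 KiB chunks."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def baseline(root, algorithms=ALGORITHMS):
    """Walk root and record size, mtime and digests for every regular file."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            st = os.lstat(p)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are not hashed here
            rel = p.relative_to(root).as_posix()
            db[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                       **digest_file(p, algorithms)}
    return db


def compare(old, new):
    """Classify differences between two baselines.

    content_changed lists (path, [digests that differ]); mtime_only lists files
    whose timestamp or size moved while every digest stayed the same.
    """
    report = {"mtime_only": [], "content_changed": [], "added": [], "removed": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
            continue
        if rel not in new:
            report["removed"].append(rel)
            continue
        o, n = old[rel], new[rel]
        differing = [k for k in o if k not in ("size", "mtime") and o[k] != n[k]]
        if differing:
            report["content_changed"].append((rel, differing))
        elif o["mtime"] != n["mtime"] or o["size"] != n["size"]:
            report["mtime_only"].append(rel)
    return report


def demo():
    """Build a constructed tree, baseline it, apply three kinds of change, report."""
    with tempfile.TemporaryDirectory() as root:
        binp = Path(root, "bin")
        binp.mkdir()
        for name in ("ls", "ps", "sh"):
            (binp / name).write_bytes(b"\x7fELF original %s\n" % name.encode())
        before = baseline(root)

        # Case 1: only the timestamp moves (what a reinstall or a touch does).
        os.utime(binp / "ls", (1_000_000_000, 1_000_000_000))
        # Case 2: a replacement binary padded with NULs to the original size,
        # so size alone would not reveal it but both digests do.
        orig = (binp / "ps").read_bytes()
        (binp / "ps").write_bytes(b"\x7fELF trojaned ps".ljust(len(orig), b"\0"))
        # Case 3: a file that was not in the baseline at all.
        (binp / "login").write_bytes(b"\x7fELF new file\n")

        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

Running the demo reports `bin/ls` as mtime-only (no alarm warranted on content), `bin/ps` as content-changed with both digests disagreeing despite the unchanged size, and `bin/login` as added. Baselines only help if they are stored somewhere the host cannot rewrite, such as read-only media or another machine.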