Snort mailing list archives
Re: False alarm?
From: Sebastian Ip <9scki () qlink queensu ca>
Date: Mon, 15 Oct 2001 09:38:57 -0400
I did they say look at google which is about as helpful as well certain brown substances. On Sunday 14 October 2001 09:09, you wrote:
You might address this question to a more appropriate forum, such as the Incidents list at SecurityFocus. The address for the list is incidents () securityfocus com, and its home is www.securityfocus.com. roo aka. Benjamin Krueger ----- Original Message ----- From: "Sebastian Ip" <9scki () qlink queensu ca> To: <snort-users () lists sourceforge net> Sent: Monday, October 15, 2001 5:27 AM Subject: [Snort-users] False alarm?Dear experienced security people I woke up today checked my personal linux firewall logs.. noticed thatovernight tirpwire results were in my mail box.. Checked it.. and ALARM!! lshasbeen modified along with gunzip, gzip, zcat and cpio. All of them in /bin. So i was like F***!! something's wrong.. But what can be wrong? I didn'tdonothing and my firewall blocks everything but sendmail, named and ssh.Noneof those have any known problems for 7.1 that i haven't patched for. Ok .. save the sendmail local root thing. But i don't have any local users! justmeme me! The only problem i can see is that i opened my ftp for one of my friends. But that was restricted to his ip only. And i don't know of anynewwu-ftp bug (yes yes i know but i don't usually host ftps). So anyhow i decided not to panic and reinstall from scratch because firstofall it's just odd that only ls and a few other file's been changed. Logs shows nothing but those could have been changed. And i have a midterm next week i have to study for. So i found my redhat 7.1 cds found the right rpm extracted the file lsfromthat on my own workstation and md5sumed the copy on the firewall and theoneextracted from the rpm. The results came back the same. Which leaves mewiththe question. Am i going to have to reinstall? Or is this just an exampleofhow tripwire can screw up royally at a very odd time? So eh if anyone wants to tell me what to do next drop me a line i'll be eternaly grateful. Thanks Sebastian Ip _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- False alarm? Sebastian Ip (Oct 15)
- Message not available
- Re: False alarm? Sebastian Ip (Oct 15)
- Message not available