AIDE warnings following kernel upgrade

Subject: AIDE warnings following kernel upgrade
Date: Mon, 16 Aug 2004 19:40:01 -0400
Hi,

I'm writing regarding some strange behaviour on a machine of mine.

The machine:
Debian stable, previously running Debian sources 2.4.18, just upgraded to a grsecurity-patched vanilla 2.4.27. Apache 1.3, Postfix, Mailman. Fairly typical setup.

What happened:
As I said, I upgraded from the Debian sources (they appear to have a handful of local DoS and priv-escalation vulnerabilities that have gone unpatched) to 2.4.27 with GRSecurity patches applied.

After the upgrade, AIDE, which runs on a nightly cron, warns me that nearly all files have been changed (contents of /lib/modules/2.4.18/, which makes little sense, /bin/bash, /usr/bin/perl, /usr/lib/apt, files in /var, /lib, /bin, /usr/local, you name it). The change appears to be minor changes in the bcount (e.g. File: /bin/bash Bcount : 1001, 1000).

So obviously I'm worried about the possibility of an intrusion. This seems a bit odd, however; while I don't trust the output of chkrootkit (which doesn't find anything), I have to wonder about the conjunction between this and the kernel upgrade. Is it likely that somebody loaded something malicious into my boot loader (GRUB) so that when I rebooted (first time in a few weeks), something nasty happened? If so, why would so many files be changed (I wouldn't really expect someone to trojan /usr/lib/libfakeroot...)? That makes it a bit obvious. Or is it possible that somebody altered my sources so that when I got around to compiling and upgrading, I loaded a trojaned version?

Further, is it possible that these restrictive GRSecurity options, or simply the newer kernel, might result in these files failing their checks?

I'll admit, I'm trying to find reassurance that I haven't been rooted. Rebuilding this machine will be a pain. Any ideas?

Thanks.
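The triage step a defender wants here is to separate integrity-report entries whose only difference is a metadata attribute from entries whose content checksum actually changed. AIDE's bcount attribute is the file's block count (the stat st_blocks value), not a content hash, so a bcount-only difference says nothing about the bytes of the file; checksum differences are what need manual verification. The script below is an added example, not code from the post or from the AIDE project: it parses a changed-files listing modelled on the "File: /bin/bash Bcount : 1001, 1000" line quoted above (the multi-attribute layout, the attribute names other than Bcount, and every path and value in the sample report are constructed assumptions) and buckets each file as bcount-only, other-metadata-only, or content-changed.

```python
import re
from collections import Counter

# Constructed sample report, modelled on the bcount line quoted in the post.
# Paths, values and the "<constructed-...>" hash placeholders are illustrative,
# not real output from the poster's machine.
SAMPLE_REPORT = """\
File: /bin/bash
  Bcount   : 1001                           , 1000
File: /usr/bin/perl
  Bcount   : 2457                           , 2456
File: /usr/lib/libfakeroot.so
  Bcount   : 33                             , 32
File: /lib/modules/2.4.18/kernel/fs/ext3/ext3.o
  Bcount   : 201                            , 200
File: /etc/motd
  Mtime    : 2004-08-10 02:11:03            , 2004-08-16 03:02:17
File: /usr/local/sbin/example-tool
  Size     : 51200                          , 52248
  Mtime    : 2004-08-10 02:11:03            , 2004-08-16 03:02:17
  Bcount   : 101                            , 103
  MD5      : <constructed-old-hash>         , <constructed-new-hash>
"""

# Attributes whose change implies the file's bytes differ.
CONTENT_ATTRS = {"size", "md5", "sha1", "sha256", "rmd160", "tiger", "crc32"}


def parse_report(text):
    """Return {path: {attribute: (old, new)}} from an AIDE-style changed-files listing."""
    changes = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^File:\s+(\S+)", line)
        if m:
            current = m.group(1)
            changes[current] = {}
            continue
        # Indented "Attr : old , new" lines belong to the most recent File: entry.
        m = re.match(r"^\s+(\w+)\s*:\s*(.*?)\s*,\s*(.*?)\s*$", line)
        if m and current is not None:
            attr, old, new = m.groups()
            changes[current][attr.lower()] = (old, new)
    return changes


def classify(attrs):
    """Bucket one file's changed attributes by what they imply about its content."""
    if any(a in CONTENT_ATTRS for a in attrs):
        return "content-changed"       # bytes differ: verify against package checksums
    if set(attrs) == {"bcount"}:
        return "bcount-only"           # block-count metadata only, checksum unchanged
    return "metadata-only"             # mtime/ctime/perms etc. without a checksum change


def triage(text):
    """Map each reported path to its bucket."""
    return {path: classify(attrs) for path, attrs in parse_report(text).items()}


def summarize(text):
    """Count files per bucket, so a report of hundreds of entries reads at a glance."""
    return Counter(triage(text).values())


if __name__ == "__main__":
    for path, bucket in sorted(triage(SAMPLE_REPORT).items(), key=lambda kv: kv[1]):
        print(f"{bucket:16} {path}")
    print(dict(summarize(SAMPLE_REPORT)))
```

Files that land in the content-changed bucket are the ones worth checking against the distribution's recorded package checksums (on Debian, the md5sums shipped with each package); a report where every entry is bcount-only with unchanged checksums is consistent with a change in how block usage is reported rather than with modified file contents, though that still deserves a re-baseline of the AIDE database once the cause is understood.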
