LINUX.IE, website of the Irish Linux Users' Group
 :: Mailing Lists

[ILUG] Possible hack?

Barry O'Donovan barry.odonovan at ucd.ie
Tue May 28 11:53:39 IST 2002


Hey folks,

I'd appreciate your help with the following: on examining my tripwire 
logs, I found an unusual entry:

*************** BEGIN TRIPWIRE **************************
Rule Name: OS executables and libraries (/bin)
Severity Level: 100
---------------------------------------------------------
  ----------------------------------------
  Added Objects: 1
  ----------------------------------------

Added object name:  /bin/crond 

  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /bin

  Property:            Expected                    Observed                    
  -------------        -----------                 -----------                 
* Modify Time          Wed Apr 24 21:05:39 2002    Sat May 25 06:26:58 2002    

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /bin/ps

  Property:            Expected                    Observed                    
  -------------        -----------                 -----------                 
* Inode Number         294956                      1228888                     
* Mode                 -r-xr-xr-x                  -rwxrwxr-x                  
* Size                 63180                       110                         
* Modify Time          Tue Aug 28 04:16:31 2001    Sat May 25 06:26:58 2002    
* Change Time          Wed Apr 24 18:26:17 2002    Sat May 25 06:26:58 2002    
* Blocks               136                         8                           
* CRC32                A6XGfK                      BvJqvp                      
* MD5                  CIHHrzH29EfimCD7c9wd2a      D3Q4qiuCeHsqyN8Sq/ycVD      

********************  END TRIPWIRE *********************

So it looks like someone added a file called "crond " (yes - there is 
a space in the name). The normal crond usually resides in /usr/sbin 
and seems to be unaltered. It also looks like someone replaced the ps 
command with another.

I've used netstat -aveep and there doesn't "seem" to be any 
connections with this process:

/home/barry/ps -efewx | grep crond  (another ps program from an 
unaffected system)

 1317 ?        S      0:01 crond PWD=/ 
BOOT_FILE=/boot/vmlinuz-2.4.7-10 HOSTNAME=XXX.ucd.ie 
CONSOLE=/dev/console PREVLEVEL=N AUT

14384 ?        S      3:34 crond  PWD=/dev/pf0     /    
HOSTNAME=XXX.ucd.ie QTDIR=/usr/lib/qt3 LESSOPEN=|/usr/bin/lesspipe.sh 
%s


Anyone ever seen this before??

-- 
Regards,
Barry O'Donovan	barry.odonovan at ucd.ie

Mobile: +353 (0)86 2891589, Office: +353 (0)1 716 2454

Roinn na Riomheolaiochta, An Colaiste Ollscoile, Baile Atha Cliath.
Department of Computer Science, University College Dublin.
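The post above shows the three classic signs of a user-space rootkit: a system binary (/bin/ps) that shrank from 63 KB to 110 bytes and became group-writable, a new file whose name is padded with whitespace so it looks like a legitimate daemon ("crond "), and a ps that had to be replaced with a known-good copy before the suspect process could be seen. The script below is an added example, not code from the original post or from tripwire; it bundles the three checks a practitioner would run next. The PID lists, the fake "ps" wrapper and the padded file name used in the comments and in the self-check are constructed for illustration; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): quick follow-up checks for a
# suspected trojaned /bin.  Run it with a known-good PATH, e.g. with a ps
# copied from an unaffected machine first in PATH, as the poster did.

# odd_names DIR: print entries of DIR whose names contain whitespace or
# control characters, quoted so the padding is visible ('crond ' vs 'crond').
# Names like "crond " only mimic a daemon if ps truncates or pads columns.
odd_names() {
    dir=$1
    for f in "$dir"/* "$dir"/.*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case "$name" in .|..) continue ;; esac
        if printf '%s' "$name" | LC_ALL=C grep -q '[[:space:][:cntrl:]]'; then
            printf "%s: '%s'\n" "$dir" "$name"
        fi
    done
}

# is_elf FILE: succeed if FILE starts with the ELF magic 7f 45 4c 46.
# A genuine /bin/ps is an ELF executable; a 110-byte replacement is almost
# certainly a shell script that runs the real ps and filters its output.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# hidden_pids PROC_LIST PS_LIST: both arguments are files with one PID per
# line.  Print PIDs present in PROC_LIST (the kernel's view) but absent from
# PS_LIST (what ps reported).  Anything printed is a process ps is hiding.
hidden_pids() {
    sort -un "$1" | grep -vxF -f "$2"
}

# live_hidden_pids: take the two snapshots on the running system and compare
# them.  A process that exits between the two snapshots shows up as "hidden"
# too, so re-run once before treating a PID as suspicious.
live_hidden_pids() {
    proc_list=$(mktemp); ps_list=$(mktemp)
    for d in /proc/[0-9]*; do echo "${d#/proc/}"; done > "$proc_list"
    ps -e -o pid= | tr -d ' ' > "$ps_list"
    hidden_pids "$proc_list" "$ps_list"
    rm -f "$proc_list" "$ps_list"
}

# Usage: sh checks.sh /bin   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    odd_names "$1"
    for b in "$1"/*; do
        # executables that are not ELF binaries deserve a look (some, like
        # wrapper scripts, are legitimate; a 110-byte "ps" is not)
        [ -f "$b" ] && [ -x "$b" ] && ! is_elf "$b" && echo "not ELF: $b"
    done
    live_hidden_pids
fi
```

On a Red Hat system of that era the same comparison can be backed by the package database: `rpm -V procps` would report the size, mode and MD5 mismatches tripwire flagged on /bin/ps, but only if rpm itself and its database are trusted, which after a compromise they are not; a copy of the binaries from an unaffected host, as the poster used, is the safer reference.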



