kernel compile and tripwire alerts...

Nick Martens nick80 at xs4all.nl
Fri Jan 13 10:23:10 PST 2006


Hi,
Most likely you were indeed l33t h4x0r3d; a kernel upgrade should not touch 
your ftp binary. 
You can try chkrootkit and/or rkhunter from the ports collection to verify 
this. Also, chkrootkit may in my experience sometimes give a false positive, but 
it has been a while since I used it. I have never tried rkhunter.
Good luck.

On Friday 13 January 2006 14:18, Lee Whalen wrote:
>    Hey all, I've a question for the group, but first some brief
> background information on my situation: I'm setting up an ftp server for
> my company, pureftpd with TLS and virtual users, and because of the
> relaxed firewall rules we need for this particular box, I installed
> tripwire on there after I got the ftp daemon installed and configured, and
> before I brought the box "fully online" in the DMZ with an ipf firewall
> configured.  However, after the box was online, I decided to compile a
> new kernel just to remove stuff that we didn't use (SCSI adapters,
> wireless cards, all that stuff).  I used the non-"make buildworld" way
> (choice 1 in the FBSD Handbook), figured that maybe a few system files
> would be touched, and that I'd see the small amount of changes in my
> tripwire report and all would be good.  I installed and booted the
> kernel last night, no problem whatsoever, made sure the ftp was still
> accessible via the outside world, firewall was in place and operational
> (netcat rocks my socks for stuff like that!), and left for the night.
> Well, I ran a tripwire --check this morning and was, to say the least,
> quite surprised at the results.  Just about every binary file on the
> system showed as "modified", INCLUDING the ftp binaries (which to my
> knowledge shouldn't be that connected to a kernel recompile) including
> the tripwire binaries, including /dev files, all that good stuff.  So,
> my question for you all is, "what happened, and should I be
> worried/reformat the box?"  Was I l33t h4x0r3d so soon (this box is
> maybe three days old, been on the network about two days)?  Could any of
> you all be so kind as to point me to a (preferably official) site that
> has MD5/SHA1 hashes of various system binaries, so I can check a handful
> of them manually for integrity?  Has anything like this happened to any
> of you when recompiling a "simple" kernel?
>
> Many thanks in advance for your help!
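A minimal baseline-and-compare script in the spirit of what tripwire does, added here as an example and not code from either poster: it records SHA-256 hashes of a file tree, then reports what changed, treating rewrites under boot/kernel as expected after an installkernel and flagging anything else (such as a changed ftp binary) for a closer look. The function names and the demo tree are constructed for the example.

```shell
#!/bin/sh
# Added example: tiny tripwire-style baseline/compare. Not from the thread.
# Uses sha256sum (GNU) or sha256 (FreeBSD), whichever is present.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# make_baseline ROOT OUT: write "hash relative/path" for every regular file.
make_baseline() {
    root=$1; out=$2
    find "$root" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "${f#$root/}"
    done > "$out"
}

# check_baseline ROOT BASELINE: print one line per changed or missing file.
# boot/kernel/* is rewritten by a kernel install, so it is marked EXPECTED;
# every other changed file is marked MODIFIED and deserves investigation.
check_baseline() {
    root=$1; base=$2
    while read -r h p; do
        if [ ! -f "$root/$p" ]; then
            echo "MISSING $p"
        elif [ "$(hash_file "$root/$p")" != "$h" ]; then
            case $p in
                boot/kernel/*) echo "EXPECTED $p" ;;
                *)             echo "MODIFIED $p" ;;
            esac
        fi
    done < "$base"
}

# demo: constructed tree with a fake kernel and a fake ftp client binary.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/boot/kernel" "$d/usr/bin"
    echo "kernel v1"  > "$d/boot/kernel/kernel"
    echo "ftp client" > "$d/usr/bin/ftp"
    make_baseline "$d" "$d.base"
    echo "kernel v2" > "$d/boot/kernel/kernel"   # legitimate: installkernel
    echo "trojaned"  > "$d/usr/bin/ftp"          # should never change here
    check_baseline "$d" "$d.base"
    rm -rf "$d" "$d.base"
}
```

Running `demo` prints `EXPECTED boot/kernel/kernel` and `MODIFIED usr/bin/ftp`; a real baseline must be stored off-box, since a compromised host can rewrite it along with the binaries.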
