kernel compile and tripwire alerts...

Lee Whalen law at permabit.com
Fri Jan 13 05:18:19 PST 2006


   Hey all, I've a question for the group, but first some brief 
background information on my situation: I'm setting up an ftp server for 
my company, pureftpd with TLS and virtual users, and because of the 
relaxed firewall rules we need for this particular box, I installed 
tripwire on there after I got the ftp daemon installed and configured, and 
before I brought the box "fully online" in the DMZ with an ipf firewall 
configured.  However, after the box was online, I decided to compile a 
new kernel just to remove stuff that we didn't use (SCSI adapters, 
wireless cards, all that stuff).  I used the non-"make buildworld" way 
(choice 1 in the FBSD Handbook), figured that maybe a few system files 
would be touched, and that I'd see the small amount of changes in my 
tripwire report and all would be good.  I installed and booted the 
kernel last night, no problem whatsoever, made sure the ftp was still 
accessible via the outside world, firewall was in place and operational 
(netcat rocks my socks for stuff like that!), and left for the night. 
Well, I ran a tripwire --check this morning and was, to say the least, 
quite surprised at the results.  Just about every binary file on the 
system showed as "modified", INCLUDING the ftp binaries (which to my 
knowledge shouldn't be that connected to a kernel recompile) including 
the tripwire binaries, including /dev files, all that good stuff.  So, 
my question for you all is, "what happened, and should I be 
worried/reformat the box?"  Was I l33t h4x0r3d so soon (this box is 
maybe three days old, been on the network about two days)?  Could any of 
you all be so kind as to point me to a (preferably official) site that 
has MD5/SHA1 hashes of various system binaries, so I can check a handful 
of them manually for integrity?  Has anything like this happened to any 
of you when recompiling a "simple" kernel?

Many thanks in advance for your help!
-- 
Lee Whalen
Permabit, Inc.
Systems Integration Engineer
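
An added example, not part of the original post: one way to do the manual check the message asks about, by comparing two snapshots of a directory tree and separating files whose content hash changed from files where only metadata (mtime, inode) changed. The function names `snapshot` and `triage` are hypothetical, SHA-256 is used in place of the MD5/SHA1 mentioned in the post, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile

# snapshot() and triage() are hypothetical names for this added example.
def snapshot(root):
    """Map each regular file under root to (sha256, size, mtime_ns, inode)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and device nodes
            st = os.stat(path)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            snap[os.path.relpath(path, root)] = (
                digest.hexdigest(), st.st_size, st.st_mtime_ns, st.st_ino)
    return snap

def triage(baseline, current):
    """Classify paths by what differs between two snapshots."""
    out = {"content": [], "metadata_only": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            out["added"].append(path)
        elif new is None:
            out["removed"].append(path)
        elif old[0] != new[0]:
            out["content"].append(path)        # bytes on disk differ
        elif old[1:] != new[1:]:
            out["metadata_only"].append(path)  # same bytes, new mtime/inode
    return out

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        for name, data in (("ftpd", b"A"), ("ls", b"B")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        os.utime(os.path.join(root, "ls"), ns=(1, 1))  # timestamp change only
        with open(os.path.join(root, "ftpd"), "wb") as fh:
            fh.write(b"C")                             # content change
        print(triage(before, snapshot(root)))
```

The baseline snapshot is only meaningful if it was taken from a known-good state and stored off the host being checked.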



More information about the freebsd-stable mailing list