Hi, most likely you were indeed l33t h4x0r3d; a kernel upgrade should not touch your ftp binary. You can try chkrootkit and/or rkhunter from the ports collection to verify this. Also, chkrootkit may in my experience sometimes give a false positive, but it has been a while since I used it. I have never tried rkhunter. Good luck.
On Friday 13 January 2006 14:18, Lee Whalen wrote:
> Hey all, I've a question for the group, but first some brief
> background information on my situation: I'm setting up an ftp server for
> my company, pureftpd with TLS and virtual users, and because of the
> relaxed firewall rules we need for this particular box, I installed
> tripwire on there after I got the ftp daemon installed and configured, and
> before I brought the box "fully online" in the DMZ with an ipf firewall
> configured. However, after the box was online, I decided to compile a
> new kernel just to remove stuff that we didn't use (SCSI adapters,
> wireless cards, all that stuff). I used the non-"make buildworld" way
> (choice 1 in the FBSD Handbook), figured that maybe a few system files
> would be touched, and that I'd see the small amount of changes in my
> tripwire report and all would be good. I installed and booted the
> kernel last night, no problem whatsoever, made sure the ftp was still
> accessible via the outside world, firewall was in place and operational
> (netcat rocks my socks for stuff like that!), and left for the night.
> Well, I ran a tripwire --check this morning and was, to say the least,
> quite surprised at the results. Just about every binary file on the
> system showed as "modified", INCLUDING the ftp binaries (which to my
> knowledge shouldn't be that connected to a kernel recompile) including
> the tripwire binaries, including /dev files, all that good stuff. So,
> my question for you all is, "what happened, and should I be
> worried/reformat the box?" Was I l33t h4x0r3d so soon (this box is
> maybe three days old, been on the network about two days)? Could any of
> you all be so kind as to point me to a (preferably official) site that
> has MD5/SHA1 hashes of various system binaries, so I can check a handful
> of them manually for integrity? Has anything like this happened to any
> of you when recompiling a "simple" kernel?
>
> Many thanks in advance for your help!
_______________________________________________ freebsd-stable@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "[EMAIL PROTECTED]"
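Added example (not from this thread, not tripwire's own code): the question above comes down to "does a file still match the digest I recorded earlier?", which is the core of what tripwire does, minus its checks on ownership, permissions, inodes and timestamps. The script below records a SHA-256 manifest of every file under a directory and later reports which entries are MODIFIED or MISSING. It assumes one of sha256sum (GNU coreutils), sha256 (FreeBSD) or shasum is installed; the file names and contents in the demo are constructed, not real system binaries. The practical point it illustrates is the one the thread circles around: a manifest is only as trustworthy as where it is stored and when it was taken. If the manifest (or the hashing tool) lives on the same host, a successful intruder can rewrite both, so keep the baseline on read-only or offline media, and compare against digests of known-good files rather than against a baseline taken after the doubt arose.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline and check in POSIX sh.
# Not part of the original thread and far less thorough than tripwire.

# hash_file PATH: print the SHA-256 digest of PATH, using whichever tool
# is present (assumes at least one of these three exists).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline DIR MANIFEST: record "digest  path" for every regular file
# under DIR, in a stable order. Move MANIFEST off the host afterwards; a
# manifest the host itself can rewrite proves nothing.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# check_baseline MANIFEST: recompute each digest and print one line per
# deviation ("MODIFIED path" or "MISSING  path"). Returns 0 only when
# every recorded file is present and unchanged.
check_baseline() {
    problems=0
    while IFS= read -r line; do
        expected=${line%%  *}
        path=${line#*  }
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            problems=$((problems + 1))
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            printf 'MODIFIED %s\n' "$path"
            problems=$((problems + 1))
        fi
    done < "$1"
    [ "$problems" -eq 0 ]
}

# Constructed demonstration: a fake bin directory is baselined, then one
# file is overwritten and another removed before the second check.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'fake ftpd binary\n' > "$tmp/bin/ftpd"
    printf 'fake ls binary\n'   > "$tmp/bin/ls"
    printf 'fake sh binary\n'   > "$tmp/bin/sh"
    make_baseline "$tmp/bin" "$tmp/baseline.txt"
    check_baseline "$tmp/baseline.txt" && echo "clean: all files match baseline"
    printf 'replaced ftpd\n' > "$tmp/bin/ftpd"
    rm "$tmp/bin/sh"
    check_baseline "$tmp/baseline.txt" || echo "integrity check FAILED"
    rm -rf "$tmp"
}
demo
```

The manifest format uses two spaces between digest and path, so paths containing a double space would confuse the parser; for real use, restrict the baseline to system directories or switch to a NUL-separated format. Note also that content hashing alone cannot tell a recompiled-and-reinstalled binary from a replaced one, which is exactly why the poster's question needs digests from an independent source.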