IDS goes off at /etc
Hi,

Does anybody know what makes my IDS (tripwire) go off at /etc each other day? No changes otherwise. Just the directory /etc being modified. I suppose something creates and removes again a file in /etc regularly, but can't figure out what it is.

    changed: drwxr-xr-x root 4096 Jul 16 22:05:13 2002 /etc
    ...
    ### Attr        Observed (what it is)         Expected (what it should be)
    ### =========== ============================= =============================
    /etc
        st_mtime:   Tue Jul 16 22:05:13 2002      Sat Jul 13 11:16:03 2002
        st_ctime:   Tue Jul 16 22:05:13 2002      Sat Jul 13 11:16:03 2002

Best regards from Bremen,
Mit freundlichen Grüßen aus Bremen,
Matthias Riese

On Wed, Jul 17, 2002 at 11:24:33AM +0200, Matthias Riese wrote:
> Does anybody know what makes my IDS (tripwire) go off at /etc each other day? No changes otherwise. Just the directory /etc being modified. I suppose something creates and removes again a file in /etc regularly, but can't figure out what it is.

Are you using dhcp to configure your network? Do you use any dynamic dialup tools like pppd? There's pretty much code rooting around in /etc, but it's hard to tell which application did it without knowing what you're doing :)

Olaf
-- 
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann

Olaf Kirch <okir@suse.de> writes:
> On Wed, Jul 17, 2002 at 11:24:33AM +0200, Matthias Riese wrote:
>> Does anybody know what makes my IDS (tripwire) go off at /etc each other day? No changes otherwise. Just the directory /etc being modified. I suppose something creates and removes again a file in /etc regularly, but can't figure out what it is.
>
> Are you using dhcp to configure your network? Do you use any dynamic dialup tools like pppd? There's pretty much code rooting around in /etc, but it's hard to tell which application did it without knowing what you're doing :)

I don't think it's dhcpcd. It did its job 5 days ago:

    ls -l resolv.conf*
    -rw-r--r-- 1 root root 1029 Jul 12 10:00 resolv.conf
    -rw-r--r-- 1 root root   65 Aug  7  2001 resolv.conf.saved.by.dhcpcd

/var/state/dhcp doesn't indicate there was a new lease in the meantime. Otherwise there are no dial-up scripts or similar.

Whatever it is, it's running EACH night between 22:00 and 23:00. I already dug through all tabs and scripts in

    /etc/cron*
    /etc/cron.*/*
    /var/spool/cron/tabs/*

but couldn't find anything. I thought it's quite uncommon to mess around in /etc.

However I think I can live with it because a real intrusion will probably change not only mtime and ctime of /etc. ;-)

Best regards from Bremen,
Mit freundlichen Grüßen aus Bremen,
Matthias Riese

On Wed. Jul. 17, 2002 at 11:24:33 +0200 GMT, a lone cry was heard from Matthias Riese <matthias.riese@b-novative.de> in the wasteland called the Internet:
> Hi,
>
> Does anybody know what makes my IDS (tripwire) go off at /etc each other day? No changes otherwise. Just the directory /etc being modified. I suppose something creates and removes again a file in /etc regularly, but can't figure out what it is.

The daily maintenance and security cron jobs.

Charles
-- 
There are no threads in a.b.p.erotica, so there's no gain in using a threaded news reader. (Unknown source)

>> Hi,
>>
>> Does anybody know what makes my IDS (tripwire) go off at /etc each other day? No changes otherwise. Just the directory /etc being modified. I suppose something creates and removes again a file in /etc regularly, but can't figure out what it is.
>
> The daily maintenance and security cron jobs.

Those shouldn't create any files directly in /etc (more in /var). What you have seen is most likely a result of a mount command creating a temporary file named /etc/mtabXXX (XXXX is arbitrary) when /etc/mtab is changed. This changes the mtime of the directory inode.

> Charles

Roman.
-- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> // "You don't need eyes to see, |
  SuSE Linux AG - Security       Phone: //             you need vision!"
| Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
 -                                                                      -
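
Added example, not part of the original thread: a Python sketch for triaging the kind of alert discussed above, telling a directory whose only change is its own mtime/ctime apart from one whose entries really changed. The function names, the temporary directory standing in for /etc, the sample mtab line, and the assumption that the temporary file is renamed over the target are all illustrative.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(directory):
    """Record the directory's own mtime plus a content fingerprint of each entry."""
    entries = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        digest = None
        if stat.S_ISREG(st.st_mode):
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
        # Deliberately no inode or timestamps: a rewritten file gets new ones.
        entries[name] = (st.st_mode, st.st_uid, st.st_gid, st.st_size, digest)
    return os.stat(directory).st_mtime_ns, entries


def classify(before, after):
    """Triage a 'directory changed' alert from two snapshots."""
    (mtime0, old), (mtime1, new) = before, after
    differing = sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))
    if differing:
        return "entries-changed", differing
    if mtime0 != mtime1:
        return "directory-timestamp-only", []
    return "unchanged", []


def rewrite_via_tempfile(directory, name, data, mode=0o644):
    """Assumed update pattern: write <name>XXXX beside the file, then rename over it."""
    fd, tmp = tempfile.mkstemp(prefix=name, dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(tmp, mode)
    os.rename(tmp, os.path.join(directory, name))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed stand-in for /etc
        line = b"/dev/hda1 / ext2 rw 0 0\n"    # constructed sample content
        rewrite_via_tempfile(d, "mtab", line)
        os.utime(d, ns=(10**18, 10**18))       # age the directory so the change shows
        before = snapshot(d)
        rewrite_via_tempfile(d, "mtab", line)  # same content, new temp file + rename
        print(classify(before, snapshot(d)))
        rewrite_via_tempfile(d, "mtab", b"tampered\n")
        print(classify(before, snapshot(d)))
```

A "directory-timestamp-only" result matches the report at the top of the thread: an entry was created, removed or renamed inside the directory, yet every file still has the same mode, owner, size and hash.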

participants (4)
- Charles Philip Chan
- Matthias Riese
- Olaf Kirch
- Roman Drahtmueller