
[ossec-list] Re: breakin?



Hi Martin,

I have seen it before on systems that have prelink enabled and when it
is updated, all binaries are changed. However, without more information
from your system, I can't tell for sure.

http://www.die.net/doc/linux/man/man8/prelink.8.html
https://mailman.cs.tut.fi/pipermail/aide/2005-May/000129.html

*Btw, I would suggest disabling it. The performance gain is very small
compared to the security costs (not knowing exactly which files
changed).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 5/23/07, Martin West <martin@xxxxxxxxxxxxxxxx> wrote:
>
>
> ossec just threw up some files in usr/bin had changed and they hadn't
> been upgraded by yum.
>
> Some stuff in ncurses and less, so I moved out to a quarantine folder
> and reinstalled the rpms for the affected files.
>
> How can I tell if this is a virus?
>
> Thanks
>
> --
> Regards
> Martin West
>
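
The check discussed in this thread, as an added example that is not part of the original messages or of OSSEC: it tells a binary that prelink merely rewrote apart from one whose original content changed, using the `--verify --md5` options documented in the prelink man page linked above. Assumptions: the baseline file of "md5  path" lines was recorded from trusted, un-prelinked copies, and the names `classify_change`, `check_baseline` and the `PRELINK` override are hypothetical.

```shell
#!/bin/sh
# Added example. PRELINK can be overridden so the logic can be exercised on a
# host where prelink is not installed.
PRELINK=${PRELINK:-prelink}

# Keep only the digest from a "digest  filename" line.
first_field() { awk 'NR == 1 { print $1 }'; }

# classify_change FILE BASELINE_MD5
# Prints one of: unchanged | prelink-only | investigate | missing
classify_change() {
    file=$1
    baseline=$2
    [ -f "$file" ] || { echo missing; return 0; }

    # 1. Bytes on disk still match the trusted baseline.
    on_disk=$(md5sum "$file" | first_field)
    if [ "$on_disk" = "$baseline" ]; then echo unchanged; return 0; fi

    # 2. Ask prelink to undo its changes in memory and print the digest of
    #    the original file. A match means only prelink touched the binary.
    #    prelink fails (empty output) if the file was altered in any other way.
    if command -v "$PRELINK" >/dev/null 2>&1; then
        original=$("$PRELINK" --verify --md5 "$file" 2>/dev/null | first_field)
        if [ -n "$original" ] && [ "$original" = "$baseline" ]; then
            echo prelink-only; return 0
        fi
    fi

    # 3. Neither digest matches: treat as a real content change.
    echo investigate
}

# check_baseline BASELINE_FILE
# Classifies every "md5  path" entry; returns 1 if any file needs attention.
check_baseline() {
    status=0
    while read -r digest path; do
        [ -n "$path" ] || continue
        result=$(classify_change "$path" "$digest")
        printf '%s\t%s\n' "$result" "$path"
        [ "$result" = unchanged ] || [ "$result" = prelink-only ] || status=1
    done < "$1"
    return $status
}
```

Files reported as `investigate` or `missing` are the ones to compare against the package contents before reinstalling, since reinstalling first discards the evidence.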




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.