|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Intresting problem concerning libresolv.so.2
From: Paul Gear (paul
gear.dyndns.org)
Date: Fri Apr 18 2003 - 22:53:21 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Sam Evans wrote:
>I've run into an interesting dilema with a machine that's running Solaris
>8.. It would appear as if the /usr/lib/libresolv.so.2 file changed, but
>didn't really change..
>
>What I mean is this.. We run Tripwire on this box, and Tripwire reported
>that the hash sums were different than what it expected. Everything else
>was the same (timestamps, inode, block values, etc). This would indicate
>that the contents changed inside the file..
>
>What's also interesting is that this is the *only* file that was listed in
>the tripwire report for the day. Nothing else changed (at least according
>to Tripwire).
>
I've had this happen to me on Linux. Only one file had changed, and the
changes seemed to be random. I compared the file with a known good copy
and the changes certainly were not trojans or anything like that. Most
things worked, but occasionally i'd get freezing or crashes.
I asked for suggestions on this list, and the main ones were faulty
motherboard and/or RAM. It turned out to be a failing disk in the
software RAID set: when i removed the faulty disk from the RAID set,
everything worked fine. I had to work out which disk was bad through
trial and error: i rebooted with one disk disconnected and tripwire
didn't complain, and with the other one, tripwire found multiple bad
checksums.
I think it less likely that a Sun (presumably with SCSI disk?) would
exhibit this behaviour without at least providing some clue in the
hardware diagnostics, but it is possible.
Paul
----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-incidents
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]