OSEC

From: Mr Squirrel (ethalisyahoo.com)
Date: Tue Aug 14 2001 - 17:25:08 CDT


    Two questions:

    1) Do you have backup software that might have reset the archive bits on every file?

    2) Can you confirm/deny that the Windows 2000 file protection didn't audit all of your files and manipulate them somewhere?

    If ALL the files got changed and you can verify they were changed (a simple and unreliable method would be to get a list of all system files and their sizes and dates from a fresh install of the software and service packs and compare them to your current) then you might have gotten Root-Kit'ed.

    --- jfolkertsmarketlink.ca wrote:
    > Hello List!
    >
    > Hopefully I have missed something obvious here. Any advice would be greatly appreciated, especially any links, if you know of them.
    >
    > Here's the situation.
    >
    > I have a web server, with Tripwire (2.2.1) installed (NT 4.0 SP 6a) running IIS 4.0 and Microsoft Site Server Commerce Edition 3.0 SP 4. Everything patched, fully (on the NT and IIS side, not sure if there are any patches or upgrades for Tripwire).
    >
    > Tripwire seems to be running fine normally and only alerts on files that I know it should be alerted on, due to preset rules.
    >
    > Today when I came into the office and began reviewing the Tripwire reports, it was alerting to hundreds of violations, spanning the entire system (all drives, all directories). Looking deeper, every file that it alerted on was showing a modified Access time; nothing else was changed.
    >
    > Now the funny thing (at least to me) is that this "access time" change was not universal. For example, some files in the \WINNT\SYSTEM32 directory were changed (.dll's), but not all of them. The \REPAIR (all repair files) directory showed modifications, as well as other "strange" directories, such as downloaded files and archives, like a full version of IE 4.01 SP2 (all .CABS), and IE 5.0 (all .CABS).
    >
    > I have 2 theories, both completely wrong, I would suspect :0
    >
    > 1) Is there some type of NTFS "database" (for lack of a better word) that will periodically scan files to determine whether its DB is current with the actual file in the system? Is there such a thing in NT 4? I have found references to W2K file Journaling, but nothing similar for NT4 (and not much info on whether Journaling modifies Access Times in W2K).
    >
    > 2) That Site Server has some type of "self-heal" or repair facility that will periodically check to make sure that its core files exist? (sort of like the W2K file protection)
    >
    > I have also verified that the AV software DID not run, nor did any user access the files in question. The Security Event log verifies this as well.
    >
    > Any help would be appreciated, or is this just expected behaviour from NT?
    >
    > Justin
    >
    >

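The check suggested in the reply (a file list with sizes and dates from a fresh install, compared against the current host), written out as an added example that is not part of this thread. It goes beyond the reply's size/date comparison by also recording a SHA-256 per file, so a same-size edit is not missed, and it separates access-time-only changes like the ones Tripwire reported from mtime and content changes. The paths, sizes and epoch times in the sample inventories are constructed, not real NT files.

```python
import hashlib
import os
from collections import namedtuple

# Size and timestamps as in the suggested check, plus a SHA-256 so same-size edits are caught.
Entry = namedtuple("Entry", "size mtime atime sha256")

def inventory(root):
    """Walk root and build {relative path: Entry}; run once on a clean install, once on the host under review."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            inv[os.path.relpath(path, root)] = Entry(st.st_size, int(st.st_mtime), int(st.st_atime), digest)
    return inv

def classify(baseline, current):
    """Diff two inventories, separating access-time-only noise from mtime and content changes."""
    out = {k: [] for k in ("added", "missing", "content_changed", "mtime_only", "atime_only", "unchanged")}
    for path in sorted(set(baseline) | set(current)):
        b, c = baseline.get(path), current.get(path)
        if b is None:
            out["added"].append(path)
        elif c is None:
            out["missing"].append(path)
        elif b.size != c.size or b.sha256 != c.sha256:
            out["content_changed"].append(path)  # the case that warrants a closer look
        elif b.mtime != c.mtime:
            out["mtime_only"].append(path)  # rewritten with identical bytes, or timestamp touched
        elif b.atime != c.atime:
            out["atime_only"].append(path)  # only read: backup, scanner, indexer, defragmenter
        else:
            out["unchanged"].append(path)
    return out

# Constructed sample inventories (placeholder names, sizes and epoch times; not real NT files).
T0, T1 = 940000000, 997800000  # "fresh install" time and "this morning"
BASELINE = {
    r"WINNT\REPAIR\sample.sav": Entry(24576, T0, T0, "c" * 64),
    r"WINNT\SYSTEM32\sample1.dll": Entry(389120, T0, T0, "a" * 64),
}
CURRENT = {
    r"WINNT\REPAIR\sample.sav": Entry(24576, T1, T1, "d" * 64),      # same size, different bytes
    r"WINNT\SYSTEM32\sample1.dll": Entry(389120, T0, T1, "a" * 64),  # only the access time moved
    r"WINNT\SYSTEM32\extra.dll": Entry(4096, T1, T1, "e" * 64),      # absent from the baseline
}
```

On a real host, run `inventory()` against the system drive of a clean install and of the machine under review, and pass the two results to `classify()`; the baseline must be captured on a known-good system, not on the host being questioned.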