   CentOS 6 - Security Support
  Have I got a rootkit?
RikT (Newbie; Joined: 2012/5/20; Posts: 9)
Have I got a rootkit? #1
Hi,

I have just deployed a new CentOS 6 server on my network. I'm new to CentOS but not to Linux. On my previous servers (debian) I have run tripwire. After some experimentation I have managed to get a twpol that works fairly well for a minimal CentOS 6 install. However, yesterday my tripwire reported this:


===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Invariant Directories           66                0        0        0        
  Temporary directories           33                0        0        0        
  Tripwire Data Files             100               0        0        0        
  Critical devices                100               0        0        0        
* User binaries                   66                0        0        103      
  Tripwire Binaries               100               0        0        0        
* Libraries                       66                0        0        60       
* Operating System Utilities      100               0        0        2        
  File System and Disk Administraton Programs
                                  100               0        0        0        
  Kernel Administration Programs  100               0        0        0        
  Networking Programs             100               0        0        0        
  System Administration Programs  100               0        0        0        
  Hardware and Device Control Programs
                                  100               0        0        0        
  System Information Programs     100               0        0        0        
  Application Information Programs
                                  100               0        0        0        
  (/sbin/rtmon)
  Shell Related Programs          100               0        0        0        
  (/sbin/getkey)
  Critical Utility Sym-Links      100               0        0        0        
  Shell Binaries                  100               0        0        0        
  Critical system boot files      100               0        0        0        
  Critical configuration files    100               0        0        0        
  System boot changes             100               0        0        0        
  OS executables and libraries    100               0        0        0        
  Security Control                100               0        0        0        
  Login Scripts                   100               0        0        0        
  Root config files               100               0        0        0        

Total objects scanned:  21773
Total violations found:  165

===============================================================================
Object Detail: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 3
  ----------------------------------------

Modified object name:  /usr/sbin/bonobo-activation-sysconf
      
Modified object name:  /usr/sbin/mtr

Modified object name:  /usr/sbin/packagekitd
    
-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /usr/lib/anaconda-runtime/loader/loader
    
-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 99
  ----------------------------------------

Modified object name:  /usr/bin/activation-client
     
Modified object name:  /usr/bin/bc

Modified object name:  /usr/bin/brasero

Modified object name:  /usr/bin/cdda-player

Modified object name:  /usr/bin/cheese

Modified object name:  /usr/bin/csslint-0.6

Modified object name:  /usr/bin/dig

Modified object name:  /usr/bin/dwell-click-applet

Modified object name:  /usr/bin/eog

Modified object name:  /usr/bin/evince

Modified object name:  /usr/bin/expr

Modified object name:  /usr/bin/factor

Modified object name:  /usr/bin/festival

Modified object name:  /usr/bin/festival_client

Modified object name:  /usr/bin/foomatic-perl-data

Modified object name:  /usr/bin/gconftool-2

Modified object name:  /usr/bin/gedit

Modified object name:  /usr/bin/gnome-about-me

Modified object name:  /usr/bin/gnome-appearance-properties

Modified object name:  /usr/bin/gnome-audio-profiles-properties

Modified object name:  /usr/bin/gnome-default-applications-properties

Modified object name:  /usr/bin/gnome-keyboard-properties

Modified object name:  /usr/bin/gnome-open

Modified object name:  /usr/bin/gnome-panel

Modified object name:  /usr/bin/gnome-system-monitor

Modified object name:  /usr/bin/gnome-terminal

Modified object name:  /usr/bin/gnome-volume-control

Modified object name:  /usr/bin/gnome-volume-control-applet

Modified object name:  /usr/bin/gnomevfs-cat

Modified object name:  /usr/bin/gnomevfs-copy

Modified object name:  /usr/bin/gnomevfs-df

Modified object name:  /usr/bin/gnomevfs-info

Modified object name:  /usr/bin/gnomevfs-ls

Modified object name:  /usr/bin/gnomevfs-mkdir

Modified object name:  /usr/bin/gnomevfs-monitor

Modified object name:  /usr/bin/gnomevfs-mv

Modified object name:  /usr/bin/gnomevfs-rm

Modified object name:  /usr/bin/gpk-application

Modified object name:  /usr/bin/gpk-install-catalog

Modified object name:  /usr/bin/gpk-install-local-file

Modified object name:  /usr/bin/gpk-install-mime-type

Modified object name:  /usr/bin/gpk-install-package-name

Modified object name:  /usr/bin/gpk-install-provide-file

Modified object name:  /usr/bin/gpk-log

Modified object name:  /usr/bin/gpk-prefs

Modified object name:  /usr/bin/gpk-repo

Modified object name:  /usr/bin/gpk-update-icon

Modified object name:  /usr/bin/gpk-update-viewer

Modified object name:  /usr/bin/gssdp-device-sniffer

Modified object name:  /usr/bin/gst-inspect-0.10

Modified object name:  /usr/bin/gst-launch-0.10

Modified object name:  /usr/bin/gst-typefind-0.10

Modified object name:  /usr/bin/gst-xmlinspect-0.10

Modified object name:  /usr/bin/gst-xmllaunch-0.10

Modified object name:  /usr/bin/gthumb

Modified object name:  /usr/bin/host

Modified object name:  /usr/bin/idevice_id

Modified object name:  /usr/bin/idevicebackup

Modified object name:  /usr/bin/ideviceinfo

Modified object name:  /usr/bin/idevicesyslog

Modified object name:  /usr/bin/info

Modified object name:  /usr/bin/less

Modified object name:  /usr/bin/lua

Modified object name:  /usr/bin/nautilus

Modified object name:  /usr/bin/nautilus-autorun-software

Modified object name:  /usr/bin/nautilus-connect-server

Modified object name:  /usr/bin/nautilus-file-management-properties

Modified object name:  /usr/bin/nm-applet

Modified object name:  /usr/bin/nm-connection-editor

Modified object name:  /usr/bin/nslookup

Modified object name:  /usr/bin/nsupdate

Modified object name:  /usr/bin/pcregrep

Modified object name:  /usr/bin/pcretest

Modified object name:  /usr/bin/pidgin

Modified object name:  /usr/bin/pinentry-curses

Modified object name:  /usr/bin/pinentry-gtk-2

Modified object name:  /usr/bin/pkcon

Modified object name:  /usr/bin/pkgenpack

Modified object name:  /usr/bin/pkmon

Modified object name:  /usr/bin/plutil-1.2

Modified object name:  /usr/bin/pointer-capture-applet

Modified object name:  /usr/bin/qtconfig-qt4

Modified object name:  /usr/bin/reporter-rhtsupport

Modified object name:  /usr/bin/rsvg-convert

Modified object name:  /usr/bin/rsvg-view

Modified object name:  /usr/bin/seahorse

Modified object name:  /usr/bin/seahorse-daemon

Modified object name:  /usr/bin/totem

Modified object name:  /usr/bin/totem-audio-preview

Modified object name:  /usr/bin/totem-video-indexer

Modified object name:  /usr/bin/totem-video-thumbnailer

Modified object name:  /usr/bin/tsclient

Modified object name:  /usr/bin/update-mime-database

Modified object name:  /usr/bin/vim

Modified object name:  /usr/bin/vinagre

Modified object name:  /usr/bin/xmlcatalog

Modified object name:  /usr/bin/xmllint

Modified object name:  /usr/bin/xsltproc

Modified object name:  /usr/bin/yelp

-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib64)
Severity Level: 66
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 59
  ----------------------------------------

Modified object name:  /usr/lib64/festival/etc/audsp

Modified object name:  /usr/lib64/gthumb/libgthumb.so

Modified object name:  /usr/lib64/libabrt_web.so.0.0.1

Modified object name:  /usr/lib64/libarchive.so.2.8.3

Modified object name:  /usr/lib64/libbind9.so.60.0.4

Modified object name:  /usr/lib64/libbonoboui-2.so.0.0.0

Modified object name:  /usr/lib64/libbrasero-burn.so.0.2.0

Modified object name:  /usr/lib64/libbrasero-utils.so.0.2.0

Modified object name:  /usr/lib64/libcamel-1.2.so.14.0.1

Modified object name:  /usr/lib64/libcroco-0.6.so.3.0.1

Modified object name:  /usr/lib64/libdns.so.69.1.4

Modified object name:  /usr/lib64/libebackend-1.2.so.0.0.1

Modified object name:  /usr/lib64/libebook-1.2.so.9.3.1

Modified object name:  /usr/lib64/libecal-1.2.so.7.2.2

Modified object name:  /usr/lib64/libedata-book-1.2.so.2.4.1

Modified object name:  /usr/lib64/libedata-cal-1.2.so.6.0.2

Modified object name:  /usr/lib64/libedataserver-1.2.so.11.0.1

Modified object name:  /usr/lib64/libedataserverui-1.2.so.8.1.1

Modified object name:  /usr/lib64/libestools.so.1.2.96.1

Modified object name:  /usr/lib64/libexslt.so.0.8.15

Modified object name:  /usr/lib64/libglade-2.0.so.0.0.7

Modified object name:  /usr/lib64/libgnome-2.so.0.2800.0

Modified object name:  /usr/lib64/libgnome-media-profiles.so.0.0.0

Modified object name:  /usr/lib64/libgnomekbd.so.4.0.0

Modified object name:  /usr/lib64/libgnomekbdui.so.4.0.0

Modified object name:  /usr/lib64/libgnomeui-2.so.0.2400.1

Modified object name:  /usr/lib64/libgnomevfs-2.so.0.2400.2

Modified object name:  /usr/lib64/libgsf-1.so.114.0.15

Modified object name:  /usr/lib64/libgssdp-1.0.so.2.0.0

Modified object name:  /usr/lib64/libgstaudio-0.10.so.0.20.0

Modified object name:  /usr/lib64/libgstbase-0.10.so.0.25.0

Modified object name:  /usr/lib64/libgstfarsight-0.10.so.0.3.1

Modified object name:  /usr/lib64/libgstinterfaces-0.10.so.0.20.0

Modified object name:  /usr/lib64/libgstpbutils-0.10.so.0.20.0

Modified object name:  /usr/lib64/libgstreamer-0.10.so.0.25.0

Modified object name:  /usr/lib64/libgsttag-0.10.so.0.20.0

Modified object name:  /usr/lib64/libgstvideo-0.10.so.0.20.0

Modified object name:  /usr/lib64/libgtksourceview-2.0.so.0.0.0

Modified object name:  /usr/lib64/libgweather.so.1.5.2

Modified object name:  /usr/lib64/libimobiledevice.so.0.0.0

Modified object name:  /usr/lib64/libisc.so.62.1.1

Modified object name:  /usr/lib64/libisccc.so.60.0.0

Modified object name:  /usr/lib64/libisccfg.so.62.0.0

Modified object name:  /usr/lib64/liblwres.so.60.0.1

Modified object name:  /usr/lib64/libpackagekit-glib.so.12.0.6

Modified object name:  /usr/lib64/libpackagekit-glib2.so.12.0.6

Modified object name:  /usr/lib64/libpanel-applet-2.so.0.2.68

Modified object name:  /usr/lib64/libpcreposix.so.0.0.0

Modified object name:  /usr/lib64/libplist.so.1.1.2

Modified object name:  /usr/lib64/libpurple.so.0.7.9

Modified object name:  /usr/lib64/librsvg-2.so.2.26.0

Modified object name:  /usr/lib64/libsoup-2.4.so.1.3.0

Modified object name:  /usr/lib64/libsoup-gnome-2.4.so.1.3.0

Modified object name:  /usr/lib64/libtotem-plparser.so.12.4.5

Modified object name:  /usr/lib64/libvte.so.9.2501.0

Modified object name:  /usr/lib64/libxklavier.so.15.0.0

Modified object name:  /usr/lib64/libxmlrpc.so.3.16

Modified object name:  /usr/lib64/libxmlrpc_client.so.3.16

Modified object name:  /usr/lib64/libxslt.so.1.1.26

-------------------------------------------------------------------------------
Rule Name: User binaries (/sbin)
Severity Level: 66
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /sbin/multipathd

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/grep)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /bin/grep

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/vi)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /bin/vi

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.


I hadn't performed an update recently and I can't think of anything I could have done to update these binaries. I have logged into this server from another server I run on the same network, which I don't think is rooted, but it has been up for several years. I have run chkrootkit and rkhunter which don't seem to have picked up anything, but I did not have these installed prior to the event that updated the binaries.

Any help or advice greatly received. I don't have physical access to the server for at least a week.

Thanks.
Posted on: 2012/5/25 16:30
pschaff (Moderator; Joined: 2006/12/13; From Tidewater, Virginia, North America; Posts: 18773)
Re: Have I got a rootkit? #2
Did your experimentation include installing the tripwire package from EPEL? I have not used it, but it rather appears whatever you are using is unaware of prelinking. I know that rkhunter must be correctly configured for RPM systems with prelink to avoid such errors.
_________________
Phil

Recommended reading: FAQ & Readme first ; Search hint: google "your topic site:centos.org"; Smart Questions
Posted on: 2012/5/25 18:43
RikT (Newbie; Joined: 2012/5/20; Posts: 9)
[SOLVED] Prelinking/Tripwire Re: Have I got a rootkit? #3
Thank you very much Phil. The timestamps for changes in the tripwire log match exactly when prelink was running as a cron job. I have disabled it by editing /etc/sysconfig/prelink.
Posted on: 2012/5/26 17:58
pschaff (Moderator; Joined: 2006/12/13; From Tidewater, Virginia, North America; Posts: 18773)
Re: [SOLVED] Prelinking/Tripwire Re: Have I got a rootkit? #4
That is not a good solution. Pre-linking is done for performance reasons and disabling it due to a false positive on an intrusion detection tool is counter-productive. Fix the tool instead. You never cited the source you are using.
_________________
Phil
Posted on: 2012/5/26 23:11
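Added example, not from the thread: a small POSIX shell triage for the situation described in posts #2 and #4. It pulls the "Modified object name" paths out of a Tripwire report and, on an RPM host, asks rpm -V whether each file still matches its package; rpm -V runs the prelink undo command from /etc/rpm/macros.prelink (shipped with the prelink package) before comparing digests, so a file that prelink merely rewrote verifies clean while a genuinely altered binary is flagged. The report excerpt is constructed; rpm, prelink and twprint are the real tools and are assumed to be installed.

```shell
#!/bin/sh
# Constructed Tripwire "Object Detail" excerpt (sample input, not the report from the thread).
SAMPLE_REPORT='-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/grep)
Severity Level: 100
-------------------------------------------------------------------------------
  ----------------------------------------
  Modified Objects: 1
  ----------------------------------------

Modified object name:  /bin/grep

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)

Modified object name:  /usr/bin/less

Modified object name:  /usr/bin/vim'

# Print the path of every modified object in a Tripwire report read on stdin,
# one per line (the "Modified object name:  /path" lines of the Object Detail section).
extract_modified() {
    awk '/^Modified object name:/ { print $4 }'
}

# Check one path against the RPM database. rpm -V undoes prelinking through the
# %__prelink_undo_cmd macro (/etc/rpm/macros.prelink) before comparing digests,
# so a binary that prelink rewrote verifies clean.
# Verdicts: OK (matches its package), CHANGED (rpm -V reports differences,
# e.g. S.5....T. = size, digest and mtime differ), ORPHAN (no package owns it).
check_file() {
    f=$1
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "ORPHAN $f"; return 0; }
    diffs=$(rpm -V "$pkg" 2>/dev/null | awk -v f="$f" '$NF == f')
    if [ -n "$diffs" ]; then
        echo "CHANGED $f [$pkg] $diffs"
    else
        echo "OK $f [$pkg]"
    fi
}

# Run the check over every modified object in a report fed on stdin.
# Without rpm (a non-RPM host) it only lists the paths.
triage_report() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found: listing modified paths only" >&2
        extract_modified
        return 0
    fi
    extract_modified | while read -r f; do check_file "$f"; done
}

# Usage with a real report:  twprint -m r -r /var/lib/tripwire/report/<host>.twr | triage_report
printf '%s\n' "$SAMPLE_REPORT" | triage_report
```

Once every flagged path reports OK, accept the new baseline with tripwire --update -r <report.twr> rather than turning prelink off, which is the kind of tool-side fix post #4 asks for; rkhunter's equivalent setting is PKGMGR=RPM in rkhunter.conf.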
RikT (Newbie; Joined: 2012/5/20; Posts: 9)
Re: [SOLVED] Prelinking/Tripwire Re: Have I got a rootkit? #5
Sorry. Yes - it's the EPEL package. I looked at several posts concerning prelinking and people were not reporting a noticeable performance decline when switching it off.
Posted on: 2012/5/27 6:00