Security Portal: Tripwire - The Only Way to Really Know | Linux Today

Security Portal: Tripwire – The Only Way to Really Know

Written By
Web Webster
Web Webster
Jul 11, 2000

So you think you may have been hacked, but you’re really
not sure ’cause some crackers seem pretty stealthy. There really is
only one way to know – employ a file integrity checker
, like
Tripwire or AIDE. In this article, I’ll explain why you need
Tripwire/AIDE, what they do, and how you can deploy Tripwire. I’ll
give you a sample configuration that you can tune….”

“A cracker breaks into a system by exploiting an already present
vulnerability. After he hacks your computer, he’ll usually install
a rootkit and create or install several Trojan horses. The rootkit
replaces many of your system utilities to hide the attacker’s
activities. For instance, it replaces your ps command with one that
will not show the attacker’s programs. The Trojan horse programs
give the attacker a means to get back into your system with root,
so they don’t have to use the same exploit over and over.
(Sometimes, the cracker will even patch the original vulnerability,
to protect his new property!)”

“Your first (smaller) problem is this: you may not even know
you’ve been hacked! Often, the cracker doesn’t want to disrupt your
use/business – he just wants a launching platform for IRC bots,
DDoS programs, and sniffers. He’ll use his rootkit to stay out of
sight and the Trojan horses to regain access to the system without
tripping most forms of IDS. But, what if you do manage to realize
you’ve been hacked?”

“Your second, larger, problem comes in here: you don’t know
what’s changed on your system. Your system diagnostic tools have
all been replaced by a rootkit! You can’t trust ps, top, w, or even
ls…! You need some way of figuring out exactly what files have
changed, so you can put things back, patch any vulnerabilities, and
trust your own system again. You need a file integrity checker. You
absolutely, positively gotta kill every last illegal binary in the
room. Accept no substitutes!”

Complete
Story

Web Webster

Web Webster

Web Webster has more than 20 years of writing and editorial experience in the tech sector. He’s written and edited news, demand generation, user-focused, and thought leadership content for business software solutions, consumer tech, and Linux Today, he edits and writes for a portfolio of tech industry news and analysis websites including webopedia.com, and DatabaseJournal.com.

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.