Old 09-28-2012, 02:03 AM
Jobst Schmalenbach
 
Changes to inodes discovered by aide

Hi.

On one of my servers aide just reported inode changes to a large bunch of files in a variety of directories, e.g. /usr/bin, /usr/sbin etc. This machine sits behind a couple of firewalls and it would be hard to get to.

The day before I updated "clam*" and updated the aide database right after that:

-rw------- 1 root root 7407412 Sep 26 10:58 aide.db.gz


The problem was that the changes were made when no-one was in the office, here are a few:

Directory: /usr/sbin
Mtime : 2012-09-26 10:55:15 , 2012-09-27 06:36:42
Ctime : 2012-09-26 10:55:15 , 2012-09-27 06:36:42
File: /usr/sbin/wpa_supplicant
Ctime : 2012-09-07 06:39:44 , 2012-09-27 06:36:40
Inode : 2490595 , 2490536
MD5 : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
RMD160 : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= , AlSPQGiVe+/T8YdHDSIypI904kA=
SHA256 : OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu , z1c9XCKVyjDzDuN7t32B+sbj6nil90TK
File: /usr/sbin/clamav-milter
Size : 202453 , 206637
Ctime : 2012-09-26 10:55:15 , 2012-09-27 06:36:37
Inode : 2490507 , 2490625
MD5 : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
RMD160 : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= , MPbEoKH/ws3aWA+sBuycRvU9DP0=
SHA256 : aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i , u0oTtBkHjchhlY8AIejOfKPoJRencpmK


Yum does not report anything (last 4 lines of yum.log)

Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64

I ran a fresh install of rkhunter; it did not find a thing ...

Is it possible that a change to one file sets off a domino effect of inode changes?


thanks
Jobst




--
Diplomacy: The art of saying, "Nice Doggy," until you can find a stick.

| |0| | Jobst Schmalenbach, jobst@barrett.com.au, General Manager
| | |0| Barrett Consulting Group P/L & The Meditation Room P/L
|0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-28-2012, 08:31 AM
Tony Molloy
 
Changes to inodes discovered by aide

On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
> On one of my servers aide just reported inode changes to a large
> bunch of files in a variety of directories, e.g. /usr/bin,
> /usr/sbin etc. This machine sits behind a couple of firewalls and
> it would be hard to get to.
> [...]
> I ran a fresh install of rkhunter; it did not find a thing ...
>
> Is it possible that a change to one file sets off a domino effect of
> inode changes?
>

Just a thought. I run tripwire, planning to switch to aide, and
occasionally see the same. Lots of changes reported in /bin-type
directories. In my case it's caused by a run of prelink updating
lots of files in /bin.

Tony
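Tony's diagnosis, which Jobst confirms downthread, is the one to test first. prelink rewrites every ELF binary it touches by writing a new file and renaming it over the old one, so inode, ctime, size and all three digests change together, and in an AIDE report that is indistinguishable from a binary having been replaced. The script below is an added example, not code from the thread or from the AIDE, prelink or rpm projects. It pulls the flagged paths and their new ctimes out of an AIDE report (a constructed excerpt in the layout of Jobst's post), prints when the prelink cron markers were last touched, and asks `rpm -V` whether each file's package digest still matches. It assumes the CentOS 5/6 layout: /etc/cron.daily/prelink touches /var/lib/prelink/full or /var/lib/prelink/quick when it runs, and the prelink package installs /etc/rpm/macros.prelink so that rpm runs `prelink -y` to undo prelinking before hashing. The file names come from the post; the marker paths, the `rpm -V` flag layout and the verdict names are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an AIDE report in which
# every flagged binary may simply have been rewritten by the nightly
# prelink cron job.  prelink writes a new file and renames it over the
# old one, so inode, ctime, size and every digest change at once, which
# is exactly the signature a replaced binary would leave.
#
# Assumptions (CentOS 5/6 layout): the prelink cron job touches
# /var/lib/prelink/full or /var/lib/prelink/quick when it runs, and the
# prelink package installs /etc/rpm/macros.prelink so that `rpm -V` runs
# `prelink -y` before comparing file digests.  The AIDE excerpt is
# constructed to mirror the layout in the post.

AIDE_REPORT='Directory: /usr/sbin
Mtime : 2012-09-26 10:55:15 , 2012-09-27 06:36:42
Ctime : 2012-09-26 10:55:15 , 2012-09-27 06:36:42
File: /usr/sbin/wpa_supplicant
Ctime : 2012-09-07 06:39:44 , 2012-09-27 06:36:40
Inode : 2490595 , 2490536
File: /usr/sbin/clamav-milter
Size : 202453 , 206637
Ctime : 2012-09-26 10:55:15 , 2012-09-27 06:36:37
Inode : 2490507 , 2490625'

# Paths of the regular files AIDE flagged, one per line.
aide_changed_files() {
    printf '%s\n' "$1" | sed -n 's/^File: //p'
}

# New ctime (right-hand value of the "Ctime" line) AIDE recorded for
# one flagged file; prints "YYYY-MM-DD HH:MM:SS".
aide_new_ctime() {
    printf '%s\n' "$1" | awk -v f="$2" '
        $1 == "File:"             { cur = $2 }
        cur == f && $1 == "Ctime" { print $(NF-1), $NF; exit }'
}

# Classify the `rpm -V` line for one path.  rpm undoes prelinking before
# hashing, so a 5 (digest) or S (size) flag in the 9-character flag field
# means the *un-prelinked* content differs from the package: prelink does
# not explain that.  An empty line means rpm found nothing to report.
# Verdict names (ok, missing, content-changed, metadata-only) are ours.
classify_rpm_verify() {
    case "$1" in
        '')       echo ok ;;
        missing*) echo missing ;;
        *)
            flags=$(printf '%s' "$1" | cut -c1-9)
            case "$flags" in
                *5*|*S*) echo content-changed ;;
                *)       echo metadata-only ;;
            esac ;;
    esac
}

# Modification times of the prelink run markers, if this host has them;
# compare these with the new ctimes AIDE reports.
prelink_run_times() {
    for m in /var/lib/prelink/full /var/lib/prelink/quick; do
        [ -e "$m" ] && printf '%s last touched: %s\n' "$m" "$(stat -c %y "$m")"
    done
    return 0
}

# Verify one flagged file against its package; prints a verdict line and
# returns 1 when a human needs to look at it.
check_file() {
    f="$1"; report="$2"
    ctime=$(aide_new_ctime "$report" "$f")
    if ! command -v rpm >/dev/null 2>&1; then
        echo "$f: new ctime $ctime; rpm not available, verify by hand"
        return 0
    fi
    if ! pkg=$(rpm -qf "$f" 2>/dev/null); then
        echo "$f: new ctime $ctime; not owned by any package, investigate"
        return 1
    fi
    # rpm -V reports on the whole package; keep only this path's line.
    vline=$(rpm -V "$pkg" 2>/dev/null | awk -v p="$f" '$NF == p')
    verdict=$(classify_rpm_verify "$vline")
    echo "$f ($pkg): new ctime $ctime; rpm -V after prelink undo: $verdict"
    case "$verdict" in
        ok|metadata-only) return 0 ;;
        *)                return 1 ;;
    esac
}

# Walk the report; exit status is non-zero if any file needs attention.
triage() {
    report="$1"; bad=0
    prelink_run_times
    for f in $(aide_changed_files "$report"); do
        check_file "$f" "$report" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

triage "$AIDE_REPORT"
```

Run it as root on the affected host, or replace AIDE_REPORT with real `aide --check` output. A `content-changed` verdict, or a file that no package owns, is what deserves incident-response treatment; `metadata-only` with a new ctime that lines up with the prelink markers is the prelink case Tony describes. Two caveats. First, `rpm -V` trusts the RPM database on the same host, and anyone with root who swapped a binary could have edited that too, so for a real incident compare `prelink -y /path | sha256sum` against the digest taken from the original package file or from a known-clean host instead; note that CentOS 5 packages carry MD5 file digests while CentOS 6 packages carry SHA-256. Second, to stop the noise at its source, set PRELINKING=no in /etc/sysconfig/prelink, run `prelink -ua` to undo prelinking on every binary, and then rebuild the AIDE baseline (`aide --init`, then copy the new database over aide.db.gz) so that it describes un-prelinked files.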
 
Old 10-01-2012, 04:03 AM
Jobst Schmalenbach
 
Changes to inodes discovered by aide

Hi

Correct. Looking at the log of "prelink.full" and "prelink.quick", the
times match the inode changes found using "aide -c".

thanks
Jobst


On Fri, Sep 28, 2012 at 09:31:19AM +0100, Tony Molloy (tony.molloy@ul.ie) wrote:
> On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
> > [...]
> > Is it possible that a change to one file sets off a domino effect of
> > inode changes?
>
> Just a thought. I run tripwire, planning to switch to aide, and
> occasionally see the same. Lots of changes reported in /bin-type
> directories. In my case it's caused by a run of prelink updating
> lots of files in /bin.
>
> Tony

--
Though the pen IS mightier than the sword, the sword is mightier at any given moment.

| |0| | Jobst Schmalenbach, jobst@barrett.com.au, General Manager
| | |0| Barrett Consulting Group P/L & The Meditation Room P/L
|0|0|0| +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
