Re: [CentOS] Changes to inodes discovered by aide
Hi

Correct, looking at the log of prelink.full and prelink.quick the times match the inode changes using aide -c.

thanks
Jobst

On Fri, Sep 28, 2012 at 09:31:19AM +0100, Tony Molloy (tony.mol...@ul.ie) wrote:
> On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
> > Hi.
> >
> > On one of my servers aide just reported inode changes to a large bunch of files in a variety of directories, e.g. /usr/bin, /usr/sbin etc.
> >
> > This machine sits behind a couple of firewalls and it would be hard to get to.
> >
> > The day before I updated clam* and updated the aide database right after that:
> >
> >   -rw--- 1 root root 7407412 Sep 26 10:58 aide.db.gz
> >
> > The problem was that the changes were made when no-one was in the office, here are a few:
> >
> > Directory: /usr/sbin
> >   Mtime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42
> >   Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42
> >
> > File: /usr/sbin/wpa_supplicant
> >   Ctime: 2012-09-07 06:39:44 , 2012-09-27 06:36:40
> >   Inode: 2490595 , 2490536
> >   MD5 : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
> >   RMD160 : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= , AlSPQGiVe+/T8YdHDSIypI904kA=
> >   SHA256 : OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu , z1c9XCKVyjDzDuN7t32B+sbj6nil90TK
> >
> > File: /usr/sbin/clamav-milter
> >   Size : 202453 , 206637
> >   Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:37
> >   Inode: 2490507 , 2490625
> >   MD5 : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
> >   RMD160 : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= , MPbEoKH/ws3aWA+sBuycRvU9DP0=
> >   SHA256 : aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i , u0oTtBkHjchhlY8AIejOfKPoJRencpmK
> >
> > Yum does not report anything (last 4 lines of yum.log)
> >
> >   Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
> >   Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
> >   Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
> >   Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64
> >
> > I ran (a fresh install) of rkhunter, did not find a thing ...
> >
> > Is it possible that a change to one file sets off a domino effect of inode changes?
> >
> > thanks
> > Jobst
>
> Just a thought.
>
> I run tripwire, planning to switch to aide, and occasionally see the same. Lots of changes reported in /bin type directories. In my case it's caused by a run of prelink updating lots of files in /bin.
>
> Tony
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos

--
Though the pen IS mightier than the sword, the sword is mightier at any given moment.

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L  The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
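
The check described in the reply above, matching the times AIDE reported against the times prelink ran, as an added example that is not part of the original thread. The report excerpt is taken from the quoted message with the hash lines left out and the indentation assumed; the prelink run window and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Excerpt of the AIDE report quoted in the thread (hash lines left out).
REPORT = """\
Directory: /usr/sbin
  Mtime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42
  Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42
File: /usr/sbin/wpa_supplicant
  Ctime: 2012-09-07 06:39:44 , 2012-09-27 06:36:40
  Inode: 2490595 , 2490536
File: /usr/sbin/clamav-milter
  Size : 202453 , 206637
  Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:37
  Inode: 2490507 , 2490625
"""

# Constructed for this example: the thread does not give the prelink run times.
PRELINK_RUNS = [("2012-09-27 06:36:00", "2012-09-27 06:37:30")]

FMT = "%Y-%m-%d %H:%M:%S"
HEADER = re.compile(r"^(File|Directory):\s+(\S+)")
ATTR = re.compile(r"^\s*(\w+)\s*:\s*(.+?)\s+,\s+(.+?)\s*$")

def parse_report(text):
    """Return {path: {attribute: (old, new)}} from an AIDE changed-entry listing."""
    entries, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = entries.setdefault(m.group(2), {})
        elif current is not None and (m := ATTR.match(line)):
            current[m.group(1)] = (m.group(2), m.group(3))
    return entries

def triage(entries, runs):
    """Split paths into those whose new Ctime lies in a prelink run and the rest."""
    windows = [(datetime.strptime(a, FMT), datetime.strptime(b, FMT)) for a, b in runs]
    explained, unexplained = [], []
    for path, attrs in entries.items():
        new_ctime = attrs.get("Ctime", (None, None))[1]
        ts = datetime.strptime(new_ctime, FMT) if new_ctime else None
        hit = ts is not None and any(lo <= ts <= hi for lo, hi in windows)
        (explained if hit else unexplained).append(path)
    return explained, unexplained

if __name__ == "__main__":
    ok, review = triage(parse_report(REPORT), PRELINK_RUNS)
    print("matches a prelink run:", ok)
    print("needs a closer look:  ", review)
```

A timestamp match only shows that a change coincides with a prelink run; it says nothing about the file's content, so entries in the second list, and any change outside a known maintenance window, still need to be checked individually.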
Re: [CentOS] Changes to inodes discovered by aide
On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
> Hi.
>
> On one of my servers aide just reported inode changes to a large bunch of files in a variety of directories, e.g. /usr/bin, /usr/sbin etc.
>
> This machine sits behind a couple of firewalls and it would be hard to get to.
>
> The day before I updated clam* and updated the aide database right after that:
>
>   -rw--- 1 root root 7407412 Sep 26 10:58 aide.db.gz
>
> The problem was that the changes were made when no-one was in the office, here are a few:
>
> Directory: /usr/sbin
>   Mtime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42
>   Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42
>
> File: /usr/sbin/wpa_supplicant
>   Ctime: 2012-09-07 06:39:44 , 2012-09-27 06:36:40
>   Inode: 2490595 , 2490536
>   MD5 : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
>   RMD160 : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= , AlSPQGiVe+/T8YdHDSIypI904kA=
>   SHA256 : OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu , z1c9XCKVyjDzDuN7t32B+sbj6nil90TK
>
> File: /usr/sbin/clamav-milter
>   Size : 202453 , 206637
>   Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:37
>   Inode: 2490507 , 2490625
>   MD5 : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
>   RMD160 : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= , MPbEoKH/ws3aWA+sBuycRvU9DP0=
>   SHA256 : aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i , u0oTtBkHjchhlY8AIejOfKPoJRencpmK
>
> Yum does not report anything (last 4 lines of yum.log)
>
>   Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
>   Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
>   Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
>   Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64
>
> I ran (a fresh install) of rkhunter, did not find a thing ...
>
> Is it possible that a change to one file sets off a domino effect of inode changes?
>
> thanks
> Jobst

Just a thought.

I run tripwire, planning to switch to aide, and occasionally see the same. Lots of changes reported in /bin type directories. In my case it's caused by a run of prelink updating lots of files in /bin.

Tony
[CentOS] Changes to inodes discovered by aide
Hi.

On one of my servers aide just reported inode changes to a large bunch of files in a variety of directories, e.g. /usr/bin, /usr/sbin etc.

This machine sits behind a couple of firewalls and it would be hard to get to.

The day before I updated clam* and updated the aide database right after that:

  -rw--- 1 root root 7407412 Sep 26 10:58 aide.db.gz

The problem was that the changes were made when no-one was in the office, here are a few:

Directory: /usr/sbin
  Mtime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42
  Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:42

File: /usr/sbin/wpa_supplicant
  Ctime: 2012-09-07 06:39:44 , 2012-09-27 06:36:40
  Inode: 2490595 , 2490536
  MD5 : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
  RMD160 : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= , AlSPQGiVe+/T8YdHDSIypI904kA=
  SHA256 : OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu , z1c9XCKVyjDzDuN7t32B+sbj6nil90TK

File: /usr/sbin/clamav-milter
  Size : 202453 , 206637
  Ctime: 2012-09-26 10:55:15 , 2012-09-27 06:36:37
  Inode: 2490507 , 2490625
  MD5 : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
  RMD160 : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= , MPbEoKH/ws3aWA+sBuycRvU9DP0=
  SHA256 : aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i , u0oTtBkHjchhlY8AIejOfKPoJRencpmK

Yum does not report anything (last 4 lines of yum.log)

  Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
  Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
  Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
  Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64

I ran (a fresh install) of rkhunter, did not find a thing ...

Is it possible that a change to one file sets off a domino effect of inode changes?

thanks
Jobst

--
Diplomacy: The art of saying, Nice Doggy, until you can find a stick.

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L  The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia