Re: [CentOS] Changes to inodes discovered by aide

2012-09-30 Thread Jobst Schmalenbach
Hi

Correct, looking at the log of prelink.full and prelink.quick the
times match the inode changes using aide -c.

thanks
Jobst


On Fri, Sep 28, 2012 at 09:31:19AM +0100, Tony Molloy (tony.mol...@ul.ie) wrote:
 On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
  Hi.
  
  On one of my servers aide just reported inode changes to a large
   bunch of files in a variety of directories, e.g. /usr/bin,
   /usr/sbin etc. This machine sits behind a couple of firewalls and
   it would be hard to get to.
  
  The day before I updated clam* and updated the aide database
   right after that:
  
-rw---  1 root root 7407412 Sep 26 10:58 aide.db.gz
  
  
  The problem was that the changes were made when no-one was in the
   office, here are a few:
  
   Directory: /usr/sbin
    Mtime: 2012-09-26 10:55:15  , 2012-09-27 06:36:42
    Ctime: 2012-09-26 10:55:15  , 2012-09-27 06:36:42
   File: /usr/sbin/wpa_supplicant
    Ctime: 2012-09-07 06:39:44  , 2012-09-27 06:36:40
    Inode: 2490595  , 2490536
    MD5  : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
    RMD160   : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= , AlSPQGiVe+/T8YdHDSIypI904kA=
    SHA256   : OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu , z1c9XCKVyjDzDuN7t32B+sbj6nil90TK
   File: /usr/sbin/clamav-milter
    Size : 202453   , 206637
    Ctime: 2012-09-26 10:55:15  , 2012-09-27 06:36:37
    Inode: 2490507  , 2490625
    MD5  : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
    RMD160   : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= , MPbEoKH/ws3aWA+sBuycRvU9DP0=
    SHA256   : aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i , u0oTtBkHjchhlY8AIejOfKPoJRencpmK
  
  
  Yum does not report anything (last 4 lines of yum.log)
  
 Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
 Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
 Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
 Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64
  
  I ran (a fresh install of) rkhunter, did not find a thing ...
  
  Is it possible that a change to one file sets off a domino effect of
   inode changes?
  
  
  thanks
  Jobst
  
 
 Just a thought. I run tripwire, planning to switch to aide, and 
 occasionally see the same. Lots of changes reported in /bin 
 type directories. In my case it's caused by a run of prelink updating 
 lots of files in /bin.
 
 Tony
 ___
 CentOS mailing list
 CentOS@centos.org
 http://lists.centos.org/mailman/listinfo/centos

-- 
Though the pen IS mightier than the sword, the sword is mightier at any given 
moment.

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L  The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia
 
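An added illustration, not written by any of the posters in this thread: a POSIX shell script that takes an aide report in the layout quoted above plus a prelink log, and reports which ctime changes fall inside a prelink run and which do not. The report excerpt reuses the two new ctimes from the thread (06:36:40 and 06:36:37 on 2012-09-27) and adds one constructed path; the prelink log lines and their "run started"/"run finished" format are constructed assumptions, since the real layout of the prelink logs is not shown in the thread, and SLACK is an assumed tolerance around each run.

```shell
#!/bin/sh
# Correlate ctime changes from an aide report with prelink runs.
# Added example for this thread, not from the posters. Sample report and
# log contents are constructed; the prelink log format is an assumption.

# "YYYY-MM-DD HH:MM:SS" -> seconds since the epoch, in plain sh arithmetic
# (days_from_civil algorithm). Both files come from the same host, so the
# timezone cancels out and UTC is assumed.
to_epoch() {
    y=${1%%-*}; r=${1#*-}; m=${r%%-*}; r=${r#*-}; d=${r%% *}; t=${r#* }
    hh=${t%%:*}; r=${t#*:}; mm=${r%%:*}; ss=${r#*:}
    m=${m#0}; d=${d#0}; hh=${hh#0}; mm=${mm#0}; ss=${ss#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); mp=$((m + 9)); else mp=$((m - 3)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    days=$((era * 146097 + doe - 719468))
    echo $((days * 86400 + hh * 3600 + mm * 60 + ss))
}

# Print "new-ctime|path" for each File: entry in an aide report that has a
# Ctime line (the "old , new" layout seen in the quoted report).
changed_ctimes() {
    awk '/^File: /{f=$2}
         /^ *Ctime *:/{ sub(/^.*, */, ""); sub(/ *$/, ""); if (f != "") print $0 "|" f }' "$1"
}

# Print "start-epoch|end-epoch" per prelink run. Assumed log format:
# "<timestamp> prelink run started" / "<timestamp> prelink run finished".
prelink_runs() {
    start=
    while IFS= read -r line; do
        ts=$(printf '%s' "$line" | cut -c1-19)
        case $line in
            *"run started"*)  start=$(to_epoch "$ts") ;;
            *"run finished"*) [ -n "$start" ] && printf '%s|%s\n' "$start" "$(to_epoch "$ts")" ;;
        esac
    done < "$1"
}

SLACK=${SLACK:-120}   # assumed tolerance (seconds) around each run

# Return 0 if epoch $1 falls inside any run listed in $2 (output of prelink_runs).
in_prelink_run() {
    while IFS='|' read -r s e; do
        [ -n "$s" ] || continue
        if [ "$1" -ge $((s - SLACK)) ] && [ "$1" -le $((e + SLACK)) ]; then
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# Classify every changed file: EXPLAINED (inside a prelink run) or UNEXPLAINED.
explain_changes() {
    runs=$(prelink_runs "$2")
    changed_ctimes "$1" | while IFS='|' read -r ctime path; do
        if in_prelink_run "$(to_epoch "$ctime")" "$runs"; then
            printf 'EXPLAINED   %s (ctime %s)\n' "$path" "$ctime"
        else
            printf 'UNEXPLAINED %s (ctime %s)\n' "$path" "$ctime"
        fi
    done
}

# Constructed sample data: two entries reuse the thread's timestamps, the third
# path and all prelink log lines are invented for the demonstration.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/aide.report" <<'EOF'
File: /usr/sbin/wpa_supplicant
 Ctime    : 2012-09-07 06:39:44        , 2012-09-27 06:36:40
 Inode    : 2490595                    , 2490536
File: /usr/sbin/clamav-milter
 Ctime    : 2012-09-26 10:55:15        , 2012-09-27 06:36:37
 Inode    : 2490507                    , 2490625
File: /usr/local/bin/oddball
 Ctime    : 2012-09-20 01:00:00        , 2012-09-27 22:14:03
EOF
    cat > "$dir/prelink.log" <<'EOF'
2012-09-27 06:35:58 prelink run started
2012-09-27 06:37:12 prelink run finished
EOF
    explain_changes "$dir/aide.report" "$dir/prelink.log"
    rm -rf "$dir"
}

demo
```

Anything printed as UNEXPLAINED is what still deserves a look after prelink has been ruled out; on a real host the two inputs would be the saved aide report and the prelink log, and the log parser would need adjusting to the actual line format.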


Re: [CentOS] Changes to inodes discovered by aide

2012-09-28 Thread Tony Molloy
On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
 Hi.
 
 On one of my servers aide just reported inode changes to a large
  bunch of files in a variety of directories, e.g. /usr/bin,
  /usr/sbin etc. This machine sits behind a couple of firewalls and
  it would be hard to get to.
 
 The day before I updated clam* and updated the aide database
  right after that:
 
   -rw---  1 root root 7407412 Sep 26 10:58 aide.db.gz
 
 
 The problem was that the changes were made when no-one was in the
  office, here are a few:
 
  Directory: /usr/sbin
   Mtime: 2012-09-26 10:55:15  , 2012-09-27 06:36:42
   Ctime: 2012-09-26 10:55:15  , 2012-09-27 06:36:42
  File: /usr/sbin/wpa_supplicant
   Ctime: 2012-09-07 06:39:44  , 2012-09-27 06:36:40
   Inode: 2490595  , 2490536
   MD5  : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
   RMD160   : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= , AlSPQGiVe+/T8YdHDSIypI904kA=
   SHA256   : OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu , z1c9XCKVyjDzDuN7t32B+sbj6nil90TK
  File: /usr/sbin/clamav-milter
   Size : 202453   , 206637
   Ctime: 2012-09-26 10:55:15  , 2012-09-27 06:36:37
   Inode: 2490507  , 2490625
   MD5  : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
   RMD160   : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= , MPbEoKH/ws3aWA+sBuycRvU9DP0=
   SHA256   : aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i , u0oTtBkHjchhlY8AIejOfKPoJRencpmK
 
 
 Yum does not report anything (last 4 lines of yum.log)
 
Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64
 
 I ran (a fresh install of) rkhunter, did not find a thing ...
 
 Is it possible that a change to one file sets off a domino effect of
  inode changes?
 
 
 thanks
 Jobst
 

Just a thought. I run tripwire, planning to switch to aide, and 
occasionally see the same. Lots of changes reported in /bin 
type directories. In my case it's caused by a run of prelink updating 
lots of files in /bin.

Tony


[CentOS] Changes to inodes discovered by aide

2012-09-27 Thread Jobst Schmalenbach
Hi.

On one of my servers aide just reported inode changes to a large bunch of files 
in a variety of directories, e.g. /usr/bin, /usr/sbin etc. This machine sits 
behind a couple of firewalls and it would be hard to get to.

The day before I updated clam* and updated the aide database right after that:

  -rw---  1 root root 7407412 Sep 26 10:58 aide.db.gz


The problem was that the changes were made when no-one was in the office, here 
are a few:

   Directory: /usr/sbin
 Mtime: 2012-09-26 10:55:15  , 2012-09-27 06:36:42
 Ctime: 2012-09-26 10:55:15  , 2012-09-27 06:36:42
   File: /usr/sbin/wpa_supplicant
 Ctime: 2012-09-07 06:39:44  , 2012-09-27 06:36:40
 Inode: 2490595  , 2490536
 MD5  : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
 RMD160   : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= , AlSPQGiVe+/T8YdHDSIypI904kA=
 SHA256   : OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu , z1c9XCKVyjDzDuN7t32B+sbj6nil90TK
   File: /usr/sbin/clamav-milter
 Size : 202453   , 206637
 Ctime: 2012-09-26 10:55:15  , 2012-09-27 06:36:37
 Inode: 2490507  , 2490625
 MD5  : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
 RMD160   : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= , MPbEoKH/ws3aWA+sBuycRvU9DP0=
 SHA256   : aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i , u0oTtBkHjchhlY8AIejOfKPoJRencpmK


Yum does not report anything (last 4 lines of yum.log)

   Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
   Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
   Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
   Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64

I ran (a fresh install of) rkhunter, did not find a thing ... 

Is it possible that a change to one file sets off a domino effect of inode 
changes?


thanks
Jobst




-- 
Diplomacy: The art of saying, Nice Doggy, until you can find a stick.

  | |0| |   Jobst Schmalenbach, jo...@barrett.com.au, General Manager
  | | |0|   Barrett Consulting Group P/L  The Meditation Room P/L
  |0|0|0|   +61 3 9532 7677, POBox 277, Caulfield South, 3162, Australia