Michael,

This is not related to your AIDE question, but I too experienced a similar situation not too long ago. A client's box was compromised using an outdated php CMS system running a custom php add-on. We did not have the option to wait for a fix and needed to bring the server back online quickly.

I suspected the compromise took place via some file which was either uploaded to the tmp directory or upload directory and then executed via some flaw in php code (possibly sql injection). In addition to hardening the new LAMP stack, I mapped the tmp and upload directories to a filesystem mapped with nodev,nosuid,noexec options. We are still waiting for a complete fix for the php code, but none in sight :-) In the meantime, AIDE continues to provide some peace of mind :-)

Good luck,
Vijay

2011/6/21 Michael Chesterton <che...@chesterton.id.au>:
> Hey,
> I took over admin of a box that has been compromised via php web apps. I'm
> working towards a reinstall, but for now I've installed aide (amongst other
> things), and it has picked up some files being added to a php upload
> directory. These files appear at the top of the report in the summary added
> files section, but not at the bottom of the report in the detailed
> information about changes section. Any ideas why that might be?
> _______________________________________________
> Aide mailing list
> Aide@cs.tut.fi
> https://mailman.cs.tut.fi/mailman/listinfo/aide
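
Added example, not part of the original messages: a Python check that the tmp and upload directories mentioned in the reply are covered by a mount carrying nodev, nosuid and noexec, working from text in /proc/mounts format. The sample mount table and the /var/www/site/... paths are constructed for illustration.

```python
"""Audit that web-writable directories sit on nodev,nosuid,noexec mounts."""
import posixpath

REQUIRED = {"nodev", "nosuid", "noexec"}

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/www ext4 rw,relatime 0 0
/dev/sdb2 /var/www/site/uploads ext4 rw,nosuid,nodev,relatime 0 0
"""

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return [(mountpoint, set_of_options)] in listing order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append((_unescape(parts[1]), set(parts[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Mount covering path: longest matching mountpoint, last listed wins ties."""
    path = posixpath.normpath(path)
    best = None
    for mnt, opts in mounts:
        prefix = mnt.rstrip("/") + "/"   # "/tmp/" must not match "/tmpfoo"
        if (path + "/").startswith(prefix):
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, opts)
    return best

def missing_options(path, mounts):
    """Required options the covering mount lacks; an empty set means hardened."""
    found = mount_for(path, mounts)
    return set(REQUIRED) if found is None else REQUIRED - found[1]

if __name__ == "__main__":
    # On a live host: parse_mounts(open("/proc/mounts").read()), and pass
    # os.path.realpath(directory) so symlinked upload directories are resolved.
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for d in ("/tmp", "/var/www/site/uploads", "/var/www/site/cache"):
        gaps = missing_options(d, mounts)
        print(d, "OK" if not gaps else "missing " + ",".join(sorted(gaps)))
```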