[CentOS] Changes to inodes discovered by aide
Tony Molloy
tony.molloy at ul.ie
Fri Sep 28 08:31:19 UTC 2012
On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
> Hi.
>
> On one of my servers aide just reported inode changes to a large
> bunch of files in a variety of directories, e.g. /usr/bin,
> /usr/sbin etc. This machine sits behind a couple of firewalls and
> it would be hard to get to.
>
> The day before I updated "clam*" and updated the aide database
> right after that:
>
> -rw------- 1 root root 7407412 Sep 26 10:58 aide.db.gz
>
>
> The problem was that the changes were made when no-one was in the
> office, here are a few:
>
> Directory: /usr/sbin
> Mtime : 2012-09-26 10:55:15 , 2012-09-27
> 06:36:42 Ctime : 2012-09-26 10:55:15 , 2012-09-27
> 06:36:42 File: /usr/sbin/wpa_supplicant
> Ctime : 2012-09-07 06:39:44 , 2012-09-27
> 06:36:40 Inode : 2490595 , 2490536 MD5
> : IVNJESmXwIG9XY0MowL3CA== , DUQMpFMsKqlZgjOmJIp3OQ==
> RMD160 : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c= ,
> AlSPQGiVe+/T8YdHDSIypI904kA= SHA256 :
> OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu ,
> z1c9XCKVyjDzDuN7t32B+sbj6nil90TK File: /usr/sbin/clamav-milter
> Size : 202453 , 206637
> Ctime : 2012-09-26 10:55:15 , 2012-09-27
> 06:36:37 Inode : 2490507 , 2490625 MD5
> : HoONWy9q+qbRzHtlTeR6Wg== , klWTxNFmL8MEAQmIPwvHxg==
> RMD160 : lfa72Vrh6Q2DWjf+UIxREAK4V1Y= ,
> MPbEoKH/ws3aWA+sBuycRvU9DP0= SHA256 :
> aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i ,
> u0oTtBkHjchhlY8AIejOfKPoJRencpmK
>
>
> Yum does not report anything (last 4 lines os yum.log)
>
> Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
> Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
> Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
> Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64
>
> I ran (a fresh install) of rkhunter, did not find a thing ...
>
> Is it possible that a change to one file sets of a domino effect of
> indode changes?
>
>
> thanks
> Jobst
>
Just a thought. I run tripwire, planning to switch to aide, and
occasionally see the same. Lots of changes reported reported in /bin
type directories. In my case it's caused by a run of prelink updating
lots of files in /bin.
Tony
More information about the CentOS
mailing list