[CentOS] Changes to inodes discovered by aide

Tony Molloy tony.molloy at ul.ie
Fri Sep 28 04:31:19 EDT 2012


On Friday 28 September 2012 03:03:31 Jobst Schmalenbach wrote:
> Hi.
> 
> On one of my servers aide just reported inode changes to a large
>  bunch of files in a variety of directories, e.g. /usr/bin,
>  /usr/sbin etc. This machine sits behind a couple of firewalls and
>  it would be hard to get to.
> 
> The day before I updated "clam*" and updated the aide database
>  right after that:
> 
>   -rw-------  1 root root 7407412 Sep 26 10:58 aide.db.gz
> 
> 
> The problem was that the changes were made when no-one was in the
>  office, here are a few:
> 
>    Directory: /usr/sbin
>      Mtime    : 2012-09-26 10:55:15              , 2012-09-27
>  06:36:42 Ctime    : 2012-09-26 10:55:15              , 2012-09-27
>  06:36:42 File: /usr/sbin/wpa_supplicant
>      Ctime    : 2012-09-07 06:39:44              , 2012-09-27
>  06:36:40 Inode    : 2490595                          , 2490536 MD5
>       : IVNJESmXwIG9XY0MowL3CA==         , DUQMpFMsKqlZgjOmJIp3OQ==
>  RMD160   : 4xuWhqqliTLM5Jx6zAvQ9f1PY1c=     ,
>  AlSPQGiVe+/T8YdHDSIypI904kA= SHA256   :
>  OaUWNIGUS9AhXEjV3p8Cg4TeIEjuQ/tu ,
>  z1c9XCKVyjDzDuN7t32B+sbj6nil90TK File: /usr/sbin/clamav-milter
>      Size     : 202453                           , 206637
>      Ctime    : 2012-09-26 10:55:15              , 2012-09-27
>  06:36:37 Inode    : 2490507                          , 2490625 MD5
>       : HoONWy9q+qbRzHtlTeR6Wg==         , klWTxNFmL8MEAQmIPwvHxg==
>  RMD160   : lfa72Vrh6Q2DWjf+UIxREAK4V1Y=     ,
>  MPbEoKH/ws3aWA+sBuycRvU9DP0= SHA256   :
>  aFRvKcA999IPRFJ2qByu8aKB6QmHpW5i ,
>  u0oTtBkHjchhlY8AIejOfKPoJRencpmK
> 
> 
> Yum does not report anything (last 4 lines os yum.log)
> 
>    Sep 21 10:40:11 Installed: ghostscript-fonts-5.50-13.1.1.noarch
>    Sep 26 10:55:14 Updated: clamav-0.97.6-1.el5.rf.x86_64
>    Sep 26 10:55:15 Updated: clamd-0.97.6-1.el5.rf.x86_64
>    Sep 26 10:55:15 Updated: clamav-milter-0.97.6-1.el5.rf.x86_64
> 
> I ran (a fresh install) of rkhunter, did not find a thing ...
> 
> Is it possible that a change to one file sets of a domino effect of
>  indode changes?
> 
> 
> thanks
> Jobst
> 

Just a thought. I run tripwire, planning to switch to aide, and 
occasionally see the same. Lots of changes reported reported in /bin 
type directories. In my case it's caused by a run of prelink updating 
lots of files in /bin.

Tony


More information about the CentOS mailing list