I'm new to aide and tripwire. I'm currently running aide on one of my systems, and in the report I got today, the following entries showed up and are alarming me. I don't recall running "apt-get update && apt-get upgrade" on this woody system. I'm used to seeing the log files and ttys changing, which is normal from what I've read.
changed:/usr/bin
changed:/usr/bin/aide
changed:/usr/sbin

File: /usr/bin
  Mtime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
  Ctime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22

File: /usr/bin/aide
  MD5: old = Ou+SgZdGdcx4E3VPzKf2Fw== , new = Ys9Icpz79CrH9RxveA6Fhg==
  SHA1: old = 4S4enqdjjNR/JgOnKDmQ8y+KU8s= , new = fusOGPoAMUIwimDGfSIXFhezUKs=

File: /usr/sbin
  Mtime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
  Ctime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22

I'm thinking some kind of root-kit, but why would this show up? If done properly, the attacker would run --init with their new aide binary to replace the database. Anyway, I ran "aide --check" using a copy of the original database and it comes up with the same result as above. I also run snort, but in the recent flurry of "IIS attacks", it's hard to dig through the huge log files for other attacks that might be caught. If anyone has any ideas on this, I'd really appreciate it.

thanks,
jc

--
Jeff Coppock
Nortel Networks
Systems Engineer
http://nortelnetworks.com
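As an added example (not part of the post above), a small Python triage script for reports like this one: it parses the "File:" blocks, decodes AIDE's base64 digests into the hex form that md5sum and dpkg's *.md5sums files use, ranks a content change under a system binary directory above timestamp-only noise, and checks whether the new MD5 matches what the package manager recorded (a legitimate upgrade) or not. The REPORT text is the excerpt from the post, re-typed as a constructed sample; the md5sums content and the directory list are assumptions.

```python
import base64, re

# Constructed sample: the report excerpt from the post, one field per line.
REPORT = """\
File: /usr/bin
  Mtime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
  Ctime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
File: /usr/bin/aide
  MD5: old = Ou+SgZdGdcx4E3VPzKf2Fw== , new = Ys9Icpz79CrH9RxveA6Fhg==
  SHA1: old = 4S4enqdjjNR/JgOnKDmQ8y+KU8s= , new = fusOGPoAMUIwimDGfSIXFhezUKs=
File: /usr/sbin
  Mtime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
  Ctime: old = 2001-09-26 10:55:15, new = 2001-09-28 22:22:22
"""

CONTENT_ATTRS = {"MD5", "SHA1", "Size"}  # attributes that mean the bytes changed
SENSITIVE = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib")  # assumed list

def b64_to_hex(digest):
    """AIDE prints digests base64-encoded; md5sum and dpkg's *.md5sums use hex."""
    return base64.b64decode(digest).hex()

def parse_report(text):
    """Return {path: {attr: (old, new)}} from the 'File:' detail blocks."""
    files, cur = {}, None
    for line in text.splitlines():
        f = re.match(r"File:\s+(\S+)", line)
        a = re.match(r"\s*(\w+):\s+old = (.+?)\s*,\s*new = (.+?)\s*$", line)
        if f:
            cur = files.setdefault(f.group(1), {})
        elif a and cur is not None:
            cur[a.group(1)] = (a.group(2), a.group(3))
    return files

def triage(text):
    """critical: content changed under a binary dir; warn: either alone; info: rest."""
    out = {}
    for path, attrs in parse_report(text).items():
        content = bool(attrs.keys() & CONTENT_ATTRS)
        sensitive = any(path == d or path.startswith(d + "/") for d in SENSITIVE)
        out[path] = "critical" if content and sensitive else "warn" if content or sensitive else "info"
    return out

def matches_package(path, new_md5_b64, md5sums_text):
    """True if the new MD5 equals the hash dpkg recorded for that file ("<hex>  usr/bin/aide" lines)."""
    want = b64_to_hex(new_md5_b64)
    for line in md5sums_text.splitlines():
        h, _, rel = line.partition("  ")
        if "/" + rel.strip() == path:
            return h == want
    return False
```

If the new digest matches the package's md5sums entry the change is consistent with an upgrade; if it does not, and the aide binary itself is what changed, the report cannot be trusted to have come from a clean checker, which is why verifying from a known-good copy of aide and its database (as the post does) matters.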