I run AIDE as a cron job every night. Following this I run aideinit immediately afterwards. Recently a few files have been shown to be changed, e.g.:
Output of the daily AIDE run (40 lines):

decode_base64: Illegal character: $
AIDE found differences between database and filesystem!!
Start timestamp: 2007-08-10 02:25:06

Summary:
  Total number of files: 53673
  Added files:           0
  Removed files:         0
  Changed files:         3

---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/share/consolefonts/lat4a-12.psf.gz
changed: /usr/lib/libX11.so.6.2.0
changed: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /usr/share/consolefonts/lat4a-12.psf.gz
  MD5      : /p/oVigAdBjBoZa9yIO/Fg== , iC7gCtiCl4yVKGf/S1A3Ug==
  SHA1     : kmkGQxwAZG4B0zCZJA/jka+Fzho= , uDmmdRBLXFLYX9jKU0OJL9yARZE=
  RMD160   : UNFzmstcv3ZuMr9Xq3pY8lQMP+I= , 7tG3/Ekz/e+GJW+fnD8vAWgql5s=
  TIGER    : OsCs3Do0/sLVplB02C75M8pys3rR7cLg , 0aWYAnGa89UfdimYio09fw0T+EEDheId
  CRC32    : AFRX8A== , IDEFJA==
  HAVAL    : dzU0B0GdL++56RG9KoI8WCLmQW03yl3N , amtXSn63yWMdIxgDPAPmrIzEc7tZrm23
  GOST     : zwQ2tUzkFTpqNacd6uF6mHOqUfLUydZy , /q7tZ/y2zIlOd/APiTV5GDR8gX+ldnif
  WHIRLPOOL: +haTjLS201qdypaIwp4Kn9b3eojAS9c0 , Iw1MgbD9ZfLAUEsf2+r9lHDVf8hpxyCQ

File: /usr/lib/libX11.so.6.2.0
  GOST     : 1Yjkol47W/0EsdSmgfNhU6DttUiuYcBA , jiIOacTb7tFjPj1I2grjGkCCRmEghQV+
  WHIRLPOOL: 1yH1LtLZ+Zp0yphEjjM+6THEr6nrDWgx , 6CDM6ItZaQbZb9OdXWbd3G88kpKWMCtx

File: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h
  MD5      : <NONE> , AT0P6OdbpDd+BQyNFsNgIg==

End of AIDE output.

The check was done against /var/lib/aide/aide.db with the following characteristics:
  Size   : 18068976
  Bcount : 35330
  Mtime  : 2007-08-09 02:59:38
  Ctime  : 2007-08-09 02:59:38
  Inode  : 32024
  MD5    : QJ0zo/uID+RwouCLhTf+pA==
  SHA1   : s7B1b4MnVu1YKx4XbOr9GdYO2Ho=
  RMD160 : EmxvI56znAwPl7M5shIsCl3kfiE=
  TIGER  : FTLEntv2L0c0Wv9pqu+NvZYKIBy1WFD/
  CRC32  : NuiKDQ==
  HAVAL  : awsvTBQYW90hgY/jjt8RBr7w4IqFFgBI
  GOST   : 8T8EUBNsxuLrzfrszXIRVdm96RWkMbIN

The AIDE run created a new database /var/lib/aide/aide.db.new with the following characteristics:
  Size   : 18068976
  Bcount : 35330
  Mtime  : 2007-08-10 02:43:05
  Ctime  : 2007-08-10 02:43:05
  Inode  : 36848
  MD5    : 72sEnikus+pND8VspZbR0A==
  SHA1   : scWoe+W/FGh5IhUoHc8PprSHqtc=
  RMD160 : 4d8UAri3GNAKBLby0kS7fek7ijQ=
  TIGER  : ny/XRnxDlLpqlqMLwQiUs3YTSeAY8kq1
  CRC32  : VhUJKg==
  HAVAL  : wWrV2igKLtkUSrZqYpv+G7PfqMVE3+Jq
  GOST   : yXF83kq6nBY05lZQHUf1KvAwYsVI4RH9

End of AIDE daily cron job at 2007-08-10 02:43, run time 1107 seconds

[end of report]

On other days a few other files have changed:

changed: /usr/lib/apache2/modules/libphp5.so

File: /usr/lib/apache2/modules/libphp5.so
  MD5      : ctbc/CusZAwmkkltfYhgLw== , FWW8EENGtip+/QNwPuoZcw==
  SHA1     : kPjqUsToFQXReMmGGhRkKB5uwJc= , /5GP8vvTlTdvjSQCeJBjMzP+Opc=
  RMD160   : gANqqjqYFrOwtjn9Ie0jILPOPJk= , aDU+KCXXJvg4Uvszq141L1O/6Gc=
  TIGER    : owsAMGW35nIC5qIXgW7RjtSjI5/itGW9 , 1AoMRYu8MveHRhisABSGezDLQFYKkYqp
  HAVAL    : ru1SKQ3VRMjDF7908BP9FgqIxufN+LJg , 6LjpJyj0X4kwi0S2GUZyebtaXleNlllr
  GOST     : jus1jZFIkTpSyIQsQUC8PBQhqlMtAdNe , zIBXSWlqcIkc69LqXhHy8CN+aXvYqTXb
  WHIRLPOOL: omJs7OVwE9Oy8r1vscKWB5fLbbsZ23PO , XNsuTuDqq6K7RnseFCz+WWQVj3tY1lof

changed: /usr/sbin/mysqlmanager

File: /usr/sbin/mysqlmanager
  GOST     : 8m8HiTpQjJXxB9uwSxnB3DNexayhpKC+ , j87DrLHc4vONNMyFsR1xYLpf9k8S3b7d
  WHIRLPOOL: t+sTOvUDxxlGeUBX10tFc/GTaCkUMtCc , AaoGBMvaDqrzfQgqEQvGryyoV4tjJfUu

Additionally, several files in /var/mail have been reported as changed. Because I use courier-imap and maildirs, these don't usually change.
I have booted my PC into a "rescue" disk and have run fsck /dev/hda1 etc. with no errors reported. I downloaded chkrootkit from the net and ran that from a chroot using this "rescue" disk, and no problems were reported. There does not appear to be anything suspicious in the logs. Usually AIDE does not report that any files on my system have changed. Could the line "decode_base64: Illegal character: $" be relevant (at the top of the first report)? Does anybody have any idea what's happening? I have not altered any of these files or upgraded or installed any software during this time.
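Added example, not part of the post and not AIDE's own code: a Python script that parses the "Detailed information about changes" section of an AIDE report like the one quoted above and checks the reported checksum differences for internal consistency. A genuine change to a file's content alters every checksum AIDE computes for it, so an entry where only some of the checksums differ (libX11.so.6.2.0 and mysqlmanager above show only GOST and WHIRLPOOL changing while MD5, SHA1 and the rest are unchanged) cannot describe a changed file; either the stored value or the freshly computed one is wrong. An old value of <NONE> means the database held no value for that attribute, which is not evidence of a content change either. The eight-attribute hash set and the SAMPLE_REPORT excerpt are taken from the post; the function and class names are mine, and the parser deliberately keys on the "File:" and "ATTR : old , new" tokens rather than on line breaks so that it also works on a report that a mail archive has run together onto one line.

```python
"""Parse an AIDE change report and sanity-check its checksum differences.

Added example (not from the post or from AIDE).  The attribute set and the
sample report come from the post; the function names are assumptions.
"""
import re
from dataclasses import dataclass, field

# Checksums AIDE records per file under the post's rule set.  Assumption read
# off the eight values shown for lat4a-12.psf.gz; adjust to /etc/aide/aide.conf.
HASH_ATTRS = frozenset(
    {"MD5", "SHA1", "RMD160", "TIGER", "CRC32", "HAVAL", "GOST", "WHIRLPOOL"})

# Excerpt of the report quoted in the post, values unchanged.
SAMPLE_REPORT = """\
AIDE found differences between database and filesystem!!
Start timestamp: 2007-08-10 02:25:06

---------------------------------------------------
Detailed information about changes:
---------------------------------------------------

File: /usr/share/consolefonts/lat4a-12.psf.gz
  MD5      : /p/oVigAdBjBoZa9yIO/Fg== , iC7gCtiCl4yVKGf/S1A3Ug==
  SHA1     : kmkGQxwAZG4B0zCZJA/jka+Fzho= , uDmmdRBLXFLYX9jKU0OJL9yARZE=
  RMD160   : UNFzmstcv3ZuMr9Xq3pY8lQMP+I= , 7tG3/Ekz/e+GJW+fnD8vAWgql5s=
  TIGER    : OsCs3Do0/sLVplB02C75M8pys3rR7cLg , 0aWYAnGa89UfdimYio09fw0T+EEDheId
  CRC32    : AFRX8A== , IDEFJA==
  HAVAL    : dzU0B0GdL++56RG9KoI8WCLmQW03yl3N , amtXSn63yWMdIxgDPAPmrIzEc7tZrm23
  GOST     : zwQ2tUzkFTpqNacd6uF6mHOqUfLUydZy , /q7tZ/y2zIlOd/APiTV5GDR8gX+ldnif
  WHIRLPOOL: +haTjLS201qdypaIwp4Kn9b3eojAS9c0 , Iw1MgbD9ZfLAUEsf2+r9lHDVf8hpxyCQ

File: /usr/lib/libX11.so.6.2.0
  GOST     : 1Yjkol47W/0EsdSmgfNhU6DttUiuYcBA , jiIOacTb7tFjPj1I2grjGkCCRmEghQV+
  WHIRLPOOL: 1yH1LtLZ+Zp0yphEjjM+6THEr6nrDWgx , 6CDM6ItZaQbZb9OdXWbd3G88kpKWMCtx

File: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h
  MD5      : <NONE> , AT0P6OdbpDd+BQyNFsNgIg==

End of AIDE output.
"""


@dataclass
class ChangedFile:
    path: str
    attrs: dict = field(default_factory=dict)   # attribute -> (old, new)


_FILE_RE = re.compile(r"File:\s*(\S+)")
_ATTR_RE = re.compile(r"\b([A-Z][A-Z0-9]*)\s*:\s*(\S+)\s*,\s*(\S+)")


def parse_aide_report(text):
    """Return {path: ChangedFile} for the detailed-changes section.

    Keys on 'File:' and 'ATTR : old , new' tokens, not on line breaks, so a
    report flattened onto one line parses the same.  Attributes whose values
    contain spaces (Mtime, Ctime) are not handled; the post shows checksums only.
    """
    start = text.find("Detailed information about changes:")
    end = text.find("End of AIDE output")
    section = text[max(start, 0):end if end >= 0 else len(text)]
    heads = list(_FILE_RE.finditer(section))
    files = {}
    for i, head in enumerate(heads):
        stop = heads[i + 1].start() if i + 1 < len(heads) else len(section)
        entry = ChangedFile(head.group(1))
        for attr, old, new in _ATTR_RE.findall(section[head.end():stop]):
            entry.attrs[attr] = (old, new)
        files[entry.path] = entry
    return files


def classify(entry, expected=HASH_ATTRS):
    """Say what the reported checksum differences for one file can mean."""
    hashes = {a: v for a, v in entry.attrs.items() if a in expected}
    if not hashes:
        return "metadata only: no checksum differs"
    if all(old == "<NONE>" for old, _ in hashes.values()):
        return ("newly recorded: the database had no value for %s, so this is "
                "not evidence that the content changed" % ", ".join(sorted(hashes)))
    if set(hashes) == expected:
        return "content changed: every checksum differs"
    unchanged = ", ".join(sorted(expected - set(hashes)))
    return ("inconsistent: only %s differ while %s are unchanged; a real content "
            "change alters every checksum, so the stored or the freshly computed "
            "value is wrong, not the file" % (", ".join(sorted(hashes)), unchanged))


def summarize(text, expected=HASH_ATTRS):
    """Map each changed path in an AIDE report to its verdict string."""
    return {p: classify(e, expected) for p, e in parse_aide_report(text).items()}


if __name__ == "__main__":
    for path, verdict in summarize(SAMPLE_REPORT).items():
        print(path)
        print("   ", verdict)
```

Run it over the saved mail from a cron run (or paste the report into SAMPLE_REPORT) and treat only the "content changed" entries as candidate modifications worth checking against the package that owns the file; "inconsistent" entries point at the database or the checksum computation, not at the file. If the rule set in aide.conf records fewer than the eight checksums for some files, pass that smaller set as `expected` for those paths, otherwise every such file would be reported as inconsistent.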