Re: strange AIDE reports
> Of course, but every time I run apt, I run aide --update, too, and
> move the aide.db.new to aide.db. Besides, this started right after
> installation - before installing anything new.

Silly to reply to myself, but I had a series of strange crashes: kswapd went defunct and after that pretty much nothing worked, as might be guessed, including 'shutdown -r now'. Did not have SysRQ built into the kernel...

So, I presumed that these might have something to do with my setting some drive parameters with hdparm (my drive insists on starting up in pio4 mode though both the chipset and the drive can do udma2 - seagate claims the drive can do udma4, but I now doubt it since IBM claims its ata100-drives can do only udma4 and this old drive certainly is not ata100). So, I reduced my drive setting to udma2. This stopped the crashes, but did not help aide. I ran, sequentially:

    aide --init
    mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
    aide --check

and got:

    Changed files:
    changed:/usr/bin/ddd
    changed:/usr/sbin
    changed:/usr/lib
    changed:/usr/lib/netscape/477/communicator/communicator-smotif.real
    changed:/usr/lib/librecode.so.0.0.0
    changed:/usr/lib/mozilla/components/libgkcontent.so
    changed:/usr/lib/mozilla/components/libmsgimap.so

I guarantee, mozilla was not running, netscape was not running and lsof (right after aide --check) did not report librecode.so.0.0.0 as open. I would be worried if aide reported some sensitive files (ddd or /usr/sbin could be regarded as sensitive) as changed, but these files seem totally random! After this, I reran 'aide --check' and got a segfault. Repeat it as many times as I would, it segfaulted every time... Aide broken? Aide version is sid's: 0.7-10.

-- 
 ---------------------------------------
| Juha Jäykkä, [EMAIL PROTECTED]        |
| home: http://www.utu.fi/~juolja/      |
 ---------------------------------------
Re: strange AIDE reports
> > Any ideas except a break-in?
> Well - you say you're using unstable. Are you updating your system? There are
> a lot of changes in unstable. After a package replacement, binary files will
> of course have changed.

Of course, but every time I run apt, I run aide --update, too, and move the aide.db.new to aide.db. Besides, this started right after installation - before installing anything new.

-- 
 ---------------------------------------
| Juha Jäykkä, [EMAIL PROTECTED]        |
| home: http://www.utu.fi/~juolja/      |
 ---------------------------------------
Re: strange AIDE reports
On Mon, Sep 24, 2001 at 02:02:49PM +0300, Juha Jäykkä wrote:
> I keep receiving strange reports from AIDE. The number of changed
> files increases monotonically daily and the affair started immediately
> after installation, so I doubt there has been a break-in - unless
> someone managed to spoof my DNS queries or hijack my connections to
> ftp.fi.debian.org. Aside from the understandable (are they, really?)
> changes in Ctimes of /dev/xconsole and /dev/tty*, I get the following
> (for example):
>
> File: /usr/bin/splay
> MD5: old = nuNALnPFG98QSxxAeJ2rZw== , new = hBi7I+KhEOWW5mfSciXJlg==
> SHA1: old = 3lpox5dX50hvj3p6z0nyZ/cshFg= , new = mFPQd21+i8fF2LQJVZLitJZFx2U=
>
> File: /usr/lib/Amaya/applis/bin/amaya
> MD5: old = IQwcW65xdJIoC3/pAh6P8A== , new = 2HG/njXLRrF1GTp7Rd3EVw==
>
> The software versions are (all are unstable/i386):
[snip] rest.
> Any ideas except a break-in?

Well - you say you're using unstable. Are you updating your system? There are a lot of changes in unstable. After a package replacement, binary files will of course have changed.

-- 
- Vegard Engen, member of the first RFC1149 implementation team.
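An added example, not from this thread, for the situation Vegard and Juha discuss above: it sorts AIDE's "changed:" paths by whether the file still matches the MD5 dpkg recorded at install time (a package upgrade explains it) or not, and re-hashes a file several times to catch a disk that returns different bytes on each read. The function names, the constructed report and the temporary files are my own; the md5sums file format and location are dpkg's.

```shell
#!/bin/sh
# Added example (not from the thread). Sort AIDE "changed:" entries on a Debian
# host into files that still match the MD5 dpkg recorded at install time (a
# package upgrade explains them), files that do not, and paths no package owns.
# dpkg keeps one "<md5>  <path-without-leading-slash>" line per file in
# /var/lib/dpkg/info/<package>.md5sums. Caveat: on a compromised host that
# database can be edited too, so prefer checksums from a clean copy of the .deb.

# classify_against_md5sums <md5sums-file> <root> <aide-report>
# <root> is prepended to every path: / on the live system, or the mount point
# of a disk inspected from another machine.
classify_against_md5sums() {
    sums=$1; root=$2; report=$3
    sed -n 's|^changed:\(/.*\)$|\1|p' "$report" | while IFS= read -r f; do
        expected=$(awk -v p="${f#/}" '$2 == p { print $1 }' "$sums")
        if [ -z "$expected" ]; then
            echo "unknown $f"      # directories and unpackaged files land here
        elif [ ! -f "$root$f" ]; then
            echo "missing $f"
        elif [ "$(md5sum "$root$f" | awk '{ print $1 }')" = "$expected" ]; then
            echo "match $f"
        else
            echo "mismatch $f"
        fi
    done
}

# read_is_stable <file> [passes]
# Hashes the same file repeatedly; differing results mean the disk (or its
# DMA/PIO setting) returns inconsistent data, which AIDE reports exactly like
# a real modification.
read_is_stable() {
    f=$1; n=${2:-3}; first=; i=0
    while [ "$i" -lt "$n" ]; do
        h=$(md5sum "$f" | awk '{ print $1 }')
        if [ -z "$first" ]; then
            first=$h
        elif [ "$h" != "$first" ]; then
            echo "unstable"; return 0
        fi
        i=$((i + 1))
    done
    echo "stable"
}

# On a real host (not run here):
#   cat /var/lib/dpkg/info/*.md5sums > /tmp/all.md5sums
#   aide --check > /tmp/aide.report
#   classify_against_md5sums /tmp/all.md5sums / /tmp/aide.report
```

A "mismatch" on a file that no apt run touched, or an "unstable" result, is the line worth chasing; a "match" after an upgrade is the case Vegard describes.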
strange AIDE reports
I keep receiving strange reports from AIDE. The number of changed files increases monotonically daily and the affair started immediately after installation, so I doubt there has been a break-in - unless someone managed to spoof my DNS queries or hijack my connections to ftp.fi.debian.org. Aside from the understandable (are they, really?) changes in Ctimes of /dev/xconsole and /dev/tty*, I get the following (for example):

    File: /usr/bin/splay
    MD5: old = nuNALnPFG98QSxxAeJ2rZw== , new = hBi7I+KhEOWW5mfSciXJlg==
    SHA1: old = 3lpox5dX50hvj3p6z0nyZ/cshFg= , new = mFPQd21+i8fF2LQJVZLitJZFx2U=

    File: /usr/lib/Amaya/applis/bin/amaya
    MD5: old = IQwcW65xdJIoC3/pAh6P8A== , new = 2HG/njXLRrF1GTp7Rd3EVw==

The software versions are (all are unstable/i386):

    Package: aide
    Version: 0.7-10

    Package: splay
    Version: 0.9.5.1-3

    Package: amaya
    Version: 5.1-1

Any ideas except a break-in?

-- 
 ---------------------------------------
| Juha Jäykkä, [EMAIL PROTECTED]        |
| home: http://www.utu.fi/~juolja/      |
 ---------------------------------------