Re: strange AIDE reports

To: debian-security@lists.debian.org
Subject: Re: strange AIDE reports
From: vegard@engen.priv.no (Vegard Engen)
Date: Mon, 24 Sep 2001 13:15:08 +0200
Message-id: <[🔎] 20010924131508.G14688@engen.priv.no>
In-reply-to: <[🔎] Pine.SOL.4.30.0109241358080.24547-100000@alya.utu.fi>; from juolja@utu.fi on Mon, Sep 24, 2001 at 02:02:49PM +0300
References: <[🔎] Pine.SOL.4.30.0109241358080.24547-100000@alya.utu.fi>

On Mon, Sep 24, 2001 at 02:02:49PM +0300, Juha Jäykkä wrote:
>   I keep receiving strange reports from AIDE. The number of changed
> files increases monotonically daily and the affair started immediately
> after installation, so I doubt there has been a break-in - unless
> someone managed to spoof my DNS queries or hijack my connections to
> ftp.fi.debian.org. Aside from the understandable (are they, really?)
> changes in Ctimes of /dev/xconsole and /dev/tty*, I get the following
> (for example):
> File: /usr/bin/splay
> MD5: old = nuNALnPFG98QSxxAeJ2rZw== , new = hBi7I+KhEOWW5mfSciXJlg==
> SHA1: old = 3lpox5dX50hvj3p6z0nyZ/cshFg= , new = mFPQd21+i8fF2LQJVZLitJZFx2U=
> 
> File: /usr/lib/Amaya/applis/bin/amaya
> MD5: old = IQwcW65xdJIoC3/pAh6P8A== , new = 2HG/njXLRrF1GTp7Rd3EVw==
> 
>   The software versions are (all are unstable/i386):

[snip] rest.

>   Any ideas except a break-in?

Well - you say you're using unstable. Are you updating your system? There are
a lot of changes in unstable. After a package replacement, binary files will
of course have changed.
-- 
- Vegard Engen, member of the first RFC1149 implementation team.

Reply to:

Follow-Ups:
- Re: strange AIDE reports
  - From: Juha Jäykkä <juolja@utu.fi>

References:
- strange AIDE reports
  - From: Juha Jäykkä <juolja@utu.fi>

Prev by Date: strange AIDE reports
Next by Date: Re: strange AIDE reports
Previous by thread: strange AIDE reports
Next by thread: Re: strange AIDE reports
Index(es):
- Date
- Thread