AIDE warnings following kernel upgrade
Hi,
I'm writing regarding some strange behaviour on a machine of mine.
The machine:
Debian stable, previously running Debian sources 2.4.18, just upgraded
to a grsecurity-patched vanilla 2.4.27. Apache 1.3, Postfix, Mailman.
Fairly typical setup.
What happened:
As I said, I upgraded from the Debian sources (they appear to have a
handful of local DoS and priv-escalation vulnerabilities that have gone
unpatched) to 2.4.27 with GRSecurity patches applied.
After the upgrade, AIDE, which runs on a nightly cron, warns me that
nearly all files have been changed (contents of /lib/modules/2.4.18/,
which makes little sense, /bin/bash, /usr/bin/perl, /usr/lib/apt, files
in /var, /lib, /bin, /usr/local, you name it). The change appears to be
minor changes in the bcount (e.g. File: /bin/bash Bcount : 1001, 1000).
So obviously I'm worried about the possibility of an intrusion. This
seems a bit odd, however; while I don't trust the output of chkrootkit
(which doesn't find anything), I have to wonder about the conjunction
between this and the kernel upgrade. Is it likely that somebody loaded
something malicious into my boot loader (GRUB) so that when I rebooted
(first time in a few weeks), something nasty happened? If so, why would
so many files be changed (I wouldn't really expect someone to trojan
/usr/lib/libfakeroot...)? That makes it a bit obvious. Or is it possible
that somebody altered my sources so that when I got around to compiling
and upgrading, I loaded a trojaned version?
Further, is it possible that these restrictive GRSecurity options, or
simply the newer kernel, might result in these files failing their checks?
I'll admit, I'm trying to find reassurance that I haven't been rooted.
Rebuilding this machine will be a pain. Any ideas?
Thanks.
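One way to triage a report like the one described above, as an added example that is neither part of the original post nor part of AIDE itself: parse the per-file attribute lines into a table and separate entries where only the block count moved from entries where a content hash changed. The report text below is constructed in the shape of the "File: /bin/bash Bcount : 1001, 1000" line quoted in the post; every path beyond the two the post names, and every value, is invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of AIDE's per-file change listing, modelled on
# the "File: /bin/bash  Bcount : 1001, 1000" line quoted in the post. The paths
# /etc/motd and /usr/local/bin/example-tool and every value are invented.
SAMPLE_REPORT = """\
Detailed information about changes:
---------------------------------------------------
File: /bin/bash
  Bcount   : 1001                              , 1000
File: /usr/bin/perl
  Bcount   : 2081                              , 2080
File: /etc/motd
  Mtime    : 2004-08-30 10:00:00               , 2004-09-01 02:00:00
  Ctime    : 2004-08-30 10:00:00               , 2004-09-01 02:00:00
File: /usr/local/bin/example-tool
  Size     : 48312                             , 51200
  Bcount   : 96                                , 104
  MD5      : 0v1oB8d6FgyrZ5c6wQx2Cw==          , S7TtJ9f2lVbQ4Pz8mH1nEw==
"""

# Attributes whose change means the file's bytes differ, not just its metadata.
CONTENT_HASHES = {"MD5", "SHA1", "SHA256", "SHA512", "RMD160", "TIGER",
                  "CRC32", "HAVAL", "GOST"}

FILE_RE = re.compile(r"^File:\s+(\S+)\s*$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.+?)\s*,\s*(.+?)\s*$")


def parse_aide_report(text):
    """Return {path: {attribute: (old_value, new_value)}} for each listed file."""
    changes = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            changes[current]  # register the file even if no attribute line follows
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            attr, old, new = m.groups()
            changes[current][attr] = (old, new)
    return dict(changes)


def classify(attrs):
    """Label one file's set of changed attributes.

    content-changed : a hash differs, so the bytes on disk changed
    bcount-only     : only the allocated block count moved; hashes unchanged
    metadata-only   : timestamps, ownership, etc. changed; hashes unchanged
    unparsed        : the file was listed but no attribute line was recognised
    """
    changed = set(attrs)
    if not changed:
        return "unparsed"
    if changed & CONTENT_HASHES:
        return "content-changed"
    if changed <= {"Bcount"}:
        return "bcount-only"
    return "metadata-only"


def triage(changes):
    """Map every reported path to its classification."""
    return {path: classify(attrs) for path, attrs in changes.items()}


def summarize(changes):
    """Count files per classification; content-changed is the list to act on first."""
    counts = defaultdict(int)
    for label in triage(changes).values():
        counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    parsed = parse_aide_report(SAMPLE_REPORT)
    for path, label in sorted(triage(parsed).items()):
        print(f"{label:16} {path}")
    print(summarize(parsed))
```

A bcount-only entry whose hash attributes are absent from the diff shows no change to the file's bytes, so those entries can be set aside while the content-changed list is checked first; for files that belong to a Debian package, that check is a comparison against the package's recorded checksums (for example with debsums, run from a clean boot medium rather than the suspect system) before deciding whether a rebuild is needed.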