AIDE reports files as changed

To: debian-user@lists.debian.org
Subject: AIDE reports files as changed
From: "Robert S" <robert.spam.me.senseless@gmail.com>
Date: Mon, 13 Aug 2007 19:39:17 +1000
Message-id: <[🔎] f9p8s3$pi8$1@sea.gmane.org>

I run AIDE as a cron job every night.  Following this I run aideinit 
immediately afterwards.  Recently a few files have been shown to be changed 
eg:

Output of the daily AIDE run (40 lines):
decode_base64: Illegal character: $
AIDE found differences between database and filesystem!!
Start timestamp: 2007-08-10 02:25:06

Summary:
  Total number of files: 53673
  Added files: 0
  Removed files: 0
  Changed files: 3


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /usr/share/consolefonts/lat4a-12.psf.gz
changed: /usr/lib/libX11.so.6.2.0
changed: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /usr/share/consolefonts/lat4a-12.psf.gz
  MD5      : /p/oVigAdBjBoZa9yIO/Fg==         , iC7gCtiCl4yVKGf/S1A3Ug==
  SHA1     : kmkGQxwAZG4B0zCZJA/jka+Fzho=     , uDmmdRBLXFLYX9jKU0OJL9yARZE=
  RMD160   : UNFzmstcv3ZuMr9Xq3pY8lQMP+I=     , 7tG3/Ekz/e+GJW+fnD8vAWgql5s=
  TIGER    : OsCs3Do0/sLVplB02C75M8pys3rR7cLg , 
0aWYAnGa89UfdimYio09fw0T+EEDheId
  CRC32    : AFRX8A==                         , IDEFJA==
  HAVAL    : dzU0B0GdL++56RG9KoI8WCLmQW03yl3N , 
amtXSn63yWMdIxgDPAPmrIzEc7tZrm23
  GOST     : zwQ2tUzkFTpqNacd6uF6mHOqUfLUydZy , 
/q7tZ/y2zIlOd/APiTV5GDR8gX+ldnif
  WHIRLPOOL: +haTjLS201qdypaIwp4Kn9b3eojAS9c0 , 
Iw1MgbD9ZfLAUEsf2+r9lHDVf8hpxyCQ

File: /usr/lib/libX11.so.6.2.0
  GOST     : 1Yjkol47W/0EsdSmgfNhU6DttUiuYcBA , 
jiIOacTb7tFjPj1I2grjGkCCRmEghQV+
  WHIRLPOOL: 1yH1LtLZ+Zp0yphEjjM+6THEr6nrDWgx , 
6CDM6ItZaQbZb9OdXWbd3G88kpKWMCtx

File: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h
  MD5      : <NONE>                           , AT0P6OdbpDd+BQyNFsNgIg==

End of AIDE output.

The check was done against /var/lib/aide/aide.db with the following 
characteristics:
  Size     : 18068976
  Bcount   : 35330
  Mtime    : 2007-08-09 02:59:38
  Ctime    : 2007-08-09 02:59:38
  Inode    : 32024
  MD5      : QJ0zo/uID+RwouCLhTf+pA==
  SHA1     : s7B1b4MnVu1YKx4XbOr9GdYO2Ho=
  RMD160   : EmxvI56znAwPl7M5shIsCl3kfiE=
  TIGER    : FTLEntv2L0c0Wv9pqu+NvZYKIBy1WFD/
  CRC32    : NuiKDQ==
  HAVAL    : awsvTBQYW90hgY/jjt8RBr7w4IqFFgBI
  GOST     : 8T8EUBNsxuLrzfrszXIRVdm96RWkMbIN

The AIDE run created a new database /var/lib/aide/aide.db.new with the 
following characteristics:
  Size     : 18068976
  Bcount   : 35330
  Mtime    : 2007-08-10 02:43:05
  Ctime    : 2007-08-10 02:43:05
  Inode    : 36848
  MD5      : 72sEnikus+pND8VspZbR0A==
  SHA1     : scWoe+W/FGh5IhUoHc8PprSHqtc=
  RMD160   : 4d8UAri3GNAKBLby0kS7fek7ijQ=
  TIGER    : ny/XRnxDlLpqlqMLwQiUs3YTSeAY8kq1
  CRC32    : VhUJKg==
  HAVAL    : wWrV2igKLtkUSrZqYpv+G7PfqMVE3+Jq
  GOST     : yXF83kq6nBY05lZQHUf1KvAwYsVI4RH9

End of AIDE daily cron job at at 2007-08-10 02:43, run time 1107 seconds

[end of report]
On other days a few other files have changed on other days:

changed: /usr/lib/apache2/modules/libphp5.so
File: /usr/lib/apache2/modules/libphp5.so
  MD5      : ctbc/CusZAwmkkltfYhgLw==         , FWW8EENGtip+/QNwPuoZcw==
  SHA1     : kPjqUsToFQXReMmGGhRkKB5uwJc=     , /5GP8vvTlTdvjSQCeJBjMzP+Opc=
  RMD160   : gANqqjqYFrOwtjn9Ie0jILPOPJk=     , aDU+KCXXJvg4Uvszq141L1O/6Gc=
  TIGER    : owsAMGW35nIC5qIXgW7RjtSjI5/itGW9 , 
1AoMRYu8MveHRhisABSGezDLQFYKkYqp
  HAVAL    : ru1SKQ3VRMjDF7908BP9FgqIxufN+LJg , 
6LjpJyj0X4kwi0S2GUZyebtaXleNlllr
  GOST     : jus1jZFIkTpSyIQsQUC8PBQhqlMtAdNe , 
zIBXSWlqcIkc69LqXhHy8CN+aXvYqTXb
  WHIRLPOOL: omJs7OVwE9Oy8r1vscKWB5fLbbsZ23PO , 
XNsuTuDqq6K7RnseFCz+WWQVj3tY1lof

changed: /usr/sbin/mysqlmanager
File: /usr/sbin/mysqlmanager
  GOST     : 8m8HiTpQjJXxB9uwSxnB3DNexayhpKC+ , 
j87DrLHc4vONNMyFsR1xYLpf9k8S3b7d
  WHIRLPOOL: t+sTOvUDxxlGeUBX10tFc/GTaCkUMtCc , 
AaoGBMvaDqrzfQgqEQvGryyoV4tjJfUu

Additionally, several files in /var/mail have been reported as changed. 
Because I use courier-imap and maildirs, these don't usually change.

I have booted my PC into a "rescue" disk and have run fsck /dev/hda1 etc 
with no errors reported.  I downloaded chkrootkit from the net and ran that 
from a chroot using this "rescue" disk, and no problems were reported. 
There does not appear to be anything suspicious in the logs.  Usually AIDE 
does not report any files on my system have changed.

Could the line "decode_base64: Illegal character: $" be relevant (at the top 
of the first report)?

Does anybody have any idea what's happening?  I have not altered any of 
these files or upgraded or installed any software during this time.

Reply to:

Follow-Ups:
- Re: AIDE reports files as changed
  - From: Michelle Konzack <linux4michelle@freenet.de>

Prev by Date: Re: Build a NAS/file server for mirror existent backup
Next by Date: Re: CD/DVD Burner Configuration
Previous by thread: Re: to lvm or not to lvm?
Next by thread: Re: AIDE reports files as changed
Index(es):
- Date
- Thread