AIDE reports files as changed
I run AIDE as a cron job every night. Following this I run aideinit
immediately afterwards. Recently a few files have been shown to be changed,
e.g.:
Output of the daily AIDE run (40 lines):
decode_base64: Illegal character: $
AIDE found differences between database and filesystem!!
Start timestamp: 2007-08-10 02:25:06
Summary:
Total number of files: 53673
Added files: 0
Removed files: 0
Changed files: 3
---------------------------------------------------
Changed files:
---------------------------------------------------
changed: /usr/share/consolefonts/lat4a-12.psf.gz
changed: /usr/lib/libX11.so.6.2.0
changed: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h
--------------------------------------------------
Detailed information about changes:
---------------------------------------------------
File: /usr/share/consolefonts/lat4a-12.psf.gz
MD5 : /p/oVigAdBjBoZa9yIO/Fg== , iC7gCtiCl4yVKGf/S1A3Ug==
SHA1 : kmkGQxwAZG4B0zCZJA/jka+Fzho= , uDmmdRBLXFLYX9jKU0OJL9yARZE=
RMD160 : UNFzmstcv3ZuMr9Xq3pY8lQMP+I= , 7tG3/Ekz/e+GJW+fnD8vAWgql5s=
TIGER : OsCs3Do0/sLVplB02C75M8pys3rR7cLg ,
0aWYAnGa89UfdimYio09fw0T+EEDheId
CRC32 : AFRX8A== , IDEFJA==
HAVAL : dzU0B0GdL++56RG9KoI8WCLmQW03yl3N ,
amtXSn63yWMdIxgDPAPmrIzEc7tZrm23
GOST : zwQ2tUzkFTpqNacd6uF6mHOqUfLUydZy ,
/q7tZ/y2zIlOd/APiTV5GDR8gX+ldnif
WHIRLPOOL: +haTjLS201qdypaIwp4Kn9b3eojAS9c0 ,
Iw1MgbD9ZfLAUEsf2+r9lHDVf8hpxyCQ
File: /usr/lib/libX11.so.6.2.0
GOST : 1Yjkol47W/0EsdSmgfNhU6DttUiuYcBA ,
jiIOacTb7tFjPj1I2grjGkCCRmEghQV+
WHIRLPOOL: 1yH1LtLZ+Zp0yphEjjM+6THEr6nrDWgx ,
6CDM6ItZaQbZb9OdXWbd3G88kpKWMCtx
File: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h
MD5 : <NONE> , AT0P6OdbpDd+BQyNFsNgIg==
End of AIDE output.
The check was done against /var/lib/aide/aide.db with the following
characteristics:
Size : 18068976
Bcount : 35330
Mtime : 2007-08-09 02:59:38
Ctime : 2007-08-09 02:59:38
Inode : 32024
MD5 : QJ0zo/uID+RwouCLhTf+pA==
SHA1 : s7B1b4MnVu1YKx4XbOr9GdYO2Ho=
RMD160 : EmxvI56znAwPl7M5shIsCl3kfiE=
TIGER : FTLEntv2L0c0Wv9pqu+NvZYKIBy1WFD/
CRC32 : NuiKDQ==
HAVAL : awsvTBQYW90hgY/jjt8RBr7w4IqFFgBI
GOST : 8T8EUBNsxuLrzfrszXIRVdm96RWkMbIN
The AIDE run created a new database /var/lib/aide/aide.db.new with the
following characteristics:
Size : 18068976
Bcount : 35330
Mtime : 2007-08-10 02:43:05
Ctime : 2007-08-10 02:43:05
Inode : 36848
MD5 : 72sEnikus+pND8VspZbR0A==
SHA1 : scWoe+W/FGh5IhUoHc8PprSHqtc=
RMD160 : 4d8UAri3GNAKBLby0kS7fek7ijQ=
TIGER : ny/XRnxDlLpqlqMLwQiUs3YTSeAY8kq1
CRC32 : VhUJKg==
HAVAL : wWrV2igKLtkUSrZqYpv+G7PfqMVE3+Jq
GOST : yXF83kq6nBY05lZQHUf1KvAwYsVI4RH9
End of AIDE daily cron job at at 2007-08-10 02:43, run time 1107 seconds
[end of report]
On other days a few other files have changed:
changed: /usr/lib/apache2/modules/libphp5.so
File: /usr/lib/apache2/modules/libphp5.so
MD5 : ctbc/CusZAwmkkltfYhgLw== , FWW8EENGtip+/QNwPuoZcw==
SHA1 : kPjqUsToFQXReMmGGhRkKB5uwJc= , /5GP8vvTlTdvjSQCeJBjMzP+Opc=
RMD160 : gANqqjqYFrOwtjn9Ie0jILPOPJk= , aDU+KCXXJvg4Uvszq141L1O/6Gc=
TIGER : owsAMGW35nIC5qIXgW7RjtSjI5/itGW9 ,
1AoMRYu8MveHRhisABSGezDLQFYKkYqp
HAVAL : ru1SKQ3VRMjDF7908BP9FgqIxufN+LJg ,
6LjpJyj0X4kwi0S2GUZyebtaXleNlllr
GOST : jus1jZFIkTpSyIQsQUC8PBQhqlMtAdNe ,
zIBXSWlqcIkc69LqXhHy8CN+aXvYqTXb
WHIRLPOOL: omJs7OVwE9Oy8r1vscKWB5fLbbsZ23PO ,
XNsuTuDqq6K7RnseFCz+WWQVj3tY1lof
changed: /usr/sbin/mysqlmanager
File: /usr/sbin/mysqlmanager
GOST : 8m8HiTpQjJXxB9uwSxnB3DNexayhpKC+ ,
j87DrLHc4vONNMyFsR1xYLpf9k8S3b7d
WHIRLPOOL: t+sTOvUDxxlGeUBX10tFc/GTaCkUMtCc ,
AaoGBMvaDqrzfQgqEQvGryyoV4tjJfUu
Additionally, several files in /var/mail have been reported as changed.
Because I use courier-imap and maildirs, these don't usually change.
I have booted my PC into a "rescue" disk and have run fsck /dev/hda1 etc
with no errors reported. I downloaded chkrootkit from the net and ran that
from a chroot using this "rescue" disk, and no problems were reported.
There does not appear to be anything suspicious in the logs. Usually AIDE
does not report any files on my system have changed.
Could the line "decode_base64: Illegal character: $" be relevant (at the top
of the first report)?
Does anybody have any idea what's happening? I have not altered any of
these files or upgraded or installed any software during this time.
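One thing worth noticing in the reports above: AIDE only prints the attributes that differ between the database and the filesystem. For /usr/share/consolefonts/lat4a-12.psf.gz every digest differs, but for /usr/lib/libX11.so.6.2.0 only GOST and WHIRLPOOL differ while MD5, SHA1, RMD160, TIGER, CRC32 and HAVAL evidently still matched, and for ipt_CONNMARK.h the database simply had no MD5 stored. A real change to a file's contents alters every digest computed over it, so an entry where only some digests differ is inconsistent with a plain content change and points at the digest values themselves (how they were computed or stored) rather than at the file. The script below is an added example, not the poster's or AIDE's own code: it parses the "Detailed information about changes" section in the format shown in the post (the sample is the excerpt quoted above), glues AIDE's wrapped "old , new" pairs back together, and sorts each entry into one of those cases. The category names and the CHECKSUM_ATTRS list are my own choices.

```python
"""Classify the entries of an AIDE change report by which checksums differ.

Added example for triaging reports like the one in the post; not AIDE code.
"""
import re
from typing import Dict, Set, Tuple

# Checksum attribute names AIDE can record. The poster's database carries the
# first eight; SHA256/SHA512 are included for newer configurations.
CHECKSUM_ATTRS = {"MD5", "SHA1", "RMD160", "TIGER", "CRC32", "HAVAL",
                  "GOST", "WHIRLPOOL", "SHA256", "SHA512"}

# Excerpt of the report quoted in the post. AIDE prints the database value
# first and the value freshly computed from the filesystem second.
SAMPLE_REPORT = """\
Detailed information about changes:
---------------------------------------------------
File: /usr/share/consolefonts/lat4a-12.psf.gz
MD5 : /p/oVigAdBjBoZa9yIO/Fg== , iC7gCtiCl4yVKGf/S1A3Ug==
SHA1 : kmkGQxwAZG4B0zCZJA/jka+Fzho= , uDmmdRBLXFLYX9jKU0OJL9yARZE=
RMD160 : UNFzmstcv3ZuMr9Xq3pY8lQMP+I= , 7tG3/Ekz/e+GJW+fnD8vAWgql5s=
TIGER : OsCs3Do0/sLVplB02C75M8pys3rR7cLg ,
0aWYAnGa89UfdimYio09fw0T+EEDheId
CRC32 : AFRX8A== , IDEFJA==
HAVAL : dzU0B0GdL++56RG9KoI8WCLmQW03yl3N ,
amtXSn63yWMdIxgDPAPmrIzEc7tZrm23
GOST : zwQ2tUzkFTpqNacd6uF6mHOqUfLUydZy ,
/q7tZ/y2zIlOd/APiTV5GDR8gX+ldnif
WHIRLPOOL: +haTjLS201qdypaIwp4Kn9b3eojAS9c0 ,
Iw1MgbD9ZfLAUEsf2+r9lHDVf8hpxyCQ
File: /usr/lib/libX11.so.6.2.0
GOST : 1Yjkol47W/0EsdSmgfNhU6DttUiuYcBA ,
jiIOacTb7tFjPj1I2grjGkCCRmEghQV+
WHIRLPOOL: 1yH1LtLZ+Zp0yphEjjM+6THEr6nrDWgx ,
6CDM6ItZaQbZb9OdXWbd3G88kpKWMCtx
File: /usr/include/linux/netfilter_ipv4/ipt_CONNMARK.h
MD5 : <NONE> , AT0P6OdbpDd+BQyNFsNgIg==
End of AIDE output.
"""

ATTR_RE = re.compile(r"^([A-Za-z0-9]+)\s*:\s*(.*)$")


def parse_changes(report: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Return {path: {attribute: (db_value, fs_value)}} for the detailed section."""
    raw: Dict[str, Dict[str, str]] = {}
    current = last_attr = None
    in_details = False
    for line in (ln.strip() for ln in report.splitlines()):
        if line.startswith("Detailed information about changes"):
            in_details = True
            continue
        if not in_details or not line or line.startswith("---"):
            continue
        if line.startswith("End of AIDE output"):
            break
        if line.startswith("File: "):
            current = line[len("File: "):]
            raw[current] = {}
            last_attr = None
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            last_attr = m.group(1)
            raw[current][last_attr] = m.group(2)
        elif current is not None and last_attr is not None:
            # AIDE wraps long "old , new" pairs onto a second line; glue it on.
            raw[current][last_attr] += " " + line
    parsed: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for path, attrs in raw.items():
        parsed[path] = {}
        for name, value in attrs.items():
            old, _, new = value.partition(",")
            parsed[path][name] = (old.strip(), new.strip())
    return parsed


def configured_checksums(parsed: Dict[str, Dict[str, Tuple[str, str]]]) -> Set[str]:
    """Checksum attributes seen anywhere in the report: a lower bound on what
    the database records, which is enough to spot partial-digest entries."""
    seen: Set[str] = set()
    for attrs in parsed.values():
        seen |= set(attrs) & CHECKSUM_ATTRS
    return seen


def classify(attrs: Dict[str, Tuple[str, str]], configured: Set[str]) -> str:
    digests = {n: v for n, v in attrs.items() if n in CHECKSUM_ATTRS}
    if any("<NONE>" in pair for pair in digests.values()):
        return "digest-missing"    # one side never had a value recorded
    differing = {n for n, (old, new) in digests.items() if old != new}
    if not differing:
        return "metadata-only"     # size/mtime/perm changes, digests agree
    if differing >= configured:
        return "content-changed"   # every digest differs: consistent with a real edit
    # Some digests differ while the others matched: the digests disagree among
    # themselves, which a plain change of file contents cannot produce.
    return "partial-digests"


def triage(report: str) -> Dict[str, str]:
    parsed = parse_changes(report)
    configured = configured_checksums(parsed)
    return {path: classify(attrs, configured) for path, attrs in parsed.items()}


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT).items():
        print(f"{verdict:16} {path}")
```

Run against the excerpt this prints content-changed for lat4a-12.psf.gz, partial-digests for libX11.so.6.2.0 and digest-missing for ipt_CONNMARK.h. The same split is a sensible first pass over any nightly report: entries in the first bucket are what you compare against package checksums or a known-good copy, the other two are where to look at how the database was built and read (the poster's libX11 entry and the "decode_base64: Illegal character" line at the top of the same report both fall on that side).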