The UNIX and Linux Forums  
Red Hat

AIDE on RHEL

#1, 10-05-2009
jess_t03 (Registered User)

Hello to all, I have a small question about AIDE logs.
I installed aide on RHEL:


Code:
# yum install aide -y

OK, then I ran aide --init with the default config file (/etc/aide.conf). I collect mail with statistics (Bash scripts with aide --check) AND SAW THIS!:


Code:
AIDE found differences between database and filesystem!!
Start timestamp: 2009-10-05 04:05:01

Summary:
  Total number of files:   62222
  Added files:             0
  Removed files:           0
  Changed files:           53


---------------------------------------------------
Changed files:
---------------------------------------------------

changed: /etc/aliases.db
changed: /etc/prelink.cache
changed: /var/log/spooler.3
changed: /var/log/spooler.4
changed: /var/log/boot.log
changed: /var/log/cron
changed: /var/log/messages
changed: /var/log/maillog.3
changed: /var/log/boot.log.4
changed: /var/log/boot.log.3
changed: /var/log/cron.2
changed: /var/log/maillog.2
changed: /var/log/cron.1
changed: /var/log/secure.4
changed: /var/log/rpmpkgs.3
changed: /var/log/secure.3
changed: /var/log/messages.3
changed: /var/log/secure.1
changed: /var/log/maillog.1
changed: /var/log/rpmpkgs.2
changed: /var/log/maillog
changed: /var/log/spooler
changed: /var/log/messages.1
changed: /var/log/cron.3
changed: /var/log/spooler.2
changed: /var/log/boot.log.1
changed: /var/log/maillog.4
changed: /var/log/messages.4
changed: /var/log/spooler.1
changed: /var/log/cron.4
changed: /var/log/rpmpkgs.1
changed: /var/log/boot.log.2
changed: /var/log/secure
changed: /var/log/rpmpkgs.4
changed: /var/log/secure.2
changed: /var/log/messages.2
changed: /usr/local/stat/report
changed: /usr/bin
changed: /usr/bin/install
changed: /usr/bin/vdir
changed: /usr/bin/setfacl
changed: /usr/bin/dir
changed: /usr/bin/getfacl
changed: /usr/bin/vim
changed: /usr/bin/rsync
changed: /usr/bin/chacl
changed: /root/.bash_history
changed: /bin
changed: /bin/vi
changed: /bin/cp
changed: /bin/ls
changed: /bin/tar
changed: /bin/mv

--------------------------------------------------
Detailed information about changes:
---------------------------------------------------


File: /etc/aliases.db
  Mtime    : 2009-09-30 14:59:22              , 2009-10-04 04:08:32
  Ctime    : 2009-09-30 14:59:22              , 2009-10-04 04:08:32
  MD5      : EsrXx1aqG4iMkaD6KAk6Eg==         , peih6zNxM7qWMZScyo+bwQ==
  SHA256   : reCnyT26keOyXxoMGMqBkSz5C/mU+B1v , BkqAs9GHyCHtzKpLL1pYeCJvlMrkyCaP

File: /etc/prelink.cache
  Inode    : 800127                           , 800126

File: /var/log/spooler.3
  Inode    : 676431                           , 676406

File: /var/log/spooler.4
  Inode    : 676424                           , 676431

File: /var/log/boot.log
  Inode    : 676412                           , 676367

File: /var/log/cron
  Size     : 9789                             , 4205
  Inode    : 676413                           , 676368

File: /var/log/messages
  Size     : 98152                            , 0
  Inode    : 676387                           , 676363

File: /var/log/maillog.3
  Size     : 5579                             , 5564
  Inode    : 676430                           , 676404

File: /var/log/boot.log.4
  Inode    : 676425                           , 676432

File: /var/log/boot.log.3
  Inode    : 676432                           , 676411

File: /var/log/cron.2
  Size     : 13640                            , 14743
  Inode    : 676416                           , 676418

File: /var/log/maillog.2
  Size     : 5564                             , 5917
  Inode    : 676404                           , 676400

File: /var/log/cron.1
  Size     : 14743                            , 24127
  Inode    : 676418                           , 676413

File: /var/log/secure.4
  Inode    : 676421                           , 676427

File: /var/log/rpmpkgs.3
  Inode    : 676300                           , 676393

File: /var/log/secure.3
  Size     : 0                                , 283
  Inode    : 676427                           , 676402

File: /var/log/messages.3
  Size     : 51552                            , 54130
  Inode    : 676390                           , 676401

File: /var/log/secure.1
  Size     : 1616                             , 9021
  Inode    : 676397                           , 676392

File: /var/log/maillog.1
  Size     : 5917                             , 37829
  Inode    : 676400                           , 676394

File: /var/log/rpmpkgs.2
  Inode    : 676393                           , 676386

File: /var/log/maillog
  Size     : 25282                            , 4492
  Inode    : 676394                           , 676365

File: /var/log/spooler
  Inode    : 676396                           , 676366

File: /var/log/messages.1
  Size     : 88054                            , 98152
  Inode    : 676395                           , 676387

File: /var/log/cron.3
  Size     : 13702                            , 13640
  Inode    : 676433                           , 676416

File: /var/log/spooler.2
  Inode    : 676406                           , 676405

File: /var/log/boot.log.1
  Inode    : 676417                           , 676412

File: /var/log/maillog.4
  Size     : 5563                             , 5579
  Inode    : 676423                           , 676430

File: /var/log/messages.4
  Size     : 44647                            , 51552
  Inode    : 676389                           , 676390

File: /var/log/spooler.1
  Inode    : 676405                           , 676396

File: /var/log/cron.4
  Size     : 13842                            , 13702
  Inode    : 676426                           , 676433

File: /var/log/rpmpkgs.1
  Size     : 21544                            , 18596
  Inode    : 676386                           , 676357
  SELinux  : system_u:object_r:rpm_log_t:s0   , user_u:object_r:var_log_t:s0

File: /var/log/boot.log.2
  Inode    : 676411                           , 676417

File: /var/log/secure
  Size     : 8848                             , 0
  Inode    : 676392                           , 676364

File: /var/log/rpmpkgs.4
  Inode    : 676391                           , 676300

File: /var/log/secure.2
  Size     : 283                              , 1616
  Inode    : 676402                           , 676397

File: /var/log/messages.2
  Size     : 54130                            , 88054
  Inode    : 676401                           , 676395

Directory: /usr/local/stat/report
  Mtime    : 2009-09-30 15:00:01              , 2009-10-05 04:00:01
  Ctime    : 2009-09-30 15:00:01              , 2009-10-05 04:00:01

Directory: /usr/bin
  Mtime    : 2009-09-29 03:52:41              , 2009-10-05 04:02:32
  Ctime    : 2009-09-29 03:52:41              , 2009-10-05 04:02:32

File: /usr/bin/install
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 620123                           , 616713
  MD5      : YL/AF2/J0GeXfRAmT+XHlQ==         , Sen/4Il5c6d1deP7grHK1Q==
  RMD160   : 3wAtYVy6O3X4GXugS7GfQ+MA3cY=     , FlZYgw+qZ/hTV2mFhiwU2/1hAb4=
  SHA256   : 4aHN1yX5Z+Fj0QHmN2s5FwaAbIWJ2JWS , 5yvu3D3HKZsVqkh65Dmn5n+nvgJGlcH2

File: /usr/bin/vdir
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 618056                           , 618129
  MD5      : mASQMEdhoU25nvLaxjxdMw==         , rK/Bam43f0uYhOiINBoPFA==
  RMD160   : bFxHuVkHS0zaKC+MXj4AoppIFOY=     , Gvdc2JPZg3KfEUqTV30X9D61BrU=
  SHA256   : 4TZx6UKzwtTBGf+P+h3dYIwDtS+LMr3z , kiB/LfHGB7ElYUJ/3eqO7cstdfTVYaAN

File: /usr/bin/setfacl
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 621762                           , 617949
  MD5      : U7E2zPv9oBFKpXKpo+Fe5Q==         , E7fw4mkhYizTGGW7kd0CRQ==
  RMD160   : ts7s3dFBV9d9d2gnjlbbK6IMURI=     , DtAGT0IYAod0+CQj+rEZcopPzRg=
  SHA256   : StgDpZBCJi7Sg+ys4tszmypnF/ySPT53 , FcYtKRyIAcFXHeX2xB8cbyoShmFTPULd

File: /usr/bin/dir
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 621581                           , 617821
  MD5      : y5WdsMPXMlnuRCC3pR0gTw==         , JqS8iQmyegGObdbKS/qtlw==
  RMD160   : Ul8Yx62667X8Rv7deq3yvG7BD1c=     , zM1JtK+CwJKO3uPTCsfn2mqOscU=
  SHA256   : rzGy0kHI/R6E5S3B5pwAE1sOcNRlN1Cs , 8Qrk1PWBDjdr5EDsvpfvDJvUCdgiO9pC

File: /usr/bin/getfacl
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 618744                           , 617939
  MD5      : uR0zhKd13yiPmSf4g4jY2Q==         , xCyLlvHK9fy76/03Suw8Nw==
  RMD160   : +fJ0o6sxe3L8LQIBBbylUX/TPXM=     , eMHqihLnN9DV3hJEazEVis2IGy4=
  SHA256   : CVLLgSjjKXIwj7MeS8V8oDXPDj1JtWD0 , wvv+XA3GKUmBB71G/MZkGTAvDxmrVLFE

File: /usr/bin/vim
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 618283                           , 617873
  MD5      : vHHtcAtg7ur/7wmC9YiSgg==         , lnjT1vj328xTWr1O665cQA==
  RMD160   : /OzVl0Ei/iZ1WUDHMo5WTMeQanA=     , BDv5DrVYkmLhI8Kq5wqef8M/Hzg=
  SHA256   : mXTems4duCaA+oW+B80c+UoE+lkGo6s/ , FVGXvJcDY15vKq1namv4r9zfVsbLsA5m

File: /usr/bin/rsync
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 616713                           , 618075
  MD5      : n1WnMvyMf3/qXgSIMHicLg==         , H3p6CVKIVqUz26z97I0CMg==
  RMD160   : eac5RgnJq2QYQTfdUDrSGFqAbp0=     , 7FzdgJ+cNweWN18ADSeUhdfH26U=
  SHA256   : 73YFSm6A78xdEjXldkXx2opCfUtmQ/cJ , pQJGNS/9MOcqNXa1M7PR28AFbcrHijjZ

File: /usr/bin/chacl
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 617873                           , 617911
  MD5      : AUVN4NxZyoFctKWxRCRyXw==         , 0K4eJhx0Pw0xhAV+PJEJbg==
  RMD160   : 9gSLqXtXEEG/+XoFqoTAMGNoWfc=     , vwp6CHuFyIYDonLZRiumRleH4v0=
  SHA256   : fa1A4Uh76PfMbWZN5If3pbs/TpJDdKOC , O2JK5BXMLAqnwN7Rh4pOI6tUtf9sYYXK

File: /root/.bash_history
  Size     : 17853                            , 19171
  Mtime    : 2009-09-30 14:54:06              , 2009-09-30 15:32:10
  Ctime    : 2009-09-30 14:54:06              , 2009-09-30 15:32:10
  MD5      : YS7kJ0byeTy6u0rL48cV6w==         , vHXbRiuX/NhnD+YEpwRMeg==
  RMD160   : 7s87Qk1C0W91qNt47KGn56Lw0tQ=     , Q7ni7wFJbq8xwVJm5QeuyOOPqrM=
  SHA256   : WysNXDBgXtwv1sux23acOxFX7UPYRV1v , lMc+VMh35cl0lR12c8bJhzhCKaC3ccc+

Directory: /bin
  Mtime    : 2009-09-28 12:34:12              , 2009-10-05 04:02:32
  Ctime    : 2009-09-28 12:34:12              , 2009-10-05 04:02:32

File: /bin/vi
  Ctime    : 2009-09-28 12:16:25              , 2009-10-05 04:02:32
  Inode    : 832115                           , 832007
  MD5      : u6gAhZ1zn1gPiR41E4gl4w==         , ShmkVxokYi/pK0naGH6EEg==
  RMD160   : HfP4xJp3fwgNvQpyeethSUc4iwo=     , 1fxFWlvfJHDsTbN11mePh2aGziw=
  SHA256   : s7lZl76pSHATOy6kH0hbSn46bP254s29 , d74p+8IgyFwO/whyLY1dKUk1J6f1+Fgb

File: /bin/cp
  Ctime    : 2009-09-28 12:16:25              , 2009-10-05 04:02:32
  Inode    : 832039                           , 832067
  MD5      : jZo/HcxJOfXCZ6Hjf+hfZw==         , k5w0X1pGxNMH1WWsgU/LvQ==
  RMD160   : 93WwphG2X62kqThEZIgk1K76sqo=     , XAz5AzSmdQuz2u77lXz3iLD8j7M=
  SHA256   : KXa3y/0ZWDSGguOyGTGlLekhM3mlmtJn , UKj6cWI9h8mX/pYIQEWC5fGmB8ELygSC

File: /bin/ls
  Ctime    : 2009-09-28 12:16:25              , 2009-10-05 04:02:32
  Inode    : 832067                           , 832073
  MD5      : h3anZidA+a97Tlhezn926w==         , a4YhiH4Px32I1ZjPKgMtJA==
  RMD160   : MYA+iG9KTXzz+Ncz2xDRB3nYT8I=     , U/wHoMilHgBOSyuM6yJsVFSG2V8=
  SHA256   : O8eQUIx1NFXHuYtUvjt70LGDp2mDNFL3 , OcefTXG5NIdq6pTNfR3iXzfu3RuYQO8G

File: /bin/tar
  Ctime    : 2009-09-28 12:16:25              , 2009-10-05 04:02:32
  Inode    : 832057                           , 832039
  MD5      : SaSLp0AL6R71HWLuuRetzQ==         , SILP02Q04oT30pjewi+7Yg==
  RMD160   : 0D1WW1EgvkR3y1R2BTpZo/wNpPk=     , f4yrQCsP6uTR+lhwt6Rc5HLMh7U=
  SHA256   : 2If4mRHl+AgqdroC0mZcVfZgQzshw5w4 , a3LPNlH7Dlbq2+xj2SqnU4RNEsJizFJa

File: /bin/mv
  Ctime    : 2009-09-28 12:16:25              , 2009-10-05 04:02:32
  Inode    : 832073                           , 832003
  MD5      : S5oSSL68Mir50NwDID9s/w==         , aTxW8Jgt1NqoaDoJloWAEw==
  RMD160   : gUyYLUSZECt6NdmTE2M2CdkYGOI=     , 7qjMveDDE45CEwFO49tjm3dOBdE=
  SHA256   : pNhjcQ80tVDvhMDpw+cY1+LjqhPzM/Hn , lq4l1e+6r8YSIzIvcxe3CJwlRTORKpDS

OK. I understand the /var/log dirs. I understand /usr/local/stat too: that is where I have my bash scripts, and I edited the config file. But I don't understand the next ones:
changed: /usr/bin/install
changed: /usr/bin/vdir
changed: /usr/bin/setfacl
changed: /usr/bin/dir
changed: /usr/bin/getfacl
changed: /usr/bin/vim
changed: /usr/bin/rsync
changed: /usr/bin/chacl
changed: /bin/vi
changed: /bin/cp
changed: /bin/ls
changed: /bin/tar
changed: /bin/mv

Was I hacked? Is this a rootkit? The MD5 hashes and inodes really changed on these files!
OS: RHEL 5.3 x86_64.


Code:
$ uname -r
2.6.18-128.el5
$ getenforce 
Enforcing



---------- Post updated at 03:07 AM ---------- Previous update was at 02:25 AM ----------

1) I checked my server with chkrootkit and all results are "not infected", "nothing detected", "not found".
2) Besides root, I'm the only user on this system, and /etc/passwd has no shells for the other users (daemons): /sbin/nologin.
3) No suspicious processes (ps -axufw) or network connections (netstat -ntaupe).

OK. I'm really a noob in security questions and I need your help. Maybe I'm paranoid, but I think this is a hack.

My files changed at 4 AM (when all admins are asleep).
The last command and the security logs show nothing at this time.
Why did /etc/aliases.db change and not /etc/aliases?
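Added example (not from the thread): a small Python triage of the "Detailed information about changes" section that AIDE prints, using three entries copied from the report above as constructed sample input. It separates entries whose hashes changed from pure metadata churn, and singles out the pattern seen on the /bin and /usr/bin binaries (hash and inode changed, mtime untouched), which is how RHEL's daily prelink job rewrites executables (the /etc/prelink.cache change in the same run fits) but is also how a careful intruder would; `rpm -Vf` on the flagged paths is the next check, since rpm undoes prelink before comparing.

```python
import re

# Hash attributes AIDE can report; any of them changing means the bytes differ.
HASH_ATTRS = {"MD5", "SHA1", "RMD160", "TIGER", "SHA256", "SHA512", "CRC32", "HAVAL"}

# Constructed sample: three entries copied from the report quoted in the thread.
SAMPLE_REPORT = """\
File: /var/log/messages
  Size     : 98152                            , 0
  Inode    : 676387                           , 676363
File: /usr/bin/install
  Ctime    : 2009-09-28 12:16:26              , 2009-10-05 04:02:32
  Inode    : 620123                           , 616713
  MD5      : YL/AF2/J0GeXfRAmT+XHlQ==         , Sen/4Il5c6d1deP7grHK1Q==
File: /root/.bash_history
  Mtime    : 2009-09-30 14:54:06              , 2009-09-30 15:32:10
  MD5      : YS7kJ0byeTy6u0rL48cV6w==         , vHXbRiuX/NhnD+YEpwRMeg==
"""

ENTRY_RE = re.compile(r"^(File|Directory): (.+)$")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(\S.*?)\s*,\s*(\S.*?)\s*$")  # "Attr : old , new"

def parse_details(report):
    """Map each changed path to {attribute: (old_value, new_value)}."""
    entries, current = {}, None
    for line in report.splitlines():
        entry, attr = ENTRY_RE.match(line), ATTR_RE.match(line)
        if entry:
            current = entry.group(2)
            entries[current] = {}
        elif attr and current is not None:
            entries[current][attr.group(1)] = (attr.group(2), attr.group(3))
    return entries

def classify(attrs):
    if not HASH_ATTRS.intersection(attrs):
        return "metadata-only"            # inode/size/time churn: the logrotate pattern
    if "Mtime" in attrs:
        return "content, mtime updated"   # an ordinary write, e.g. the shell history
    # Bytes differ but mtime was kept: rewritten by a tool that restores timestamps.
    # RHEL's daily prelink job does this to executables (and /etc/prelink.cache changing
    # in the same run fits), but so would a careful intruder: verify against a trusted source.
    return "content, mtime preserved"

def triage(report):
    buckets = {path: classify(attrs) for path, attrs in parse_details(report).items()}
    # rpm -Vf undoes prelink before comparing, so it tells prelink from tampering
    # as long as the rpm database is trusted; otherwise compare with official media.
    checks = [f"rpm -Vf {p}" for p, b in buckets.items() if b.startswith("content")]
    return buckets, checks
```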
#2, 10-05-2009
pludi (Forum Staff, Moderator)
Did you check your crontab(s) for any automatic update jobs? If there are none, you have a few options:
  • Restore those files from the official repository and monitor the system for some time (easy route)
  • If available, connect the system to a switch that can mirror traffic to a monitoring port, connect a second PC to that port and monitor the traffic with tcpdump / wireshark
  • Shut down the system, start with a Live-CD, mount all filesystems read-only and create an image on an NFS/CIFS share using dd. Create at least one copy of that image and keep it in a safe place should you need to hand it over to the authorities. If you want you can use another copy of it to start in a virtual machine and have it checked by a few virus scanners.
  • For a quick check, copy the files to a safe machine and upload them here. This site will run a few different scanners on the files to check for virii.

But most important: Don't Panic. As soon as you're sure that the system is safe, disable all unsafe daemons (telnet, ...), and secure any required services (e.g. moving SSH to a different port, requiring public key authentication, setting up iptables, ...).
#3, 10-05-2009
jess_t03 (Registered User)
Thank you, pludi!
I will try to restore the original files from the official DVD.
I configure my servers with these guides:
http://www.nsa.gov/ia/_files/os/redh...guide-i731.pdf
http://www.nsa.gov/ia/_files/factshe...phlet-i731.pdf
The UNIX and Linux Forums Content Copyright ©1993-2009. All Rights Reserved.