[Aide] Weird AIDE problem
Markus Schreier
ms at ordix.de
Fri Apr 1 18:36:12 EEST 2005
Hello John, hello all,
I'm new to the list. I'm interested in and new to aide. The problem
you describe does not seem to be an aide-problem. So I might as well
write my ideas.
I have three ideas why the files may change:
1) Hardware or System defect
2) Malicious code in the kernel or kernel module
3) Malicious code in some program
Trying to get these ideas proved or proved to be wrong:
1) What kind of hardware is that on? Could the hard disk or controller go
wrong?
Is something written in the logs?
Did you run fsck?
Is there a hw-diagnosis tool?
2) Did the kernel or kernel-files change?
Are there modules loaded which you don't know about?
3) Do you know which processes run during the file changes? Are you able
to trace them with truss or strace?
Drawback:
If you really have malicious code on your system, any action or testing
could make things worse.
If you suspect nasty things, then power down, try running the system
from cd for finding things out.
Try rebooting, perhaps the nasty module will not load automatically.
Hope I could help
Greetings from Wiesbaden, Germany
Markus
--
-------------------------------------------------------------------------
Dipl.-Inform. (FH) ORDIX AG \\|||//
Markus Schreier Kreuzberger Ring 13 mailto:ms at ordix.de o ô
Consultant D-65205 Wiesbaden Tel:0611/77840-00 ^
Systeme & Netze http://www.ordix.de Mob:0163/ORDIX-24 `---'
-------------------------------------------------------------------------
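The question under point 2 about unknown loaded modules can be answered by comparing the module list against names recorded while the system was still trusted. The script below is an added example, not part of the original message; the sample module lines, the baseline and the function name `unknown_modules` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/modules format:
# name size refcount dependencies state address
sample_modules() {
cat <<'EOF'
ext3 116808 2 - Live 0xe0a3c000
jbd 71256 1 ext3, Live 0xe0a12000
e1000 84868 0 - Live 0xe09f1000
unknown_mod 4096 0 - Live 0xe0b00000
EOF
}

# Constructed baseline: module names saved while the system was trusted.
sample_baseline() {
    printf '%s\n' e1000 ext3 jbd
}

# unknown_modules BASELINE_FILE [MODULES_FILE]
# Prints every module name found in MODULES_FILE (default /proc/modules)
# that is not listed in BASELINE_FILE (one name per line).
unknown_modules() {
    baseline=$1
    modules=${2:-/proc/modules}
    tmp_b=$(mktemp) && tmp_m=$(mktemp) || return 1
    # comm needs both inputs sorted in the same collation order
    LC_ALL=C sort -u "$baseline" > "$tmp_b"
    awk '{print $1}' "$modules" | LC_ALL=C sort -u > "$tmp_m"
    # -13 keeps only lines unique to the second file (the current list)
    LC_ALL=C comm -13 "$tmp_b" "$tmp_m"
    rm -f "$tmp_b" "$tmp_m"
}

# Demonstration on the constructed data; prints "unknown_mod"
demo_dir=$(mktemp -d)
sample_baseline > "$demo_dir/baseline"
sample_modules > "$demo_dir/modules"
unknown_modules "$demo_dir/baseline" "$demo_dir/modules"
rm -rf "$demo_dir"
```

A module list read from a running kernel is only as trustworthy as that kernel, so an empty result here does not rule out idea 2; the message's suggestion to inspect the system from a CD boot still applies.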