[Aide] Weird AIDE problem

Lue-Fook-Sang, Andre andre.lue-fook-sang at thomson.com
Mon Apr 4 18:33:57 EEST 2005



-----Original Message-----
From: Lue-Fook-Sang, Andre 
Sent: Friday, April 01, 2005 9:25 PM
To: 'aide at cs.tut.fi'
Subject: Re: [Aide] Weird AIDE problem


Is this a server reachable from the web? There was a security hole in openssl
not so long ago.

If you have a backup from before the problem started, try doing a strings -a on
some of the binaries and do a diff of the strings output against the one there
now, but do it on a different system. You are looking for added function
calls or some call not present in other reference binaries.

Transfer the suspect binaries using a non-standard system tool (in case
you were rooted), i.e. nc, and do it on a trusted system.

Honestly, this doesn't sound like aide. If you were not compromised, I'd
guess some problems with the hard drive on its way out and, lastly, ext3 under
severe I/O having issues (doubtful and testable on another system).

Hope this helps
Andre
Andre' Lue-Fook-Sang
Thomson One Security Engineer
Technical Operations - Production Support
Thomson Financial
Tel: 212-510-3943
Fax: 212-510-4498
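The comparison procedure Andre describes above (strings -a on the backup and on the suspect binary, a diff of the two listings, and cmp to locate the differing bytes), reimplemented in Python as an added example. This is not code from the AIDE project or from anyone in the thread; it exists so the same checks can be run on a trusted analysis host without relying on that host's binutils. REFERENCE, FLIPPED and TROJANED are constructed stand-ins, not real ELF files; the only data taken from the thread is the cmp -b line John posted, in which octal 376 and 377 are 0xFE and 0xFF, a single-bit difference.

```python
"""Triage a binary that an integrity checker flagged, against a trusted copy.

Added example (not AIDE code, not from anyone in the thread): Python stand-ins
for `cmp -b`/`cmp -l`, `strings -a | diff`, and AIDE's base64 rendering of an
MD5, so the checks run on any analysis host.  REFERENCE, FLIPPED and TROJANED
are constructed sample data, not real ELF files; CMP_LINE is the cmp -b
output quoted in the thread.
"""
import base64
import hashlib
import re

# cmp -b output as posted in the thread, joined onto one line.
CMP_LINE = ("/usr/local/ssl/bin/openssl /usr/local/ssl/bin/opensslbackup "
            "differ: byte 766582, line 1303 is 376 M-~ 377 M-^?")
_CMP_RE = re.compile(r"differ: byte (\d+), line \d+ is ([0-7]+) \S+ ([0-7]+) \S+")


def aide_md5(data: bytes) -> str:
    """MD5 as AIDE prints it: base64 of the 16 raw digest bytes (24 chars)."""
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def parse_cmp_b(line: str):
    """Decode a `cmp -b` report into (1-based offset, byte in file1, byte in file2).

    cmp prints both bytes in octal, so 376 and 377 are 0xFE and 0xFF.
    """
    m = _CMP_RE.search(line)
    if m is None:
        raise ValueError("not a cmp -b 'differ:' line")
    return int(m.group(1)), int(m.group(2), 8), int(m.group(3), 8)


def byte_diffs(a: bytes, b: bytes, limit: int = 64):
    """Differing bytes as (1-based offset, byte_a, byte_b), like `cmp -l`.

    Stops after `limit` entries; a length mismatch is reported as one entry
    with None on the shorter side.
    """
    out = []
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            out.append((i, x, y))
            if len(out) >= limit:
                return out
    if len(a) != len(b):
        n = min(len(a), len(b))
        out.append((n + 1, a[n] if len(a) > n else None, b[n] if len(b) > n else None))
    return out


def describe_diff(offset: int, x: int, y: int) -> str:
    """One differing byte in hex and octal, plus which bits changed."""
    return (f"byte {offset}: 0x{x:02x} vs 0x{y:02x} "
            f"(octal {x:o} {y:o}, differing bits 0x{x ^ y:02x})")


def strings_like(data: bytes, min_len: int = 4):
    """Printable-ASCII runs of at least min_len bytes, as `strings -a` lists them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def strings_diff(reference: bytes, suspect: bytes):
    """(added, removed): strings only in the suspect, and strings it lost."""
    ref, sus = set(strings_like(reference)), set(strings_like(suspect))
    return sorted(sus - ref), sorted(ref - sus)


# Constructed sample data (not real binaries).
REFERENCE = (b"\x7fELF" + b"\x00" * 12
             + b"SSL_CTX_new\x00EVP_DigestInit\x00"
             + bytes(range(256)) * 2
             + b"OpenSSL 0.9.7\x00")
FLIP_OFFSET = REFERENCE.index(b"\xfe")          # 0-based position of the first 0xFE
FLIPPED = REFERENCE[:FLIP_OFFSET] + b"\xff" + REFERENCE[FLIP_OFFSET + 1:]  # 0xFE -> 0xFF
TROJANED = REFERENCE + b"connect\x00/tmp/.x\x00"  # extra symbol name and path


def triage(reference: bytes, suspect: bytes) -> dict:
    """Everything a first look at a flagged binary needs, in one structure."""
    return {
        "aide_md5": (aide_md5(reference), aide_md5(suspect)),
        "bytes": [describe_diff(*d) if None not in d else f"length differs from byte {d[0]}"
                  for d in byte_diffs(reference, suspect)],
        "strings": strings_diff(reference, suspect),
    }


if __name__ == "__main__":
    print("thread's cmp -b line decodes to:", describe_diff(*parse_cmp_b(CMP_LINE)))
    for name, suspect in (("flipped", FLIPPED), ("trojaned", TROJANED)):
        print(name, triage(REFERENCE, suspect))
```

byte_diffs stops after `limit` entries so a wholesale replacement does not flood the output. A trojaned binary normally shows up in strings_diff (new symbol names, paths, hostnames) long before a byte listing is readable, while a one-bit change like the one in the thread shows up only in byte_diffs. AIDE prints digests as base64, so aide_md5 is the value to compare against the report rather than md5sum's hex.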


-----Original Message-----
From: aide-bounces at cs.tut.fi <aide-bounces at cs.tut.fi>
To: aide at cs.tut.fi <aide at cs.tut.fi>
Sent: Fri Apr 01 09:57:56 2005
Subject: Re: [Aide] Weird AIDE problem


Here is the output for cmp -b.

Thanks for your help again.

/usr/local/ssl/bin/openssl /usr/local/ssl/bin/opensslbackup differ: byte 766582, line 1303 is 376 M-~ 377 M-^?



At 03:00 AM 4/1/2005, you wrote:
>Send Aide mailing list submissions to
>         aide at cs.tut.fi
>
>To subscribe or unsubscribe via the World Wide Web, visit
>         https://mailman.cs.tut.fi/mailman/listinfo/aide
>or, via email, send a message with subject or body 'help' to
>         aide-request at cs.tut.fi
>
>You can reach the person managing the list at
>         aide-owner at cs.tut.fi
>
>When replying, please edit your Subject line so it is more specific 
>than "Re: Contents of Aide digest..."
>
>
>Today's Topics:
>
>    1. Re: Weird AIDE problem (John Farmer)
>    2. Re: Weird AIDE problem (Richard van den Berg)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Thu, 31 Mar 2005 09:41:00 -0600
>From: John Farmer <jfarmer at iirenergy.com>
>Subject: Re: [Aide] Weird AIDE problem
>To: aide at cs.tut.fi
>Message-ID:
>         <6.2.1.2.0.20050331093307.04d2b080 at mail.industrialinfo.com>
>Content-Type: text/plain; charset="iso-8859-1"; format=flowed
>
>The file does change. I made a backup, but it's so small I guess it doesn't 
>really make a difference.  Here is a diff -a of a file before and after 
>the heavy I/O.
>
>*** opensslbackup       Tue Aug 24 09:15:32 2004
>--- openssl     Tue Aug 24 09:15:32 2004
>*************** X[^Ͷ*** 458,464 ****
>    ‰äžèïêÿÿ돃ìPèôvƒìSèôòÿÿƒÄëЃìPè&    èÒåÿÿƒÄ 빍¶!     1Û9óŒÓ
1Û9óŒÔ---
>458,464 ----
>    ‰äžèïêÿÿ돃ìPèôvƒìSèôòÿÿƒÄëЃìPè&    èÒåÿÿƒÄ
>빍¶!     1Û9óŒÓ  1Û9óŒÔ*************** W‹rU‹zSƒìl‹‹h‰$‰l$‹X‹h‰\$‰l$‹X
>*** 1300,1306 ****
>    ‹œø1Ò÷4™ƒúv4Cûÿ  PVèoÁùÿƒÄƒøvCûÿ  P‹D$,PèÛ¿ùÿƒÄ…Àt4ƒì‹ ! 
>P‹D$Pè¿¿ùÿƒÄ…ÀtCûÿ$H‰D$D‰D$@ƒÄ,[^_]é*Áùÿv  ¿‹D$Õ‹WƒÓÑ0RUUè[­ÿÿƒÄ…À„
>ÿÿÿƒìjW蕬ùÿƒÄ…Àu´é     ÿÿÿƒìhÁ´&…Àº$(90tTƒìhˆ  ÇÐU
>èI}ûÿƒÄëАƒì¡0V…ÀuƒÄÃìhàUjÇ0V--- 1300,1306 ----
>    ‹œø1Ò÷4™ƒúv4Cûÿ  PVèoÁùÿƒÄƒøvCûÿ  P‹D$,PèÛ¿ùÿƒÄ…Àt4ƒì‹ ! 
>P‹D$Pè¿¿ùÿƒÄ…ÀtCûÿ$H‰D$D‰D$@ƒÄ,[^_]é*Áùÿv  ¿‹D$Õ‹WƒÓÑ0RUUè[­ÿÿƒÄ…À„
>ÿÿÿƒìjW蕬ùÿƒÄ…Àu´é     ÿÿÿƒìhÁ´&…Àº$(90tTƒìhˆ  ÇÐU
>èI}ûÿƒÄëАƒì¡0V…ÀuƒÄÃìhàUjÇ0V
>
>
>The file still works if you run it, so I don't really know what is going 
>on.  This isn't the only file that is changing.  A bunch of other 
>binaries are also changing in the same way that the openssl binary is 
>changing.
>
>ssh,ssh-keyscan,h2xs,libnetcfg,sshd,pine,autoexpect,makemap,debugfs
>
>
>Has anyone else seen anything like this?  I'm completely stumped.
>
>
>
>At 12:39 AM 3/31/2005, you wrote:
> >On Wed, 23 Mar 2005, John Farmer wrote:
> >
> > > I'm noticing some strange behavior on our server and I wondered if 
> > > anyone had seen anything like this before. Here is how it started. 
> > > On this day:
> > >
> > > Start timestamp: 2005-03-15 15:00:01
> > >
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : WJvJGt/2UCv5nHph2RqTpQ== , 0HH05buevntg0SmoSlavvA==
> > >
> > >
> > > So I updated the aide database and then the next day.
> > >
> > > Start timestamp: 2005-03-16 02:00:02
> > >
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : 0HH05buevntg0SmoSlavvA== , WPOUrghNI3gE9TDt4DNqXA==
> > >
> > > So again I updated the aide database:
> > > Start timestamp: 2005-03-17 02:00:03
> > >
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : WPOUrghNI3gE9TDt4DNqXA== , WJvJGt/2UCv5nHph2RqTpQ==
> > >
> > >
> > > So I reloaded it one more time.
> > > Start timestamp: 2005-03-17 19:00:01
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : WJvJGt/2UCv5nHph2RqTpQ== , 0HH05buevntg0SmoSlavvA==
> > >
> > >
> > >
> > > Around 2am and 2pm is when this server is under very heavy I/O from
> > > doing backups.  The partition with the "changing" files is an EXT3
> > > partition. Anyone have any ideas on why this is happening?
> >
> >If the file doesn't change in reality, there must be a bug somewhere. 
> >Might want to try configure switch "--without-mmap".
> >
> >Duke NEMO / C.O.M.A
> >alias pablo the pallo virolainen
>
>
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Thu, 31 Mar 2005 18:12:58 +0200
>From: Richard van den Berg <richard at vdberg.org>
>Subject: Re: [Aide] Weird AIDE problem
>To: Aide user mailinglist <aide at cs.tut.fi>
>Message-ID: <424C218A.5010105 at vdberg.org>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>John Farmer wrote:
> > The file does change. I made a backup, but it's so small I guess it 
> > doesn't really make a difference.  Here is a diff -a of a file before 
> > and after the heavy I/O.
>
>Try cmp -b for seeing the changes in binary files. It looks like you 
>have a serious problem on your system. Aide is right to report a 
>difference if you can even spot it with diff.
>
>Sincerely,
>
>Richard van den Berg
>
>
>------------------------------
>
>_______________________________________________
>Aide mailing list
>Aide at cs.tut.fi
>https://mailman.cs.tut.fi/mailman/listinfo/aide
>
>
>End of Aide Digest, Vol 9, Issue 1
>**********************************




John Farmer
Systems Manager
www.industrialinfo.com
P.  (713) 980 3459
F.  (713) 735 8080


The information contained in this e-mail message is legally privileged and 
may include proprietary and confidential information.  This message is 
intended for the recipient(s) only.  If an error has misdirected this 
email, please notify the author by replying to this email and then delete 
it from your system immediately. If you are not the intended recipient then 
disclosure, distribution, copying or printing of this email is strictly 
prohibited. Information or opinions in this message that do not relate to 
the business of Industrial Information Resources shall be treated as 
neither given nor endorsed by it. No liability will be accepted by 
Industrial Information Resources for any defamatory statement or 
infringement of copyright which is contrary to our employment policies and 
outside the scope of the employment of the author. Neither Industrial 
Information Resources nor the author accepts any responsibility for viruses 
or other destructive elements and it is the recipients' responsibility to 
scan any attachments. Please note we intercept and monitor incoming/outgoing 
e-mail and therefore you should neither expect nor intend any e-mail to be 
private in nature.  
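Duke's suggestion in the quoted digest (rebuild AIDE with --without-mmap) amounts to a hypothesis that the hashing path, not the file, is at fault. The following script is an added example, not AIDE code and not from anyone in the thread: it separates the two cases by hashing a file through read() and through an mmap on each pass, several passes in a row, with a constructed mutator standing in for the backup I/O. The temporary file, its contents and the flip_low_bit helper are all constructed here; the 0xFE/0xFF toggle mirrors the single-byte difference John's cmp output shows. If read() and mmap ever disagree on the same pass, the reader is at fault; if they agree on every pass but the digest still moves between passes, the bytes on disk really changed, which is what cmp confirmed in the thread.

```python
"""Is the file changing on disk, or is the hashing path misreading it?

Added example, not AIDE code: hash a file through read() and through mmap on
every pass, several passes in a row, and classify the outcome.  The file and
the "heavy I/O" mutator are constructed here.
"""
import hashlib
import mmap
import os
import tempfile


def digest_read(path: str, chunk: int = 1 << 16) -> str:
    """MD5 via ordinary read() calls (what --without-mmap would make AIDE do)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def digest_mmap(path: str) -> str:
    """MD5 over a read-only memory mapping of the whole file."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        size = os.fstat(f.fileno()).st_size
        if size:  # an empty file cannot be mapped
            with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
                h.update(mm)
    return h.hexdigest()


def check_stability(path: str, rounds: int = 5, between_rounds=None) -> dict:
    """Hash `path` `rounds` times through both paths and classify the result.

    between_rounds, if given, is called after each round to stand in for
    whatever else touches the disk (the backups in the thread).  Returns the
    digests seen per method, how many rounds the two methods disagreed on,
    and a verdict string.
    """
    seen_read, seen_mmap, disagreements = set(), set(), 0
    for r in range(rounds):
        d_read, d_mmap = digest_read(path), digest_mmap(path)
        seen_read.add(d_read)
        seen_mmap.add(d_mmap)
        if d_read != d_mmap:
            disagreements += 1
        if between_rounds is not None and r < rounds - 1:
            between_rounds(path)
    if disagreements:
        verdict = "reader-bug: read() and mmap disagree on the same pass"
    elif len(seen_read) > 1:
        verdict = "content-changed: both paths agree, but the bytes on disk moved"
    else:
        verdict = "stable: same digest on every pass"
    return {"read": seen_read, "mmap": seen_mmap,
            "disagreements": disagreements, "verdict": verdict}


def flip_low_bit(path: str, offset: int = 0) -> None:
    """Constructed stand-in for the on-disk change in the thread: toggle 0xFE <-> 0xFF."""
    with open(path, "r+b") as f:
        f.seek(offset)
        b = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([b ^ 0x01]))


def demo(rounds: int = 4) -> tuple:
    """Run the check on a constructed file, first untouched, then mutated between rounds."""
    fd, path = tempfile.mkstemp(prefix="stability-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"\xfe" + bytes(range(256)) * 4)   # constructed content
        untouched = check_stability(path, rounds)
        mutated = check_stability(path, rounds, between_rounds=flip_low_bit)
        return untouched, mutated
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, result in zip(("untouched", "mutated between rounds"), demo()):
        print(f"{label}: {result['verdict']}")
```

Run the same check on the real server against /usr/local/ssl/bin/openssl during the 2am backup window; the "content-changed" verdict with zero disagreements is the one that rules out the checker and points at the disk or filesystem, while any disagreement between the two methods is the case --without-mmap would work around.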

_______________________________________________
Aide mailing list
Aide at cs.tut.fi
https://mailman.cs.tut.fi/mailman/listinfo/aide

