[Aide] RE: Weird AIDE problem

Virolainen Pablo pablo at cs.tut.fi
Wed Apr 6 13:19:46 EEST 2005


On Tue, 5 Apr 2005, John Farmer wrote:

> >Is this a server reachable from the web? There was a security hole in openssl
> >not so long ago.
>
> Server is not reachable from the web.  Its purpose is just to backup
> servers.  The only service that runs on that machine is sshd.
>
>
> >If you have a backup before the problem started try doing a strings -a on
> >some of the binaries and do a diff vs the one there now on the strings
> >output but do it on different system. You are looking for added function
> >calls or some call not present in other reference binaries.
> >
> >Transfer it the suspect binaries using a non-standard system tool(in case
> >you were rooted) ie nc and do it on a trusted system.
> >
> >Honestly this doesn't sound like aide. If you were not compromised, I'd
> >guess some probs with the hard drive on its way out and lastly ext3 under
> >severe I/O having issues (doubtful and testable on another system)
>
>
> I don't think it is a failing hard drive because we have a 3ware raid card
> that will send me a message if it even hiccups.  The reason I thought it
> might be ext3 under heavy I/O is because the files change every night after
> the server runs the backups.  And the fact that the files change 4 times in
> a cycle (meaning it changes back to its original form) kind of leads me to
> believe it may have something to do with the journaling.  I ran the diff
> and cmp commands to show the difference; see the output below.  Someone has
> mentioned that it might be caused by a prelink command but I do not have a
> prelink command on this box.  I really appreciate anyone's and everyone's help
> on this problem so far.

You probably should check if any of these 4 mutant files are the originals
shipped in your distro.

If you suspect it is the backup-program, one might want to
"strace -f -F -e trace=file -o <filename> <backup-software>". Then just
grep openssl <filename>.

Can you mount the filesystem which contains changed files as read-only?

Duke NEMO / C.O.M.A
alias pablo the pallo virolainen
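The strings comparison John describes above, as an added example that is not part of this thread: on a trusted system, extract printable runs from a known-good copy and from the suspect copy and list what the suspect gained or lost. The sample bytes and the function names are constructed for illustration.

```python
import hashlib
import re


def extract_strings(data: bytes, min_len: int = 4) -> set[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings -a`
    (which scans the whole file, not only the data sections)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(data)}


def compare_binaries(reference: bytes, suspect: bytes) -> dict:
    """Report what the suspect copy gained or lost relative to the reference.
    Added strings that look like paths, library names or function names are
    what to read first; an empty string diff with differing hashes points at
    changes in non-string bytes (relocations, prelinking, or corruption)."""
    ref_strings = extract_strings(reference)
    sus_strings = extract_strings(suspect)
    return {
        "same_sha256": hashlib.sha256(reference).digest()
        == hashlib.sha256(suspect).digest(),
        "added": sorted(sus_strings - ref_strings),
        "removed": sorted(ref_strings - sus_strings),
    }


def compare_files(reference_path: str, suspect_path: str) -> dict:
    """Same comparison for two files copied onto the trusted system."""
    with open(reference_path, "rb") as ref, open(suspect_path, "rb") as sus:
        return compare_binaries(ref.read(), sus.read())


# Constructed sample "binaries": an ELF-like header, NUL separators and a few
# symbol-like strings. The suspect copy carries one extra path string.
REFERENCE_BIN = b"\x7fELF\x00\x00libc.so.6\x00SSL_CTX_new\x00main\x00"
SUSPECT_BIN = REFERENCE_BIN + b"/tmp/.hidden/log\x00"


if __name__ == "__main__":
    report = compare_binaries(REFERENCE_BIN, SUSPECT_BIN)
    print("identical hash:", report["same_sha256"])
    for label in ("added", "removed"):
        for s in report[label]:
            print(f"{label}: {s}")
```

Run `compare_files()` against a pre-incident backup copy and the current binary; a suspect that cycles back to its original form should show an empty diff and a matching hash on the nights it has reverted.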


