[Aide] AIDE and Wordpress? Constant wp-content changes? Is it normal?

Keith Constable kccricket at gmail.com
Fri May 1 16:56:32 EEST 2015 

On Friday, May 1, 2015, Alex Morin-Sénécal <alex at fortunelab.net> wrote:

> Hi,
>
> I'm using AIDE to check on old Wordpress installation that doesn't get new
> content added. There was a advertisement script added to the header of one
> of our sites at some point, so we wanted to use AIDE to know when something
> like this happens, because a lot of Wordpress sites are hit by 0 day
> exploits, so it's inevitable something like this will happen again at some
> point, and we want to know when it will happen and act on it.
>
> Anyways, I'm using the NORMAL rules for these sites, which might not be
> ideal? The log is a little strange. Well, perhaps not strange, but can
> someone explain this behavior?:
>
> Directory: /home/company/site.com/wp-content/themes
> <http://brownstoneplayhouse.com/wp-content/themes>
>  Mtime    : 2015-04-30 04:01:27              , 2015-04-30 15:55:43
>  Ctime    : 2015-04-30 04:01:27              , 2015-04-30 15:55:43
>
> Directory: /home/company/site.org/wp-content/plugins
> <http://fondationfabiennecolas.org/wp-content/plugins>
>  Mtime    : 2015-04-28 10:14:47              , 2015-04-30 17:27:15
>  Ctime    : 2015-04-28 10:14:47              , 2015-04-30 17:27:15
>
> I'm getting a lot of these for the various sites we host and it's always
> in wp-content, the themes or plugins folder. So practically, something
> changed, but what?
>
> I suppose this is normal behavior and it's probably a side effect of
> Wordpress checking for updates or just doing something for one reason or
> another?
>
> I'm just wondering if this is normal and if there's nothing to worry
> about. Better be safe than sorry.
>
> Thanks
>


Can you try to describe the problem more specifically? Is the problem that
the ctime and mtime of directories is changing, but there are no changes to
the content of the directory?

Bear in mind that Wordpress has automatic update features, so some
unexpected changes may occur.

Regards,

Keith Constable
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mailman.cs.tut.fi/pipermail/aide/attachments/20150501/673d9f8a/attachment.html>

More information about the Aide mailing list