[Aide] Weird AIDE problem
John Farmer
jfarmer at iirenergy.com
Fri Apr 1 17:57:56 EEST 2005
Here is the output for cmp -b.
Thanks for your help again.
/usr/local/ssl/bin/openssl /usr/local/ssl/bin/opensslbackup differ: byte 766582, line 1303 is 376 M-~ 377 M-^?
At 03:00 AM 4/1/2005, you wrote:
>Message: 1
>Date: Thu, 31 Mar 2005 09:41:00 -0600
>From: John Farmer <jfarmer at iirenergy.com>
>Subject: Re: [Aide] Weird AIDE problem
>To: aide at cs.tut.fi
>Message-ID:
> <6.2.1.2.0.20050331093307.04d2b080 at mail.industrialinfo.com>
>Content-Type: text/plain; charset="iso-8859-1"; format=flowed
>
>The file does change. I made a backup, but it's so small I guess it doesn't
>really make a difference. Here is a diff -a of a file before and after the
>heavy io.
>
>*** opensslbackup Tue Aug 24 09:15:32 2004
>--- openssl Tue Aug 24 09:15:32 2004
>
>
>The file still works if you run it, so I don't know really what is going
>on. This isn't the only file that is changing. A bunch of other binaries
>are also changing in the same way that the openssl binary is changing.
>
>ssh,ssh-keyscan,h2xs,libnetcfg,sshd,pine,autoexpect,makemap,debugfs
>
>
>Has anyone else seen anything like this? I'm completely stumped.
>
>
>
>At 12:39 AM 3/31/2005, you wrote:
> >On Wed, 23 Mar 2005, John Farmer wrote:
> >
> > > I'm noticing some strange behavior on our server and I wondered if anyone
> > > had seen anything like this before.
> > > Here is how it started. On this day:
> > >
> > > Start timestamp: 2005-03-15 15:00:01
> > >
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : WJvJGt/2UCv5nHph2RqTpQ== , 0HH05buevntg0SmoSlavvA==
> > >
> > >
> > > So I updated the aide database and then the next day.
> > >
> > > Start timestamp: 2005-03-16 02:00:02
> > >
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : 0HH05buevntg0SmoSlavvA== , WPOUrghNI3gE9TDt4DNqXA==
> > >
> > > So again I updated the aide database:
> > > Start timestamp: 2005-03-17 02:00:03
> > >
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : WPOUrghNI3gE9TDt4DNqXA== , WJvJGt/2UCv5nHph2RqTpQ==
> > >
> > >
> > > So I reloaded it one more time.
> > > Start timestamp: 2005-03-17 19:00:01
> > > File: /usr/local/ssl/bin/openssl
> > > MD5 : WJvJGt/2UCv5nHph2RqTpQ== , 0HH05buevntg0SmoSlavvA==
> > >
> > >
> > >
> > > Around 2am and 2pm is when this server is under very heavy IO from
> > > doing backups. The partition with the "changing" files is an EXT3 partition.
> > > Anyone have any ideas on why this is happening?
> >
> >If the file doesn't change in reality, there must be a bug somewhere.
> >Might want to try configure switch "--without-mmap".
> >
> >Duke NEMO / C.O.M.A
> >alias pablo the pallo virolainen
>
>
>
>
>
>
>------------------------------
>
>Message: 2
>Date: Thu, 31 Mar 2005 18:12:58 +0200
>From: Richard van den Berg <richard at vdberg.org>
>Subject: Re: [Aide] Weird AIDE problem
>To: Aide user mailinglist <aide at cs.tut.fi>
>Message-ID: <424C218A.5010105 at vdberg.org>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>John Farmer wrote:
> > The file does change. I made a backup, but it's so small I guess it doesn't
> > really make a difference. Here is a diff -a of a file before and after
> > the heavy io.
>
>Try cmp -b for seeing the changes in binary files. It looks like you
>have a serious problem on your system. Aide is right to report a
>difference if you can even spot it with diff.
>
>Sincerely,
>
>Richard van den Berg
>
>
John Farmer
Systems Manager
www.industrialinfo.com
P. (713) 980 3459
F. (713) 735 8080
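
An added example, not part of the original thread: a bit-level version of the `cmp -b` check suggested above. Plain `cmp -b` stops at the first differing byte, so this lists every differing offset with the octal values as cmp prints them, the XOR mask, and how many bits changed. The function names and the sample files are constructed for illustration; the sample reuses only the byte values 376 and 377 from the cmp output in this message.

```python
# Added example: list every differing byte between a binary and its backup,
# with the XOR mask and the number of flipped bits for each difference.
import os
import tempfile


def byte_diffs(path_a, path_b):
    """Return (offset, byte_a, byte_b) per differing byte; offsets are 1-based like cmp."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        a, b = fa.read(), fb.read()
    if len(a) != len(b):
        raise ValueError("sizes differ: %d vs %d bytes" % (len(a), len(b)))
    return [(i + 1, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def describe(diffs):
    """Add cmp-style octal values, the XOR mask and the flipped-bit count."""
    rows = []
    for offset, x, y in diffs:
        mask = x ^ y
        rows.append({"offset": offset,
                     "octal": (format(x, "o"), format(y, "o")),
                     "xor": mask,
                     "bits_flipped": bin(mask).count("1")})
    return rows


def only_single_bit_flips(rows):
    """True when there are differences and each one changes exactly one bit."""
    return bool(rows) and all(r["bits_flipped"] == 1 for r in rows)


def demo():
    # Constructed sample: two 1 KiB files, identical except for one byte
    # that is octal 376 in one file and octal 377 in the other.
    original = bytearray(os.urandom(1024))
    original[99] = 0o376
    changed = bytearray(original)
    changed[99] = 0o377
    with tempfile.TemporaryDirectory() as d:
        pa, pb = os.path.join(d, "a.bin"), os.path.join(d, "b.bin")
        with open(pa, "wb") as f:
            f.write(original)
        with open(pb, "wb") as f:
            f.write(changed)
        return describe(byte_diffs(pa, pb))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Octal 376 and 377 are 0xFE and 0xFF, so the one byte cmp reported differs in a single bit; running the comparison over each affected binary shows whether the other differences follow the same pattern.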