From: Mark N. <ma...@ti...> - 2005-07-27 17:14:48
Gary Funck wrote:

>>I have some files showing up in tripwire with changed inodes and MD5
>>sums. Before I panic, could this be caused by the hard drive
>>reallocating space?
>>
>
>The disk's reallocation is transparent to the operating system's
>view of the sectors on the drive. Further, i-nodes are separate
>from the sectors where the data is stored. I-nodes should only
>be changed if a file is created and then renamed.
>
>One thing that we run into from time to time is that after we
>run an update (up2date/yum) and install new files, obviously the
>i-nodes will change and so will the contents. As part of the update,
>at some time later, the OS runs a "prelink" on all the executables.
>See, http://www.linuxforum.com/man/prelink.8.php, and this will
>tweak some bits in the executable (though I don't know if this
>would change the i-node).
>

That prelink stuff is pretty interesting, though I'm not sure I completely
understand it. I wonder what "some time later" is. Only the inode, crc32
and md5 changed, for about 80 files, mostly in bin and sbin. No changes to
file dates or sizes, etc. It did happen within a week or so after about 5
important packages were updated from up2date (but after those initial
changes were recorded in the tripwire database).

>If that's not it, unplug the network and start looking for root kits. <g>
>

chkrootkit didn't turn up anything. Its only exposure to the internet is as
an ftp server running proftpd and I don't see any unusual activity from it,
so I'm skeptical that it was really compromised.

Thanks for the info.

--
Mark Nienberg, SE
Tipping Mar + associates
1906 Shattuck Ave
Berkeley, CA 94704
(510) 549-1906 ext 236
http://www.tippingmar.com
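One way to separate prelink-induced hash changes from real tampering is to hash the un-prelinked image that `prelink -y` reconstructs and compare it with the baseline MD5; prelink writes its output to a new file and renames it over the original, which is why the inode changes along with the hash. The script below is an added example, not code from this thread; it assumes a baseline list of `path<TAB>md5` lines exported from the Tripwire database and lets the undo command be substituted through `UNDO_CMD` for testing.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a Tripwire MD5 mismatch
# is explained by prelink. `prelink -y FILE` rejects files whose prelinked
# image was altered and otherwise prints the original, un-prelinked bytes.
# Assumptions: a baseline list of "path<TAB>md5" lines (constructed by the
# caller), and a prelink binary; UNDO_CMD may override "prelink -y" for tests.

# MD5 of the un-prelinked image of $1; prints nothing if the undo fails
# (file not prelinked, prelink missing, or prelink detected tampering).
unprelinked_md5() {
    tmp=$(mktemp) || return 1
    if ${UNDO_CMD:-prelink -y} "$1" > "$tmp" 2>/dev/null; then
        md5sum "$tmp" | cut -d' ' -f1
    fi
    rm -f "$tmp"
}

# Classify one file against its baseline MD5:
#   unchanged - current hash still matches the baseline
#   prelink   - differs, but the un-prelinked image matches the baseline
#   MODIFIED  - differs and prelink cannot account for it: investigate
#   missing   - file no longer exists
classify_change() {
    path=$1; baseline=$2
    [ -f "$path" ] || { echo missing; return; }
    cur=$(md5sum "$path" | cut -d' ' -f1)
    if [ "$cur" = "$baseline" ]; then
        echo unchanged; return
    fi
    undo=$(unprelinked_md5 "$path")
    if [ -n "$undo" ] && [ "$undo" = "$baseline" ]; then
        echo prelink
    else
        echo MODIFIED
    fi
}

# Report every entry of a baseline file, one "verdict path" line each.
# Usage: check_baseline /root/tripwire-baseline.tsv
check_baseline() {
    while IFS="$(printf '\t')" read -r p sum; do
        printf '%-9s %s\n' "$(classify_change "$p" "$sum")" "$p"
    done < "$1"
}
```

On RPM-based systems `rpm -V` performs the same prelink-aware comparison against the package database, which is a useful second opinion for files in bin and sbin.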