Has my System been Compromised?
5 days ago I tried an experiment. I currently run a music server called Subsonic that runs in a Java machine. My experiment was to make a chroot jail for it. So I created a dir /subsonic and copied (with -a) /lib64 and some /usr/bin/ and /bin files into the chroot directory. The experiment failed, so I deleted that chroot directory.
Since then I reset my passwords.
Today I ran an AIDE check (I keep the aide bin and aide database on a separate USB key for security) and the results can be found in the attached file.
What I am worried about most is /lib64 and /usr/bin.
Can anyone help, please?
Of the 976 Ctime lines listed, only 61 have unique times. Most changes happened on 2011-05-12, at 12:15 and at 17:15. This specific time stamp may be due to a cronjob, or it may be coincidence. None of the item names found are linked to any known (to me at least) malicious activity or rootkits. Since these items had their contents (= modification time) mass-changed as well as their metadata (= change time), all at the same time, and they are in Gentoo's multilib init script directory and /dev/, I'd rather be looking for the system being updated or some sort of "management script" running that would "fix" DAC rights, or changes occurring at reboot. Grepping your 'last' log for reboots ('last -x|egrep "^(reb|shu)";') and your syslogs for that specific date and time may yield clues.
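The triage described in the reply above (group the report's Ctime lines by their new timestamp, then check whether each cluster sits just after a reboot taken from `last -x`), as an added example that is not part of the original thread. The report snippet and reboot times are constructed; the line layout assumes AIDE's "Detailed information about changes" format with the old and new value separated by a comma.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of AIDE's "Detailed information about
# changes" section (old value, new value); not the poster's real report.
SAMPLE_REPORT = """\
File: /dev/null
 Mtime    : 2011-05-10 09:12:33           , 2011-05-12 12:15:02
 Ctime    : 2011-05-10 09:12:33           , 2011-05-12 12:15:02
File: /etc/init.d/multilib-example
 Ctime    : 2011-05-10 09:12:33           , 2011-05-12 12:15:02
File: /usr/bin/example
 Mtime    : 2011-05-10 09:12:33           , 2011-05-12 03:41:10
 Ctime    : 2011-05-10 09:12:33           , 2011-05-12 03:41:10
File: /lib64/libexample.so.1
 Ctime    : 2011-05-10 09:12:33           , 2011-05-12 17:15:00
"""
# Constructed reboot times, as you would read them off `last -x`.
SAMPLE_REBOOTS = [datetime(2011, 5, 12, 12, 14, 30),
                  datetime(2011, 5, 12, 17, 14, 50)]

FILE_RE = re.compile(r"^File: (.+)$")
CTIME_RE = re.compile(r"^\s*Ctime\s*:\s*(\S+ \S+)\s*,\s*(\S+ \S+)\s*$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def ctime_clusters(report):
    """Group changed paths by their *new* ctime (the second column)."""
    clusters, current = defaultdict(list), None
    for line in report.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CTIME_RE.match(line)
        if m and current:
            clusters[datetime.strptime(m.group(2), TS_FMT)].append(current)
    return dict(clusters)

def triage(report, reboots, window=timedelta(minutes=5)):
    """One row per distinct ctime: cluster size and whether a reboot preceded
    it within `window`. A mass change right after boot points at init/udev
    scripts; a change with no reboot nearby is the one to inspect by hand."""
    rows = []
    for ts, paths in sorted(ctime_clusters(report).items()):
        near = any(timedelta(0) <= ts - r <= window for r in reboots)
        rows.append({"ctime": ts, "count": len(paths), "paths": paths,
                     "after_reboot": near, "suspect": not near})
    return rows
```

Run it over the real report with `triage(open("aide.txt").read(), reboots)`; the rows with `suspect` set are the ones worth cross-checking against syslog for that minute.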
In your AIDE setup, do you have it set to send it via email? If so, how did you set it up?