LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-14-2011, 12:54 AM   #1
dman777
Member
Registered: Dec 2010
Distribution: Gentoo
Posts: 232
Has my System been Compromised?


Hello,

5 days ago I tried an experiment. I currently run a music server called Subsonic that runs in a Java machine. My experiment was to make a chroot jail for it. So I created a dir /subsonic and copied -a /lib64 and some /usr/bin/ and /bin files into the chroot directory. The experiment failed so I deleted that chroot directory.

Since then I reset my passwords.

Today I ran an AIDE check (I keep the aide bin and aide database on a separate usb key for security) and the results can be found in the attached file.

What I am worried about most is /lib64 and /usr/bin.

Can anyone help, please?
Attached Files
File Type: txt aide.txt (218.8 KB, 23 views)

Last edited by dman777; 05-14-2011 at 01:57 AM.
Old 05-14-2011, 03:32 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55
Of the 976 Ctime lines listed only 61 have unique times. Most changes happened on 2011-05-12, at 12:15 and at 17:15. This specific time stamp may be due to a cronjob or it may be coincidence. None of the item names found are linked to any known (to me at least) malicious activity or rootkits. Since these items had their contents (= modification time) mass-changed as well as their meta data (= change time) all at the same time and them being in Gentoo's multilib init script directory and /dev/ I'd rather be looking for the system being updated or some sort of "management script" running that would "fix" DAC rights or changes occurring at reboot. Grepping your 'last' log for reboots ('last -x|egrep "^(reb|shu)";') and your syslogs for that specific date and time may yield clues.
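A way to do the kind of grouping unSpawn describes above (count the unique change times and see where the bulk of the Ctime entries cluster), as an added example that is not part of this thread. It assumes AIDE's detailed-report layout of a "File:" line followed by indented "Ctime : old , new" lines and runs on a constructed sample, not the poster's aide.txt; the cluster timestamps it prints are what you then match against 'last -x' and the syslog for that day.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of AIDE's "Detailed information about changes"
# section (assumed format: "File: <path>" followed by indented
# "Ctime    : <old> , <new>" lines). Not the poster's actual aide.txt.
SAMPLE_REPORT = """\
File: /lib64/libc.so.6
  Mtime    : 2011-04-30 09:00:00              , 2011-05-12 12:15:02
  Ctime    : 2011-04-30 09:00:00              , 2011-05-12 12:15:02
File: /lib64/ld-linux-x86-64.so.2
  Ctime    : 2011-04-30 09:00:00              , 2011-05-12 12:15:02
File: /usr/bin/java
  Ctime    : 2011-04-30 09:00:00              , 2011-05-12 17:15:41
File: /dev/null
  Ctime    : 2011-05-01 08:00:00              , 2011-05-12 17:15:40
File: /etc/shadow
  Ctime    : 2011-04-30 09:00:00              , 2011-05-13 22:03:11
"""

FILE_RE = re.compile(r"^File:\s+(\S+)")
CTIME_RE = re.compile(r"^\s*Ctime\s*:\s*(\S+ \S+)\s*,\s*(\S+ \S+)")

def parse_ctimes(report):
    """Return {path: new_ctime} for every entry that reports a Ctime change."""
    result, current = {}, None
    for line in report.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = CTIME_RE.match(line)
        if m and current:
            result[current] = m.group(2)  # the "new" side of the pair
    return result

def cluster_by_minute(ctimes):
    """Group paths by new ctime truncated to the minute, largest cluster first.
    Mass changes from a package update, cron job or boot script collapse into
    a few large clusters; an isolated timestamp is the one worth a closer look."""
    groups = defaultdict(list)
    for path, ts in ctimes.items():
        groups[ts[:16]].append(path)
    return sorted(groups.items(), key=lambda kv: (-len(kv[1]), kv[0]))

if __name__ == "__main__":
    ct = parse_ctimes(SAMPLE_REPORT)
    print(f"{len(ct)} Ctime changes, {len(set(ct.values()))} unique times")
    for minute, paths in cluster_by_minute(ct):
        print(minute, len(paths), " ".join(sorted(paths)))
```

Run it against the real report with `parse_ctimes(open("aide.txt").read())`; the per-minute buckets are deliberately coarse so that a cron job or reboot script that touches hundreds of files shows up as one line.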
Old 05-17-2011, 08:07 PM   #3
rhbegin
Member
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381
Question:

In your AIDE setup, do you have it set to send it via email? If so, how did you set it up?