Hello,
Recently I transferred my site to a new provider and before putting the new server live I installed Tripwire as my IDS. Reports for the first 4 days the site was live on the new server were fine, but on day 5 the report made me gasp when reading it because according to it basically all of the files on my server had been modified (around 12k files).
After checking the details of the report I felt somewhat puzzled, because there was no change in date, size, permissions or anything on the file. All of the reported files had the same type of "Device Number" modification. Following is a sample of the report (as I mentioned all of the files have the same thing):
Modified object name: /usr/sbin/gpm
Property:          Expected    Observed
-------------      ----------- -----------
* Device Number    51          31
I'm a newbie at managing a Linux server, so I'm not familiar with that "Device Number" property. Could anyone give me some idea of what this is all about? Was my site hacked, or is there something else going on?
I haven't noticed anything weird on the site/server itself. I ran chkrootkit and rkhunter and neither of them reports anything unusual.
These are my specs:
- Virtual Private Server with 1 GB of dedicated RAM (provider uses OpenVZ for virtualization)
- CentOS 4.5
One fact that I should mention is that my provider announced recently that they were going to do some updates on the servers, because they wanted to update the OpenVZ to the latest kernel release. I wonder if this matter has anything to do with that, although the provider said that they would notify VPS users when their server was going to be upgraded, and so far they've not notified me about the update of the server where my account is located.
Thanks,
George
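The "Device Number" property Tripwire is comparing is the st_dev value that stat(2) returns for a file: it identifies the filesystem the file lives on, not the file's content or metadata. A report in which every object shows the same Device Number change and nothing else is therefore worth triaging as a whole before treating it as 12k tampered files. The script below is an added example and not part of the original post or of Tripwire itself; it reads a report in the layout quoted above (the sample text is constructed, including the hypothetical path /usr/bin/example-tool) and separates objects whose only changed property is Device Number from objects where some other property (Size, hashes, Mode, ...) also changed, which are the ones that still deserve a file-by-file look. The device_of helper assumes GNU coreutils stat.

```shell
#!/bin/sh
# Added example: triage a Tripwire report whose "Modified object" entries
# may differ only in the Device Number property (st_dev of the file).
# Objects where ONLY Device Number changed are consistent with the whole
# filesystem having been remounted under a different device identity;
# objects with any other changed property need individual investigation.

# Constructed sample report in the layout of the report quoted above.
# /usr/bin/example-tool is a hypothetical path used for illustration.
SAMPLE_REPORT='Modified object name: /usr/sbin/gpm
Property:          Expected    Observed
-------------      ----------- -----------
* Device Number    51          31

Modified object name: /usr/bin/example-tool
Property:          Expected    Observed
-------------      ----------- -----------
* Device Number    51          31
* Size             14236       15112
* CRC32            AbCdEf      GhIjKl
'

# Read a report on stdin; print "<objects> <device-number-only> <other-changes>".
triage_report() {
    awk '
        BEGIN { total = 0 }
        /^Modified object name:/ { total++; cur = $0; dev[cur] = 0; other[cur] = 0 }
        /^\* Device Number/ { dev[cur] = 1 }
        /^\* / && $0 !~ /^\* Device Number/ { other[cur] = 1 }
        END {
            d = 0; o = 0
            for (k in dev) { if (dev[k] && !other[k]) d++; if (other[k]) o++ }
            print total, d, o
        }'
}

# Print object names whose change is explained by Device Number alone.
device_only_objects() {
    awk '
        /^Modified object name:/ { cur = substr($0, index($0, ":") + 2); dev[cur] = 0; other[cur] = 0; order[++n] = cur }
        /^\* Device Number/ { dev[cur] = 1 }
        /^\* / && $0 !~ /^\* Device Number/ { other[cur] = 1 }
        END { for (i = 1; i <= n; i++) if (dev[order[i]] && !other[order[i]]) print order[i] }'
}

# Print object names where some property other than Device Number changed.
suspicious_objects() {
    awk '
        /^Modified object name:/ { cur = substr($0, index($0, ":") + 2) }
        /^\* / && $0 !~ /^\* Device Number/ { if (!seen[cur]++) print cur }'
}

# Current device number of a path on this host (GNU coreutils stat).
# Comparing this with the "Observed" column confirms which value is live now.
device_of() {
    stat -c '%d' "$1"
}

# Demonstration on the constructed sample.
printf 'objects / device-only / other-changes: %s\n' \
    "$(printf '%s' "$SAMPLE_REPORT" | triage_report)"
printf 'needs individual review:\n'
printf '%s' "$SAMPLE_REPORT" | suspicious_objects
if dev=$(device_of / 2>/dev/null); then
    printf 'device number of / on this host: %s\n' "$dev"
fi
```

In practice you would run `tripwire --check`'s printed report through `triage_report` (or save it with `twprint` first) and only hand-check the objects that `suspicious_objects` lists; if that list is empty and `device_of` on a few paths returns the new "Observed" value everywhere, the evidence points at a filesystem identity change rather than modified files.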