Security Basics mailing list archives

RE: AIDE warnings following kernel upgrade


From: "Michael Shirk" <shirkdog () cryptomail org>
Date: Mon Aug 23 09:22:40 EDT 2004

Some important things are:
Do you have an offline backup of the aide.db?
Do you have remote syslog capabilities?
These are controls that could be necessary depending on your risk level. If you do not have either of these, you can 
just do some basic steps to see what is going on.
netstat -an
lsof -i tcp and udp (also there is an option, I think -U, that shows ALL networking daemons and their processes).
Also,
tcpdump, or ethereal or snort and just see what packets are coming to your server. If you think someone is on the box, 
also refer to Securityfocus.com and look for live forensic tools and information. 
All of this will tell you if anyone is actually on your box. 
Hope this gets you started.
Shirkdog
-----Original Message-----
From: dmargoli () stwing org [mailto:dmargoli () stwing org]
Sent: Monday, August 16, 2004 7:40 PM
To: security-basics () securityfocus com
Subject: AIDE warnings following kernel upgrade
Importance: Low
Hi,
I'm writing regarding some strange behaviour on a machine of mine.
The machine:
Debian stable, previously running Debian sources 2.4.18, just upgraded 
to a grsecurity-patched vanilla 2.4.27. Apache 1.3, Postfix, Mailman. 
Fairly typical setup.
What happened:
As I said, I upgraded from the Debian sources (they appear to have a 
handful of local DoS and priv-escalation vulnerabilities that have gone 
unpatched) to 2.4.27 with GRSecurity patches applied.
After the upgrade, AIDE, which runs on a nightly cron, warns me that 
nearly all files have been changed (contents of /lib/modules/2.4.18/, 
which makes little sense, /bin/bash, /usr/bin/perl, /usr/lib/apt, files 
in /var, /lib, /bin, /usr/local, you name it). The change appears to be 
minor changes in the bcount (e.g. File: /bin/bash  Bcount   : 1001, 1000).
So obviously I'm worried about the possibility of an intrusion. This 
seems a bit odd, however; while I don't trust the output of chkrootkit 
(which doesn't find anything), I have to wonder about the conjunction 
between this and the kernel upgrade. Is it likely that somebody loaded 
something malicious into my boot loader (GRUB) so that when I rebooted 
(first time in a few weeks), something nasty happened? If so, why would 
so many files be changed (I wouldn't really expect someone to trojan 
/usr/lib/libfakeroot...)? That makes it a bit obvious. Or is it possible 
that somebody altered my sources so that when I got around to compiling 
and upgrading, I loaded a trojaned version?
Further, is it possible that these restrictive GRSecurity options, or 
simply the newer kernel, might result in these files failing their checks?
I'll admit, I'm trying to find reassurance that I haven't been rooted. 
Rebuilding this machine will be a pain. Any ideas?
Thanks.
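The original poster's report shows almost every file differing only in Bcount (the block count AIDE reads from st_blocks), while chkrootkit finds nothing. A first triage step is to separate entries where only allocation metadata moved from entries whose content hash or size changed, since the latter are the ones that cannot be explained by a kernel or filesystem reporting difference. The script below is an added example written for this thread; it is not the poster's code, not part of AIDE, and not a verdict on the machine in question. It assumes AIDE's verbose per-file report layout ("File: path" followed by "Attribute : old , new" lines); the sample report is constructed here, modelled on the "File: /bin/bash  Bcount : 1001, 1000" line quoted above, and is not real output from the poster's system.

```python
"""Triage an AIDE change report: split entries where only Bcount (or other
allocation/metadata fields) moved from entries whose content hash or size
changed. Added example for this thread, not code from AIDE or the poster."""
import re
from collections import defaultdict

# Constructed sample report (assumption: AIDE's "Attribute : old , new" layout).
# Not real output from the machine discussed in the thread.
SAMPLE_REPORT = """\
File: /bin/bash
  Bcount   : 1001                             , 1000
File: /usr/bin/perl
  Bcount   : 2345                             , 2344
File: /usr/local/sbin/sshd
  Size     : 301024                           , 305872
  Mtime    : 2004-08-10 03:12:44              , 2004-08-16 19:02:11
  MD5      : d41d8cd98f00b204e9800998ecf8427e , 0cc175b9c0f1b6a831c399e269772661
  Bcount   : 600                              , 608
File: /etc/passwd
  Mtime    : 2004-08-01 12:00:00              , 2004-08-16 19:05:30
  SHA1     : da39a3ee5e6b4b0d3255bfef95601890afd80709 , 2aae6c35c94fcfb415dbe95f408b9ce91ee846ed
"""

FILE_RE = re.compile(r"^File:\s+(\S+)")
ATTR_RE = re.compile(r"^\s+(\w+)\s*:\s*(.+?)\s*,\s*(.+?)\s*$")

# Attributes that show the bytes on disk changed. A bare Bcount, Inode or
# Ctime move does not: st_blocks depends on how the kernel and filesystem
# report allocation, which is exactly what a kernel upgrade can alter.
CONTENT_ATTRS = {"MD5", "SHA1", "SHA256", "RMD160", "TIGER", "Size"}


def parse_report(text):
    """Return {path: {attr: (old, new)}} from AIDE-style report text."""
    changes = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            changes[current]  # register the path even if no attribute lines follow
            continue
        m = ATTR_RE.match(line)
        if m and current:
            attr, old, new = m.groups()
            changes[current][attr] = (old, new)
    return dict(changes)


def triage(changes):
    """Split paths into 'content' (hash or size changed) and 'metadata_only'.

    'content' entries are the ones to verify against an offline aide.db copy
    or the package manager; 'metadata_only' entries are consistent with a
    reporting change but still deserve a spot check.
    """
    result = {"content": [], "metadata_only": []}
    for path, attrs in sorted(changes.items()):
        if CONTENT_ATTRS & attrs.keys():
            result["content"].append(path)
        else:
            result["metadata_only"].append(path)
    return result


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for bucket, paths in summary.items():
        print(f"{bucket}: {len(paths)} file(s)")
        for p in paths:
            print(f"  {p}")
```

On the constructed sample this lists /bin/bash and /usr/bin/perl as metadata-only and /usr/local/sbin/sshd and /etc/passwd as content changes. Run it against a real AIDE report only after confirming the attribute names and column layout match your aide.conf; on a Debian system the content bucket is the one to cross-check with the package manager's checksum list (for example debsums) before deciding whether a rebuild is needed.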