[2710] in bugtraq


Re: Strange changes - any ideas?

daemon@ATHENA.MIT.EDU (Darren Reed)
Mon Jun 10 12:51:41 1996

Date: 	Tue, 11 Jun 1996 00:23:44 +1000
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Darren Reed <avalon@coombs.anu.edu.au>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <9606081347.AA08459@all.net> from "Fred Cohen" at Jun 8,
              96 09:47:48 am

In some mail from Fred Cohen, sie said:
>
> We run a change-controlled environment, which means that we should be
> aware of all changes.  To crosscheck this, we regularly do automated
> change detection.  This morning, I made some minor changes to some user
> areas and ran the change control checks only to find the changes listed
> below. (Here are some select extracts)
[...]
> Note that while the content changed, none of the times changed,
> the space remained the same, etc.
[...]
> Here's one where everything indicates a change, but the content is
> unchanged! Sort of hard to believe - there were several of these.
>
> These changes would normally indicate a massive corruption, a disk
> crash, total system collapse, or takeover by bad-people.  I checked the
> log files that would indicate any intrusions and found nothing to
> indicate any out-of-the-ordinary usage.  I found an apparent file in a
> directory listing - but when I tried to see it, it did not actually
> exist.  I did a cat of /etc/motd (described above) and found that it had
> a partial syslog entry appended to it - very strange stuff considering
> that the MD5 checksum was unchanged!
[...]

I think the obvious thing would have been to find the backup tapes and use
"cmp -l" on the binary files.

Or something similar.

You might also want to check your sanity checking binaries, kernel and
database, just to be sure.

Also, I'm pretty sure that funny fsck runs won't get logged.
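The three situations in the thread (content changed while size and timestamps stayed put, timestamps changed while content stayed put, and a checker whose own database can no longer be trusted) can be told apart by keeping metadata and digest separate in the change-control record and, when in doubt, comparing bytes against a copy the running system could not have altered, which is what the "cmp -l" against backup tapes suggestion amounts to. The following is an added Python example, not code from the original thread or from either poster; the file names, contents and the one-second timestamp bump are constructed for the demonstration, and `cmp_l` returns byte values as integers where cmp(1) would print octal.

```python
"""Added example (not from the original thread): a tiny change-detection
checker that records size, mtime and an MD5 digest per file, classifies the
kind of difference seen on re-check, and falls back to a byte-for-byte
comparison against an offline copy in the style of `cmp -l`.
All file names and contents below are constructed for the demonstration."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    size: int
    mtime_ns: int
    md5: str


def snapshot(path):
    """Record what a change-control database keeps per file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.md5(f.read()).hexdigest()
    return Record(st.st_size, st.st_mtime_ns, digest)


def classify(baseline, current):
    """Separate content drift from metadata drift; either one alone is odd."""
    content = baseline.md5 != current.md5
    meta = (baseline.size, baseline.mtime_ns) != (current.size, current.mtime_ns)
    if content and not meta:
        return "content-changed-metadata-unchanged"   # timestamps put back?
    if meta and not content:
        return "metadata-changed-content-unchanged"   # touch/restore, or a bad checker
    if content and meta:
        return "changed"
    return "unchanged"


def cmp_l(path_a, path_b):
    """Like `cmp -l`: (1-based offset, byte_a, byte_b) for each differing byte,
    plus both lengths so truncation or growth is visible too."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        a, b = fa.read(), fb.read()
    diffs = [(i + 1, a[i], b[i]) for i in range(min(len(a), len(b))) if a[i] != b[i]]
    return diffs, len(a), len(b)


def cross_check(live, offline_copy, baseline):
    """Trust the checker only if an offline copy (tape, read-only media) agrees:
    a verdict of 'unchanged' that contradicts the offline bytes means the
    checker, its database, or the kernel it runs on is suspect."""
    verdict = classify(baseline, snapshot(live))
    diffs, _, _ = cmp_l(live, offline_copy)
    if verdict == "unchanged" and diffs:
        return "baseline-agrees-with-live-but-offline-copy-differs"
    return verdict


def demo():
    """Replay the thread's three situations on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "motd")
        tape = os.path.join(d, "motd.from_backup")   # stands in for the backup tape
        original = b"Welcome to host\n"              # constructed content, 16 bytes
        for p in (live, tape):
            with open(p, "wb") as f:
                f.write(original)
        baseline = snapshot(live)
        st = os.stat(live)

        # 1. same-length edit with the timestamps restored: only the digest moves
        with open(live, "wb") as f:
            f.write(b"Welcome to hist\n")
        os.utime(live, ns=(st.st_atime_ns, st.st_mtime_ns))
        results["edited_quietly"] = classify(baseline, snapshot(live))
        results["cmp_l"] = cmp_l(live, tape)

        # 2. checker database regenerated after the edit: it now reports "unchanged",
        #    but the offline copy still disagrees
        results["stale_db"] = cross_check(live, tape, snapshot(live))

        # 3. content restored, mtime bumped by one second (constructed), like touch(1)
        with open(live, "wb") as f:
            f.write(original)
        os.utime(live, ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))
        results["touched"] = classify(baseline, snapshot(live))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of `cross_check` is the one made in the reply: a database that lives on the same host as the files it describes is only as trustworthy as that host, so the tie-breaker has to be a copy the host cannot have touched.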
