Hello,
May I please have the benefit of your informed
thoughts?
rkhunter said fifteen files were moved to new
inodes on August 22, 2011.
Which theory best explains it?
1.) UPGRADING PACKAGES
dhcp3-common
dhcp3-client
libfreetype6
libwbclient0
samba-common
smbfs
However, re-installing the packages with
$ rkhunter --propupd
$ apt-get --reinstall --purge install dhcp3-common (bla bla bla ...)
$ rkhunter -c
failed to elicit the warnings.
2.) A HYPERVISOR
The computer is actually a so-called "virtual
private server" (VPS), running under a
hypervisor named "Virtuozzo".
Virtuozzo can share files between multiple
VPSes.
Maybe Virtuozzo moved the files.
However support staff at the company hosting
the VPS were unaware of any changes.
3.) A ROOT KIT
The computer seems to have been recently
infected by malicious email, and soon after
the warnings, security updates were recently
released for the following packages
apache2
apache2-doc
apache2-mpm-prefork
apache2-utils
apache2.2-common
Since there's contradictory evidence for the first
two theories, and corroborating evidence for the
third, I'm inclined to think a root kit is more
likely.
What do you think?
Thanks,
Kingsley
Excerpt from rkhunter.log follows:
[02:19:54] /sbin/depmod [ Warning ]
[02:19:54] Warning: The file properties have changed:
[02:19:54] File: /sbin/depmod
[02:19:55] Current inode: 393257589 Stored inode: 915474138
[02:19:57] /sbin/ifconfig [ Warning ]
[02:19:57] Warning: The file properties have changed:
[02:19:58] File: /sbin/ifconfig
[02:19:58] Current inode: 393257670 Stored inode: 915472951
[02:19:59] /sbin/ifdown [ Warning ]
[02:19:59] Warning: The file properties have changed:
[02:19:59] File: /sbin/ifdown
[02:20:00] Current inode: 393257652 Stored inode: 915472971
[02:20:01] /sbin/ifup [ Warning ]
[02:20:01] Warning: The file properties have changed:
[02:20:02] File: /sbin/ifup
[02:20:02] Current inode: 393257695 Stored inode: 915472971
[02:20:03] /sbin/init [ Warning ]
[02:20:04] Warning: The file properties have changed:
[02:20:04] File: /sbin/init
[02:20:05] Current inode: 393257690 Stored inode: 915344399
[02:20:06] /sbin/insmod [ Warning ]
[02:20:06] Warning: The file properties have changed:
[02:20:06] File: /sbin/insmod
[02:20:07] Current inode: 393257620 Stored inode: 915474136
[02:20:08] /sbin/ip [ Warning ]
[02:20:08] Warning: The file properties have changed:
[02:20:08] File: /sbin/ip
[02:20:08] Current inode: 393257586 Stored inode: 915473089
[02:20:10] /sbin/lsmod [ Warning ]
[02:20:10] Warning: The file properties have changed:
[02:20:11] File: /sbin/lsmod
[02:20:11] Current inode: 393257694 Stored inode: 915474169
[02:20:12] /sbin/modinfo [ Warning ]
[02:20:12] Warning: The file properties have changed:
[02:20:13] File: /sbin/modinfo
[02:20:13] Current inode: 393257697 Stored inode: 915474140
[02:20:14] /sbin/modprobe [ Warning ]
[02:20:14] Warning: The file properties have changed:
[02:20:14] File: /sbin/modprobe
[02:20:15] Current inode: 393257704 Stored inode: 915474135
[02:20:17] /sbin/rmmod [ Warning ]
[02:20:17] Warning: The file properties have changed:
[02:20:17] File: /sbin/rmmod
[02:20:17] Current inode: 393257624 Stored inode: 915474137
[02:20:18] /sbin/runlevel [ Warning ]
[02:20:19] Warning: The file properties have changed:
[02:20:19] File: /sbin/runlevel
[02:20:19] Current inode: 393257634 Stored inode: 915344400
[02:20:21] /sbin/sulogin [ Warning ]
[02:20:21] Warning: The file properties have changed:
[02:20:22] File: /sbin/sulogin
[02:20:22] Current inode: 393257611 Stored inode: 915344234
[02:20:23] /sbin/sysctl [ Warning ]
[02:20:23] Warning: The file properties have changed:
[02:20:23] File: /sbin/sysctl
[02:20:24] Current inode: 393257643 Stored inode: 915474596
[02:20:25] /sbin/syslogd [ Warning ]
[02:20:25] Warning: The file properties have changed:
[02:20:26] File: /sbin/syslogd
[02:20:26] Current inode: 393257649 Stored inode: 915669158
_______________________________________________
Rkhunter-users mailing list
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
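One way to triage a batch of "file properties have changed" warnings like the ones in the excerpt above is to correlate each flagged path with the package that owns it and with what dpkg actually did on the day of the warnings: a file whose owning package was upgraded or reinstalled that day is explained, anything else is not. The script below is an added example, not part of the original post and not rkhunter's own code. It parses the rkhunter log format shown above, reads dpkg.log lines, and also reports how tightly the new inode numbers cluster. Assumptions: the path-to-package map OWNERS is a constructed stand-in for what `dpkg -S` reports on the real host; the dpkg.log sample is constructed with placeholder version strings; three of the sample rkhunter entries are copied from the excerpt and the `/sbin/dhclient` entry is constructed so that the "explained" branch is exercised.

```python
"""Offline triage of rkhunter inode-change warnings against dpkg.log.

Added example for the rkhunter-users thread above; not rkhunter's code.
All sample data below is constructed for the example (see comments).
"""
import re
from collections import namedtuple

InodeWarning = namedtuple("InodeWarning", "path current stored")

# rkhunter prints the path on one line and the inode pair on a later line.
_FILE_RE = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+File:\s+(\S+)\s*$")
_INODE_RE = re.compile(
    r"^\[\d\d:\d\d:\d\d\]\s+Current inode:\s+(\d+)\s+Stored inode:\s+(\d+)\s*$")
# dpkg.log: "<YYYY-MM-DD> <HH:MM:SS> <action> <package>[:arch] <versions ...>"
_DPKG_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d) \d\d:\d\d:\d\d (install|upgrade|remove|purge) (\S+)")


def parse_rkhunter_log(text):
    """Return one InodeWarning per 'Current inode ... Stored inode' pair."""
    warnings, path = [], None
    for line in text.splitlines():
        m = _FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        m = _INODE_RE.match(line)
        if m and path is not None:
            warnings.append(InodeWarning(path, int(m.group(1)), int(m.group(2))))
            path = None
    return warnings


def packages_touched_on(dpkg_log, day):
    """Set of packages dpkg installed/upgraded/removed on the given day."""
    touched = set()
    for line in dpkg_log.splitlines():
        m = _DPKG_RE.match(line)
        if m and m.group(1) == day:
            touched.add(m.group(3).split(":")[0])  # drop a ':amd64' style suffix
    return touched


def triage(warnings, owners, touched):
    """Map each warned path to a verdict string.

    owners: path -> owning package (as `dpkg -S` would report), None if unowned.
    touched: packages dpkg acted on around the time of the warnings.
    """
    verdicts = {}
    for w in warnings:
        pkg = owners.get(w.path)
        if pkg is None:
            verdicts[w.path] = "unowned: not shipped by any package, inspect by hand"
        elif pkg in touched:
            verdicts[w.path] = "explained: %s was upgraded/reinstalled" % pkg
        else:
            verdicts[w.path] = "unexplained: owner %s untouched by dpkg" % pkg
    return verdicts


def inode_spread(warnings):
    """(range of current inodes, range of stored inodes).

    A narrow current range next to a wide stored range means the files were
    re-created close together, in one operation, rather than one package at
    a time over weeks.
    """
    cur = [w.current for w in warnings]
    old = [w.stored for w in warnings]
    return max(cur) - min(cur), max(old) - min(old)


# Constructed sample: first three entries copied from the thread's excerpt,
# the /sbin/dhclient entry invented to exercise the "explained" branch.
RKHUNTER_EXCERPT = """\
[02:19:54] /sbin/depmod [ Warning ]
[02:19:54] Warning: The file properties have changed:
[02:19:54] File: /sbin/depmod
[02:19:55] Current inode: 393257589 Stored inode: 915474138
[02:19:57] /sbin/ifconfig [ Warning ]
[02:19:57] Warning: The file properties have changed:
[02:19:58] File: /sbin/ifconfig
[02:19:58] Current inode: 393257670 Stored inode: 915472951
[02:20:03] /sbin/init [ Warning ]
[02:20:04] Warning: The file properties have changed:
[02:20:04] File: /sbin/init
[02:20:05] Current inode: 393257690 Stored inode: 915344399
[02:20:30] /sbin/dhclient [ Warning ]
[02:20:30] Warning: The file properties have changed:
[02:20:30] File: /sbin/dhclient
[02:20:31] Current inode: 393257712 Stored inode: 915474201
"""

# Constructed dpkg.log sample; version strings are placeholders.
DPKG_LOG = """\
2011-08-21 22:05:01 upgrade samba-common 1.0-1 1.0-2
2011-08-22 03:10:12 upgrade dhcp3-common 1.0-1 1.0-2
2011-08-22 03:10:13 upgrade dhcp3-client 1.0-1 1.0-2
2011-08-22 03:10:15 upgrade libfreetype6 1.0-1 1.0-2
"""

# Constructed stand-in for `dpkg -S <path>` output on the real host.
OWNERS = {
    "/sbin/depmod": "module-init-tools",
    "/sbin/ifconfig": "net-tools",
    "/sbin/init": "sysvinit-utils",
    "/sbin/dhclient": "dhcp3-client",
}


def run_triage(day="2011-08-22"):
    """Triage the sample data; returns (verdicts, inode spread)."""
    warnings = parse_rkhunter_log(RKHUNTER_EXCERPT)
    touched = packages_touched_on(DPKG_LOG, day)
    return triage(warnings, OWNERS, touched), inode_spread(warnings)


if __name__ == "__main__":
    verdicts, spread = run_triage()
    for path, verdict in sorted(verdicts.items()):
        print("%-16s %s" % (path, verdict))
    print("inode spread: current=%d stored=%d" % spread)
```

On the real host, feed it /var/log/rkhunter.log and /var/log/dpkg.log, build OWNERS from `dpkg -S` for each warned path, and then verify every file the script leaves unexplained against the package's recorded checksums (`debsums -c`) rather than relying on the inode alone. In the excerpt above every current inode lies between 393257586 and 393257704 while the stored inodes span a far wider range, which is the pattern the spread check is meant to surface.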