Security :: Files Sizes And Checksums Changed, But Not Time Stamps?

Nov 24, 2010

For the second time in a week, I have set up an unmanaged CentOS 5.5 Storm Server at StormOnDemand, only to discover a ton of unauthorized changes to binaries (updated file checksums and sizes) on the server shortly thereafter. The time stamps do NOT change. If the time stamps did change, I would be hunting down what was doing some auto-updates. But the time stamps are not changing. This leads me to believe that either these servers are suffering from:

1. A virus or hacker is compromising the box.
2. System corruption.
3. Something else?

To eliminate the possibility of number 1, I toasted the first server and started over with a new server and enabled their firewall from the start to only allow access for two IPs via SSH... my IP and my biz partner's.

Then, one of the first things we installed was a system we created that maintains a snapshot of most directories on the system so that it can be used to watch the live directories for changes. At 4:07am (server time) this morning, we received notice from this system that a massive number of files had changed in these directories. Again, no file time stamps changed. So, my question is this... is there any legitimate reason in a fairly standard CentOS 5.5 install that would cause so many files to change?

View 2 Replies



General :: Add Time Stamps To Files?

Dec 14, 2010

Currently I am using the following command to copy and add date and time stamp to files.

cp /home/work/file.grn /home/xfer/rename_`date +%Y%m%d%H%M%S`.grn

If I have five files, for ex: file_1.grn, file_2.grn, file_3.grn ... can I copy those five files to a different directory and with a different file name and with date time stamp to it. The output filenames name_1_yyyymmddhhmmss.grn, rename_2_yyyymmddhhmmss.grn, rename_3_yyyymmddhhmmss.grn ...

View 5 Replies View Related

General :: Average Of Unix Time Stamps?

Mar 25, 2011

I've these 2 UNIX timestamps values taken from the java method System.currentTimeMillis(). These 2 timestamps correspond to the start time and the end time of 2 process that ran. Here are the values:

Code:
starttime ---------------- endtime
1301005328042 ----------- 1301005352079

[code]...

View 2 Replies View Related

Security :: Script To Monitor Sizes Of List Of Files And Send Alert If Size Changes?

Mar 28, 2011

I am looking for a utility that would do the following:

1. Be run manually on a list of files whose sizes should not change, to get a control file containing the sizes of each file.
2. Subsequent manual runs would report any changes in size of any of the files in the list, and allow option to accept the new sizes.
3. Be run as a cron job to check for changes in the file sizes and send an email alert if a change has occurred since the last time it was run.

The purpose is to detect possible hacks of key files on a website. It would not include files expected to change, but just those that should not change. It would be run manually a few times to get the control list one wants to monitor.

View 3 Replies View Related

General :: File Time Stamps Missing Detail?

Dec 22, 2010

I have two machines, both are centos 4.4 (one is a virtual machine, the other is not) they are treating file timestamps differently. Below is an example from each of the machines to demonstrate.

Code:
[behaving as expected]
-bash-3.00$ ls -1t --full-time

[code]...

View 2 Replies View Related

Fedora :: Changed Desktop Icon Sizes?

Feb 20, 2010

I've been using Linux for about 15 yrs.. and this is driving me crazy. My daughter often plays on my linux box - a kinda-fresh f12 install.. running gnome. SO one day I go on my computer and my icons on my desktop are as if she changed my display to 800x600 - since the icons are so huge - but web browsing & once i open an application the sizing is fine. Wondering what she may have done to make my icons so huge. i can't seem to figure out any settings for this - she was messing with accessibility options since she had some software keyboard coming up at login too

View 7 Replies View Related

Ubuntu Security :: Display A List Of All The Files Changed During Current Session?

Jan 25, 2011

is there a way to display a list of all the files changed during current session?

View 4 Replies View Related

Ubuntu Security :: Security Changed In Remote Desktop?

Jul 6, 2010

I always use VNC to check my server for updates, and this morning I started the xvnc4viewer to vnc into my server and it keep asking for a password. I never setup a password because I do this local from my laptop, and I am the only one who uses my laptop. I had to go to my server and check the setting in System > Preferences > Remote Desktop and found them all changed. There was a password setup and there was a check mark in the you must confirm each access to this machine there some security update that changed all these setting? Sometimes when I do updates I don't know what is being changed on my server

View 9 Replies View Related

Software :: Shared Libraries Dependencies - Ldd - Cmov - (files Have Different Sizes)

Jan 6, 2010

Question about shared libraries dependencies & ldd: Let's find dependencies for /bin/echo :

$ldd /bin/echo
linux-gate.so.1 => (0xb7f70000)
libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e01000)
/lib/ld-linux.so.2 (0xb7f71000)

Let's focus on libc6 :

[Code]....

What is this directory /lib/i686/cmov? How does ldd to link /lib/libc.so.6 to /lib/i686/cmov/libc.so.6? Why having 2 libc6 on the system (files have different sizes, so are different)?

View 2 Replies View Related

Ubuntu :: Limit Log File Sizes - Log Files Are Taking Up Entire Harddrive

Mar 15, 2010

I just recently reinstalled (clean) Ubuntu 9.10 Karmic Koala last week. In that time, over 40GB of log files were created until the FileSystem was full. I then received a low disk space message and ran disk usage analyzer to find out that almost all of the 44GB I had free were taken up by the /var/log directory. I then proceeded to delete the 5 largest files which freed up over 40 GB of space.

Basically I believe that I have two problems:

1.) The log files are logging too much information (40 GB in one week).

2.) I need a way to automatically limit the size of the log files. I have tried searching online for this solution and briefly came across logrotate but I don't believe that this will completely solve my problem as it only compresses and backs up older logs. I need something that will remove old log entries altogether. If logrotate is capable of this can someone please walk me through the process? I do not remember all five log files that were in question but they did include: messages, syslog, and daemon.log. I believe kern.log may have been involved too.

View 2 Replies View Related

Server :: System Time Cannot Be Changed

May 1, 2010

On installation of my OEL (Oracle Enterprise Linux), I've made a mistake, and set the date and time wrong. It's pointing to a date far in the future. So I change the date (and time), all looks OK. But when I boot, all is back to the same date (in 2015). I'm running this OS in VMware, I don't know if this issue relates to VM or not.

View 8 Replies View Related

Software :: Time Frequently Changed In Fedora 12?

Jun 27, 2010

my system time is getting changed automatically (4 hours delay) even if i set the correct time zone. how can i resolve it?

View 8 Replies View Related

General :: Make App Detect When System Time Has Changed?

Jun 9, 2011

I need to write a small application which needs to detect if the system time is changed by an another application/user and perform some action as soon as it is detected (maybe log the data that time has changed, along with info about which application/user changed it).

How can this be achieved?

I have good programming experiences in shell script, c and beginner level in python.
I don't need to know when it was changed, just need to know who/what changed it.
The system uses NTP to sync the time, but it is also possible for anyone/any application to change the time(for eg: using the simple "date" command as well).

View 2 Replies View Related

Ubuntu :: Time Changed From GMT To BST - Wake On Alarm Fails / Fix This?

Mar 30, 2011

I'm running Ubuntu Hardy 8.04 and in the UK we changed from GMT to BST last Sunday (27th March)
On GMT I was waking on LAN at 23:30, all was working fine then we changed to BST. What I usually do is leave the BIOS clock on GMT and change the Wake on Alarm to 22:30. I did this, shut down Ubuntu fine, but it's not waking up at all at 22:30, or any other time I set the WOA to. I had this problem a few years ago on an old ASrock mobo and can't remember how I sorted it - maybe by blanking the bios, can't remember.

View 4 Replies View Related

Software :: Application To Eliminate Doubles In Files / Rename Changed Files With Date?

Jan 12, 2011

I have bought an external usb hard drive on which I back up my three computers every once in a while. Space will quickly be used up. I can't find that little bit of research that I need yesterday. Here is what I would like to find: An application that eliminates doubles in identical files and renames files that have changed by appending the last saved date yyyymmdd to the file name. Does such an application already exist?

View 6 Replies View Related

Ubuntu :: Permissions For My Home Directory Were Accidentally Changed From 'access Files' To 'create And Delete Files?

Nov 25, 2010

the permissions for my home directory were accidentally changed from 'access files' to 'create and delete files', and I changed them back, but ever since then I am not able to change any preferences/settings at all. power management, themes, panels, emerald, anything. my user account is supposed to be the administrator, and all the user privileges are checked. how to get control of my computer back?

View 9 Replies View Related

Ubuntu Security :: Bad Login Protocols - Graphical Login For Gnome Sizes Itself To Accommodate A User's Exact Password Length

Dec 14, 2010

I'm seeing really bad user login format under a standard installation and am wondering why ubuntu does this as default. I have noticed that the graphical login for gnome sizes itself to accommodate a user's exact password length. This indicates to me that somewhere on the unencrypted part of a standard installation with user encryption contains at least some indication of the content of the password length which seems a security flaw even if not a complete hole, it majorly reduces the number of attempts a cracker would have to cycle through.

And that's assuming that *only* the length is contained. Furthermore it seems that it would be MUCH better to simply display the number of characters entered into the pw field and allowing the gui to expand itself from a fixed size as the field is filled out so that the user still receives visual feedback for entering characters. Either a simple character count display should be entered into the field or a 10 dot to new line so that one can visually quickly count the number enter by multiplying from a 10base graphical observation.

View 9 Replies View Related

Fedora Servers :: Check In Dates Getting Changed / Updated To System Time

Jun 21, 2011

I am using the default CVS available in Fedora 9. I initiated the CVS server by
cvs -d /usr/local/cvsproj init
To check-in and check-out the following exports commands are used
export CVS_RSH=ssh
export CVSROOT=:ext:swathi@SERVER:/usr/local/cvsproj

I shall explain problem by taking an example. A project was checked in long before (for example the checkin date is 25 Feb 2010). And today (i.e. 21 June 2011) I checked out the project from the repository. After checkout, the date of the project in the repository is changed from 25 Feb 2010 to 21 June 2011. This date is set to all the subfolders in that project. But the files in the project retains the checking date i.e. 25 Feb 2010. Why the check-in dates are getting updated/changed to the system time after doing check-out.

View 2 Replies View Related

Security :: Root Password Cannot Be Changed

Jan 20, 2011

Protect against root password change

I have recently had to force a change of the root password on a linux box I was running. It was a test system which I had not used in a while, so I forgot the root password (not so smart). Anyway, I found that it was amazingly easy to reset the root password. Here is a straight forward article on how to do it. URL...

My question is: how can you protect against this? I see this as a security hole. I understand that the user must have physical access to the computer, but if I want to lock the system down so you cannot easily enter single user mode or the root password cannot be changed.

View 1 Replies View Related

Red Hat / Fedora :: RHEL 5 Dual Networking - Ethx (0,1) Devices Are Brought Up Be Changed At Boot Time

Jun 3, 2010

I'm having an issue with dual networking on RHEL 5. My initial question is can the order the ethx (0,1) devices are brought up be changed at boot time, so I could bring up eth1 before eth0?

Some background: eth0 is DHCP'd and using DNS, basically this is my primary network. eth1 is an isolated subnet, with a manually configured IP which has no connection to eth0 or the outside world. When I bring up networking it first brings up eth0 and then eth1, what happens is eth1 becomes the 'primary' network of the host and I lose my connection to DNS/NFS/NIS and the outside world.

If I login and manually bring up eth1 first, then eth0 everyone is happy and connections work. So, I'm looking for a solution to either bring up eth1 before eth0 or somehow make eth0 my primary IP and not have it be clobbered by eth1.

View 2 Replies View Related

Ubuntu Security :: Changed Password Now Can't Login?

Apr 10, 2010

I'm running 64-bit Ubuntu Karmic, Encrypted HDD. I changed my login password. When i try to boot i click on my name and type in my new password i have 'authentication fail'. When i type in my old password this happens:

"could not update ICEauthority file /home/chris/ICEauthority"
"Their is a problem with the configuration server. (/usr/lib/libconf2-4/gconf-sanity-check-2) exited with status 256"
"Nautilus could not create the following required folders /Home/chris/Desktop, /home/chris/.nautilus Before running nautilus, please create these folders, or set permissions such that nautilus can create them."

View 4 Replies View Related

Security :: Fix A Source File That Had Definitely Not Changed?

Jul 9, 2010

I am running a Fedora 10 Virtual Server and have a feeling I have been hacked. I needed to fix a source file that I had definitely not changed myself. It was a PHP file concerned with usernames and passwords so that made me even more suspicious. I have been investigating and found the following. If you need other information give me the command I should run and I will update, I am no expert in this area and use the server to host my website and SVN. I am the only person that has access to the server.

Code:
# lsof -u nobody
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

[code]....

View 4 Replies View Related

Software :: Using Dd To Find Out Cdroms Checksums?

Mar 9, 2010

I issue the command 'dd if=/dev/hdc|head -c 4294607004|md5sum'. But the checksum I get is not the correct one. It's not the checksum of the first 4294607004 bytes in /dev/hdc. And the message dd outputs is

8387904 records in
8387904 records out

Then I find 8387904 * 512 (512 because 4294607004 / 8387904 = 512.0000186) = 4294606848, which falls short of 4294607004 by a few bytes. But 8387905 * 512 > 4294607004. So I issue 'dd if=/dev/hdc ibs=512 count=8387905|head -c 4294607004|md5sum'. the message is still the same:

8387904 records in
8387904 records out

View 2 Replies View Related

CentOS 5 :: No Checksums Posted For 5.3 LiveCD ISO?

May 21, 2009

I checked a couple of locations:[URL]... and none of the files listing checksums do so for the LiveCD ISO neither md5 nor sha1. Being a "trust but verify" sort of fellow. . .

View 3 Replies View Related

General :: Move File And Folder Date Stamps?

May 7, 2010

I wrote this little script and I need some help, I am trying to achieve following: Every day I receive new file in the /home/denis/MyData/ folder and I don't know what the file name will be but I want to move any file that arrives there to the new location /media/DataBackup/Linux/backup/ (media/DataBackup/ is external 500GB USB drive) to automatically create new folder with the date and time stamp every day and then to move content of the /home/denis/MyData/ into the new folder with current date stamp. So every day there will be new folder and will contain files for that day only. My script is as follows:

cd /media/DataBackup/Linux/backup/
mkdir MyData_$(date +%Y%b%d_%HH%MM)
#this creates file MyData_current date and time

[code]...

View 3 Replies View Related

Ubuntu Security :: Rkhunter File Properties Changed?

Sep 12, 2010

Rkhunter file properties changed

View 2 Replies View Related

Ubuntu Security :: Changed The Dns On Home Router To Opendns?

Oct 23, 2010

So far I've changed the dns on my home router to Opendns and I've added this What does a dns attack look like? how would i know if my dns was poisoned or if i was under a kaminsky style attack?

View 9 Replies View Related

Ubuntu Security :: Changed From Firestarter To Gufw - Conflicts

Mar 11, 2011

Just want to stealth ports on my laptop. Had problems with firestarter when I installed it on 10.10. Set Firestarter back to defaults and then dumped it with:

Code:
sudo apt-get purge firestarter

Set up Gufw to defaults and now am not sure what I am seeing with iptables.
iptables -L shows .....

Do these settings look correct for default settings for Gufw? or do I still have some problems with the old firestarter settings not being removed. All I want is all ports stealthed. I know that ping is enabled but I believe that is a default setting in ufw. Could I restore iptables to default with:

Code:
sudo iptables -F

and then enable Gufw and set default?

View 5 Replies View Related

OpenSUSE Install :: Zypper Stopped With Checksums Changes?

Dec 17, 2010

I usually install or upgrade using Ctrl + alt + F1 console in init3 mode. Despite this and while using # zypper re && zypper up i notice that often times upgrade is stopped when checksums are changed. Last day 250 packages could not be upgraded because of maybe 5 packages with changed checksums. Sometimes clearing zypper cache with zypper cc does the trick but not all the time it works, I had to force install manually to be able to upgrade. Is it possible that upgrade is not impeded by such changes? If not is it at least possible to have a list of changed checksum packages to be able to remove them or install them manually more easily?

View 1 Replies View Related

Ubuntu :: MD5 Checking On Chown - Computers Have Different Checksums

Jun 29, 2011

I downloaded GNU coreutils and compiled them both identically on two different computers running Ubuntu 10.04.1 LTS. I performed a random audit, MD5 checking on chown, and they both have different checksums. Does anyone know why this has occurred?

View 6 Replies View Related






