
We have both logwatch and AIDE files. We would like to know how to know if any intrusion has taken place, as this server was not active for some time. We have quite a number of these entries in the AIDE files. Does this mean something wrong has taken place?

File /etc/networks in databases has different attributes, 10020021d,20021d
File /etc/dnsmasq.conf in databases has different attributes, 10020021d,20021d
File /etc/exports in databases has different attributes, 340205bbd,240205bbd
File /etc/cgrules.conf in databases has different attributes, 10020021d,20021d
File /etc/autofs_ldap_auth.conf in databases has different attributes, 10020021d,20021d
user132638

1 Answer


AIDE can only point you to files that have changed, but has no way of knowing why these files have changed. It can be an intrusion, but it can also simply be a software update.

You need to go through the list AIDE reports, and for each file find out either why it changed, or what has changed. I would start by looking at a pattern - for instance, if a configuration file and the corresponding binaries and man pages have all been updated, it was likely a software update. Then make sure you account for the software update, because it could have been either an expected software update, or a hacker replacing a package with one that contains a backdoor. Look in yum log files etc. for when the corresponding update happened.

Similarly, open the configuration files and make sure that the values are good (keeping in mind that some hacks are very hard to spot with the naked eye!).

Kevin Keane
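One way to work through the answer's first step, matching each changed file to its owning package and checking whether a logged package update accounts for it, as an added example that is not part of the original answer. The AIDE lines, the yum.log excerpt and the file-to-package map are constructed stand-ins; on a real host the map would come from `rpm -qf`.

```python
import re

# Constructed AIDE report excerpt, in the same shape as the lines in the question.
AIDE_REPORT = """\
File /etc/networks in databases has different attributes, 10020021d,20021d
File /etc/dnsmasq.conf in databases has different attributes, 10020021d,20021d
File /etc/cgrules.conf in databases has different attributes, 10020021d,20021d
"""
# Constructed /var/log/yum.log excerpt ("Mon DD HH:MM:SS Action: name-version-release.arch").
YUM_LOG = """\
Mar 12 03:14:07 Updated: dnsmasq-2.48-13.el6.x86_64
Mar 12 03:14:09 Updated: setup-2.8.14-20.el6_4.1.noarch
"""
# Constructed stand-in for `rpm -qf <path>`; on a real host build this from rpm itself.
FILE_OWNER = {"/etc/networks": "setup", "/etc/dnsmasq.conf": "dnsmasq",
              "/etc/cgrules.conf": "libcgroup"}

AIDE_LINE = re.compile(r"^File (\S+) in databases has different attributes, ([0-9a-f]+),([0-9a-f]+)$")
YUM_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\w+): (\S+)$")

def parse_aide(text):
    """Return [(path, old_attrs, new_attrs)]; AIDE prints the attribute bitmasks in hex."""
    out = []
    for m in filter(None, map(AIDE_LINE.match, text.splitlines())):
        out.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return out

def package_name(nvra):
    """Strip '-version-release.arch' from an rpm NVRA; package names may contain hyphens."""
    return nvra.rsplit("-", 2)[0]

def parse_yum_log(text):
    """Map package name -> [(timestamp, action)] for every entry in yum.log."""
    events = {}
    for m in filter(None, map(YUM_LINE.match, text.splitlines())):
        events.setdefault(package_name(m.group(3)), []).append((m.group(1), m.group(2)))
    return events

def triage(aide_text, yum_text, owners):
    """Per changed file: owning package, which attribute bits differ (old XOR new),
    and whether a logged update for that package exists. Unexplained files need a manual look."""
    events = parse_yum_log(yum_text)
    result = {}
    for path, old, new in parse_aide(aide_text):
        pkg = owners.get(path)
        result[path] = {"package": pkg, "changed_bits": old ^ new,
                        "updates": events.get(pkg, []), "explained": bool(events.get(pkg))}
    return result
```

Calling `triage(AIDE_REPORT, YUM_LOG, FILE_OWNER)` marks /etc/networks and /etc/dnsmasq.conf as explained by the logged updates and leaves /etc/cgrules.conf unexplained, which is the file to open and inspect by hand; an "explained" verdict still only says a package event coincides with the change, not that the package itself was legitimate.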