
Inode numbers of system command files have changed



I have Debian lenny on a VDS (18th kernel, Virtuozzo virtualization).
The following question has come up.
rkhunter detected that the inode numbers of system commands on the VDS
have changed (see log-1).
As far as I know I did nothing on my side; in the 24 hours when the
problem appeared, only the security updates for tshark and
wireshark-common were installed, and that should not have changed the
inode numbers of other system commands, should it? (Usually this happens
when the packages that contain these system command files are updated.)
I should say that there was a binutils update at the end of August, and
on my desktop I have the same situation with size and string, but there
the reason is clear.
On the VDS, however, for some reason that update is not in the apt logs,
and besides, the commands there belong to coreutils and other packages
as well.
Judging by the logs there seems to be nothing criminal, but if someone
installed a rootkit, he would probably wipe them.
unhide sys finds a bunch of hidden processes.
How can I reliably check what they belong to and why the inode numbers
changed?
Warning: The file properties have changed:
         File: /bin/bash
         Current inode: 1297223    Stored inode: 2594446
Warning: The file properties have changed:
         File: /bin/cat
         Current inode: 1297207    Stored inode: 2594414
Warning: The file properties have changed:
         File: /bin/chmod
         Current inode: 1297184    Stored inode: 2594368
Warning: The file properties have changed:
         File: /bin/chown
         Current inode: 1297182    Stored inode: 2594364
Warning: The file properties have changed:
         File: /bin/cp
         Current inode: 1297206    Stored inode: 2594412
Warning: The file properties have changed:
         File: /bin/csh
         Current inode: 1296846    Stored inode: 2593692
Warning: The file properties have changed:
         File: /bin/date
         Current inode: 1297187    Stored inode: 2594374
Warning: The file properties have changed:
         File: /bin/df
         Current inode: 1297190    Stored inode: 2594380
Warning: The file properties have changed:
         File: /bin/dmesg
         Current inode: 1297211    Stored inode: 2594422
Warning: The file properties have changed:
         File: /bin/echo
         Current inode: 1297172    Stored inode: 2594344
Warning: The file properties have changed:
         File: /bin/ed
         Current inode: 1297197    Stored inode: 2594394
Warning: The file properties have changed:
         File: /bin/egrep
         Current inode: 1297221    Stored inode: 2594442
Warning: The file properties have changed:
         File: /bin/fgrep
         Current inode: 1297228    Stored inode: 2594456
Warning: The file properties have changed:
         File: /bin/fuser
         Current inode: 1297180    Stored inode: 2594360
Warning: The file properties have changed:
         File: /bin/grep
         Current inode: 1297216    Stored inode: 2594432
Warning: The file properties have changed:
         File: /bin/ip
         Current inode: 1297175    Stored inode: 2594350
Warning: The file properties have changed:
         File: /bin/kill
         Current inode: 1297176    Stored inode: 2594352
Warning: The file properties have changed:
         File: /bin/login
         Current inode: 1297255    Stored inode: 2594510
Warning: The file properties have changed:
         File: /bin/ls
         Current inode: 1297247    Stored inode: 2594494
Warning: The file properties have changed:
         File: /bin/lsmod
         Current inode: 1297252    Stored inode: 2594504
Warning: The file properties have changed:
         File: /bin/mktemp
         Current inode: 1297241    Stored inode: 2594482
Warning: The file properties have changed:
         File: /bin/more
         Current inode: 1297196    Stored inode: 2594392
Warning: The file properties have changed:
         File: /bin/mount
         Current inode: 1297188    Stored inode: 2594376
Warning: The file properties have changed:
         File: /bin/mv
         Current inode: 1297242    Stored inode: 2594484
Warning: The file properties have changed:
         File: /bin/netstat
         Current inode: 1297231    Stored inode: 2594462
Warning: The file properties have changed:
         File: /bin/ps
         Current inode: 1297230    Stored inode: 2594460
Warning: The file properties have changed:
         File: /bin/pwd
         Current inode: 1297210    Stored inode: 2594420
Warning: The file properties have changed:
         File: /bin/readlink
         Current inode: 1297213    Stored inode: 2594426
Warning: The file properties have changed:
         File: /bin/sed
         Current inode: 1297218    Stored inode: 2594436
Warning: The file properties have changed:
         File: /bin/sh
         Current inode: 1297217    Stored inode: 2594434
Warning: The file properties have changed:
         File: /bin/su
         Current inode: 1297208    Stored inode: 2594416
Warning: The file properties have changed:
         File: /bin/touch
         Current inode: 1297185    Stored inode: 2594370
Warning: The file properties have changed:
         File: /bin/uname
         Current inode: 1297199    Stored inode: 2594398
Warning: The file properties have changed:
         File: /bin/which
         Current inode: 1297246    Stored inode: 2594492
Warning: The file properties have changed:
         File: /bin/tcsh
         Current inode: 1297235    Stored inode: 2594470
Warning: The file properties have changed:
         File: /usr/bin/awk
         Current inode: 1655623    Stored inode: 3311246
Warning: The file properties have changed:
         File: /usr/bin/basename
         Current inode: 1658664    Stored inode: 3317328
Warning: The file properties have changed:
         File: /usr/bin/chattr
         Current inode: 1658810    Stored inode: 3317620
Warning: The file properties have changed:
         File: /usr/bin/cut
         Current inode: 1658385    Stored inode: 3316770
Warning: The file properties have changed:
         File: /usr/bin/diff
         Current inode: 1658630    Stored inode: 3317260
Warning: The file properties have changed:
         File: /usr/bin/dirname
         Current inode: 1658619    Stored inode: 3317238
Warning: The file properties have changed:
         File: /usr/bin/dpkg
         Current inode: 1658463    Stored inode: 3316926
Warning: The file properties have changed:
         File: /usr/bin/dpkg-query
         Current inode: 1658714    Stored inode: 3317428
Warning: The file properties have changed:
         File: /usr/bin/du
         Current inode: 1658639    Stored inode: 3317278
Warning: The file properties have changed:
         File: /usr/bin/env
         Current inode: 1658304    Stored inode: 3316608
Warning: The file properties have changed:
         File: /usr/bin/file
         Current inode: 1658322    Stored inode: 3316644
Warning: The file properties have changed:
         File: /usr/bin/find
         Current inode: 1658466    Stored inode: 3316932
Warning: The file properties have changed:
         File: /usr/bin/GET
         Current inode: 1658826    Stored inode: 3317652
Warning: The file properties have changed:
         File: /usr/bin/groups
         Current inode: 1658372    Stored inode: 3316744
Warning: The file properties have changed:
         File: /usr/bin/head
         Current inode: 1658418    Stored inode: 3316836
Warning: The file properties have changed:
         File: /usr/bin/id
         Current inode: 1658765    Stored inode: 3317530
Warning: The file properties have changed:
         File: /usr/bin/killall
         Current inode: 1658395    Stored inode: 3316790
Warning: The file properties have changed:
         File: /usr/bin/last
         Current inode: 1658363    Stored inode: 3316726
Warning: The file properties have changed:
         File: /usr/bin/lastlog
         Current inode: 1658334    Stored inode: 3316668
Warning: The file properties have changed:
         File: /usr/bin/ldd
         Current inode: 1659800    Stored inode: 3319600
Warning: The file properties have changed:
         File: /usr/bin/less
         Current inode: 1658757    Stored inode: 3317514
Warning: The file properties have changed:
         File: /usr/bin/logger
         Current inode: 1658663    Stored inode: 3317326
Warning: The file properties have changed:
         File: /usr/bin/lsattr
         Current inode: 1658572    Stored inode: 3317144
Warning: The file properties have changed:
         File: /usr/bin/lsof
         Current inode: 1658865    Stored inode: 3317730
Warning: The file properties have changed:
         File: /usr/bin/lynx
         Current inode: 1655656    Stored inode: 3311312
Warning: The file properties have changed:
         File: /usr/bin/mail
         Current inode: 1655640    Stored inode: 3311280
Warning: The file properties have changed:
         File: /usr/bin/md5sum
         Current inode: 1658453    Stored inode: 3316906
Warning: The file properties have changed:
         File: /usr/bin/newgrp
         Current inode: 1658451    Stored inode: 3316902
Warning: The file properties have changed:
         File: /usr/bin/passwd
         Current inode: 1658901    Stored inode: 3317802
Warning: The file properties have changed:
         File: /usr/bin/perl
         Current inode: 1658715    Stored inode: 3317430
Warning: The file properties have changed:
         File: /usr/bin/pstree
         Current inode: 1658565    Stored inode: 3317130
Warning: The file properties have changed:
         File: /usr/bin/rkhunter
         Current inode: 1660745    Stored inode: 3321490
Warning: The file properties have changed:
         File: /usr/bin/runcon
         Current inode: 1658401    Stored inode: 3316802
Warning: The file properties have changed:
         File: /usr/bin/sha1sum
         Current inode: 1658864    Stored inode: 3317728
Warning: The file properties have changed:
         File: /usr/bin/size
         Current inode: 1658566    Stored inode: 3317132
Warning: The file properties have changed:
         File: /usr/bin/sort
         Current inode: 1658499    Stored inode: 3316998
Warning: The file properties have changed:
         File: /usr/bin/stat
         Current inode: 1658449    Stored inode: 3316898
Warning: The file properties have changed:
         File: /usr/bin/strings
         Current inode: 1658487    Stored inode: 3316974
Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current inode: 1660462    Stored inode: 3320924
Warning: The file properties have changed:
         File: /usr/bin/tail
         Current inode: 1658838    Stored inode: 3317676
Warning: The file properties have changed:
         File: /usr/bin/test
         Current inode: 1658370    Stored inode: 3316740
Warning: The file properties have changed:
         File: /usr/bin/top
         Current inode: 1658778    Stored inode: 3317556
Warning: The file properties have changed:
         File: /usr/bin/touch
         Current inode: 1658516    Stored inode: 3317032
Warning: The file properties have changed:
         File: /usr/bin/tr
         Current inode: 1658808    Stored inode: 3317616
Warning: The file properties have changed:
         File: /usr/bin/uniq
         Current inode: 1658343    Stored inode: 3316686
Warning: The file properties have changed:
         File: /usr/bin/users
         Current inode: 1658652    Stored inode: 3317304
Warning: The file properties have changed:
         File: /usr/bin/vmstat
         Current inode: 1658795    Stored inode: 3317590
Warning: The file properties have changed:
         File: /usr/bin/w
         Current inode: 1655661    Stored inode: 3311322
Warning: The file properties have changed:
         File: /usr/bin/watch
         Current inode: 1658346    Stored inode: 3316692
Warning: The file properties have changed:
         File: /usr/bin/wc
         Current inode: 1658786    Stored inode: 3317572
Warning: The file properties have changed:
         File: /usr/bin/wget
         Current inode: 1658297    Stored inode: 3316594
Warning: The file properties have changed:
         File: /usr/bin/whatis
         Current inode: 1658677    Stored inode: 3317354
Warning: The file properties have changed:
         File: /usr/bin/whereis
         Current inode: 1658357    Stored inode: 3316714
Warning: The file properties have changed:
         File: /usr/bin/which
         Current inode: 1658610    Stored inode: 3317220
Warning: The file properties have changed:
         File: /usr/bin/who
         Current inode: 1658678    Stored inode: 3317356
Warning: The file properties have changed:
         File: /usr/bin/whoami
         Current inode: 1658571    Stored inode: 3317142
Warning: The file properties have changed:
         File: /usr/bin/tcsh
         Current inode: 1658885    Stored inode: 3317770
Warning: The file properties have changed:
         File: /usr/bin/gawk
         Current inode: 1658829    Stored inode: 3317658
Warning: The file properties have changed:
         File: /usr/bin/lwp-request
         Current inode: 1658437    Stored inode: 3316874
Warning: The file properties have changed:
         File: /usr/bin/lynx.cur
         Current inode: 1658482    Stored inode: 3316964
Warning: The file properties have changed:
         File: /usr/bin/bsd-mailx
         Current inode: 1658342    Stored inode: 3316684
Warning: The file properties have changed:
         File: /usr/bin/w.procps
         Current inode: 1658408    Stored inode: 3316816
Warning: The file properties have changed:
         File: /sbin/depmod
         Current inode: 1297274    Stored inode: 2594548
Warning: The file properties have changed:
         File: /sbin/ifconfig
         Current inode: 1297344    Stored inode: 2594688
Warning: The file properties have changed:
         File: /sbin/ifdown
         Current inode: 1297326    Stored inode: 2594652
Warning: The file properties have changed:
         File: /sbin/ifup
         Current inode: 1297369    Stored inode: 2594738
Warning: The file properties have changed:
         File: /sbin/init
         Current inode: 1297364    Stored inode: 2594728
Warning: The file properties have changed:
         File: /sbin/insmod
         Current inode: 1297294    Stored inode: 2594588
Warning: The file properties have changed:
         File: /sbin/ip
         Current inode: 1297271    Stored inode: 2594542
Warning: The file properties have changed:
         File: /sbin/lsmod
         Current inode: 1297368    Stored inode: 2594736
Warning: The file properties have changed:
         File: /sbin/modinfo
         Current inode: 1297371    Stored inode: 2594742
Warning: The file properties have changed:
         File: /sbin/modprobe
         Current inode: 1297378    Stored inode: 2594756
Warning: The file properties have changed:
         File: /sbin/rmmod
         Current inode: 1297298    Stored inode: 2594596
Warning: The file properties have changed:
         File: /sbin/runlevel
         Current inode: 1297308    Stored inode: 2594616
Warning: The file properties have changed:
         File: /sbin/sulogin
         Current inode: 1297285    Stored inode: 2594570
Warning: The file properties have changed:
         File: /sbin/sysctl
         Current inode: 1297317    Stored inode: 2594634
Warning: The file properties have changed:
         File: /sbin/syslogd
         Current inode: 1297323    Stored inode: 2594646
Warning: The file properties have changed:
         File: /usr/sbin/adduser
         Current inode: 1430232    Stored inode: 2860464
Warning: The file properties have changed:
         File: /usr/sbin/chroot
         Current inode: 1430225    Stored inode: 2860450
Warning: The file properties have changed:
         File: /usr/sbin/cron
         Current inode: 1430291    Stored inode: 2860582
Warning: The file properties have changed:
         File: /usr/sbin/groupadd
         Current inode: 1430321    Stored inode: 2860642
Warning: The file properties have changed:
         File: /usr/sbin/groupdel
         Current inode: 1430318    Stored inode: 2860636
Warning: The file properties have changed:
         File: /usr/sbin/groupmod
         Current inode: 1430341    Stored inode: 2860682
Warning: The file properties have changed:
         File: /usr/sbin/grpck
         Current inode: 1430229    Stored inode: 2860458
Warning: The file properties have changed:
         File: /usr/sbin/nologin
         Current inode: 1430359    Stored inode: 2860718
Warning: The file properties have changed:
         File: /usr/sbin/pwck
         Current inode: 1430361    Stored inode: 2860722
Warning: The file properties have changed:
         File: /usr/sbin/tcpd
         Current inode: 1430276    Stored inode: 2860552
Warning: The file '/usr/sbin/unhide' exists on the system, but it is not present in the rkhunter.dat file.
Warning: The file properties have changed:
         File: /usr/sbin/useradd
         Current inode: 1430266    Stored inode: 2860532
Warning: The file properties have changed:
         File: /usr/sbin/userdel
         Current inode: 1430285    Stored inode: 2860570
Warning: The file properties have changed:
         File: /usr/sbin/usermod
         Current inode: 1430258    Stored inode: 2860516
Warning: The file properties have changed:
         File: /usr/sbin/vipw
         Current inode: 1430364    Stored inode: 2860728
Warning: The file properties have changed:
         File: /usr/sbin/xinetd
         Current inode: 1430337    Stored inode: 2860674
Warning: The file '/usr/sbin/unhide-linux26' exists on the system, but it is not present in the rkhunter.dat file.
Warning: Found enabled xinetd service: /etc/xinetd.d/ftp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/poppassd_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtp_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/smtps_psa
Warning: Found enabled xinetd service: /etc/xinetd.d/submission_psa
Warning: No output found from the lsmod command or the /proc/modules file:
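
An added example (not part of the original post and not rkhunter's own code): it parses rkhunter's "file properties have changed" warnings and checks whether stored and current inode numbers follow one uniform relation; in the entries sampled here the stored inode is exactly twice the current one. A relation shared by every file points at a renumbering of the whole filesystem, a file that breaks the pattern is the one to verify first, and neither result says anything about file contents, which still need a checksum comparison. The function names and the `/bin/example` entry are assumptions made for the illustration.

```python
import re
from collections import Counter
from fractions import Fraction

# Four entries copied from the log above, plus one CONSTRUCTED outlier
# (/bin/example) that does not appear in the original post.
SAMPLE_LOG = """\
Warning: The file properties have changed:
         File: /bin/bash
         Current inode: 1297223    Stored inode: 2594446
Warning: The file properties have changed:
         File: /bin/login
         Current inode: 1297255    Stored inode: 2594510
Warning: The file properties have changed:
         File: /usr/bin/sudo
         Current inode: 1660462    Stored inode: 3320924
Warning: The file properties have changed:
         File: /usr/sbin/cron
         Current inode: 1430291    Stored inode: 2860582
Warning: The file properties have changed:
         File: /bin/example
         Current inode: 1297500    Stored inode: 2594123
"""

FILE_RE = re.compile(r"^\s*File:\s*(\S+)")
INODE_RE = re.compile(r"Current inode:\s*(\d+)\s+Stored inode:\s*(\d+)")

def parse_inode_changes(text):
    """Return [(path, current_inode, stored_inode)] from rkhunter warnings."""
    changes, path = [], None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            path = m.group(1)
            continue
        m = INODE_RE.search(line)
        if m and path:  # blank or unrelated lines in between are skipped
            changes.append((path, int(m.group(1)), int(m.group(2))))
            path = None
    return changes

def uniform_relation(changes):
    """Return (dominant stored/current ratio, its share, outlier paths)."""
    ratios = Counter(Fraction(stored, cur) for _, cur, stored in changes)
    ratio, hits = ratios.most_common(1)[0]
    outliers = [p for p, cur, stored in changes if Fraction(stored, cur) != ratio]
    return ratio, hits / len(changes), outliers

if __name__ == "__main__":
    ratio, share, outliers = uniform_relation(parse_inode_changes(SAMPLE_LOG))
    print(f"dominant stored/current ratio: {ratio} ({share:.0%} of files)")
    for path in outliers:
        print("does not fit the pattern, verify first:", path)
```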
