Hi, I'm using linux-hardened 4.13.6-1 with repo aide-0.16 for starters and I have a problem. I've run a couple of checks since installing AIDE two days ago (nice=19 aide -C) only to be really, really confused and suspect either a deep malware infection or false positives, so I need some help. Below is the relevant section of my aide log which shows some metadata modifications to non-critical files and /root/.bash_history at a time that my system was in the middle of the boot process.
---------------------------------------------------
Changed entries:
---------------------------------------------------
d < ... mcin ..E: /boot
f ... i . : /etc/.updated
f ... i . : /etc/ld.so.cache
f < ... mci.C...: /etc/sudoers
f ... i . : /etc/udev/hwdb.bin
d = ... mc.n ...: /opt
d = ... mc.. ...: /root
f < ... mc..C...: /root/.bash_history
f = ... .c......: /usr/bin/clamd
f = ... .c......: /usr/bin/clamscan
f = ... .c......: /usr/bin/freshclam
f = ... .c......: /usr/bin/gdk-pixbuf-query-loaders
f = ... .c......: /usr/bin/grub-bios-setup
f = ... .c......: /usr/bin/grub-probe
f = ... .c......: /usr/bin/grub-script-check
f = ... .c......: /usr/bin/gtk-query-immodules-2.0
f = ... .c......: /usr/bin/gtk-query-immodules-3.0
f = ... .c......: /usr/bin/js17
f = ... .c......: /usr/bin/js24
f = ... .c......: /usr/bin/kdeinit4
f = ... .c......: /usr/bin/knotify4
f = ... .c......: /usr/bin/make
f = ... .c......: /usr/bin/p11-kit
f = ... .c......: /usr/bin/python2.7
f = ... .c......: /usr/bin/python3.6
f = ... .c......: /usr/bin/python3.6m
f = ... .c......: /usr/bin/trust
f = ... .c......: /usr/bin/vlc
f = ... .c......: /usr/lib/chromium/chromium
f = ... .c......: /usr/lib/gstreamer-1.0/gst-plugin-scanner
f = ... .c......: /usr/lib/p7zip/7z
f = ... .c......: /usr/lib/p7zip/7za
f = ... .c......: /usr/lib/p7zip/7zr
f = ... .c......: /usr/lib/polkit-1/polkitd
f = ... .c......: /usr/lib/qt4/bin/designer
---------------------------------------------------
Detailed information about changes:
---------------------------------------------------
Directory: /boot
Size : 4096 | 0
Mtime : 2017-10-12 23:03:52 +0000 | 2016-02-25 01:15:40 +0000
Ctime : 2017-10-12 23:03:52 +0000 | 2016-06-28 23:25:01 +0000
Inode : 2 | 1915
Linkcount: 7 | 1
E2FSAttrs: -----------------e--- | ---------------------
File: /etc/.updated
Inode : 17793 | 17851
File: /etc/ld.so.cache
Inode : 17842 | 17850
File: /etc/sudoers
Size : 3964 | 3939
Mtime : 2017-10-14 23:17:14 +0000 | 2017-10-15 02:08:09 +0000
Ctime : 2017-10-14 23:17:14 +0000 | 2017-10-15 02:08:09 +0000
Inode : 17846 | 17848
MD5 : C8ujBIZ3b5GkycvgBPuHeQ== | QYyVtZAUxGKxiHZemorL1Q==
RMD160 : dFrZY/FRJik/9rsemaUpAFcZ828= | vH6Me6LiH12QG70OieKWzR9b8g8=
SHA256 : lG7hg31GtQEpj9hQUNhvapWLcWueWac3 | vwTSO+c7TURarckvGyhwsBvGfXUTI7zE
4FlbQM58A2E= | O7eyMlEVErc=
File: /etc/udev/hwdb.bin
Inode : 17791 | 17849
Directory: /opt
Mtime : 2016-07-02 03:52:39 +0000 | 2017-10-15 05:29:20 +0000
Ctime : 2016-07-02 03:52:39 +0000 | 2017-10-15 05:29:20 +0000
Linkcount: 14 | 13
Directory: /root
Mtime : 2017-10-14 23:19:57 +0000 | 2017-10-16 06:11:33 +0000
Ctime : 2017-10-14 23:19:57 +0000 | 2017-10-16 06:11:33 +0000
File: /root/.bash_history
Size : 9348 | 7598
Mtime : 2017-10-14 23:19:57 +0000 | 2017-10-16 06:11:33 +0000
Ctime : 2017-10-15 00:05:56 +0000 | 2017-10-16 22:21:59 +0000
MD5 : E4OcT3MUGNhvzzjYhXkr/Q== | T5MxcWy8N/uG5YBi08HSIA==
RMD160 : UkZ5HOvktEseLzo9WX77d8V/3jw= | qLNygBm8ttT4JfJpjR4H8bocFIw=
SHA256 : fi2piRNP2EN5TSZ9BKX4V3DY1T6wKbs0 | FMeXzJauvVMGhj4UnWdqy+F84qLSTcw6
92h7wJF/Ycw= | ftstjg3wkvs=
File: /usr/bin/clamd
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/clamscan
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/freshclam
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/gdk-pixbuf-query-loaders
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/grub-bios-setup
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/grub-probe
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/grub-script-check
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/gtk-query-immodules-2.0
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/gtk-query-immodules-3.0
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/js17
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/js24
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/kdeinit4
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/knotify4
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/make
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:24 +0000
File: /usr/bin/p11-kit
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/python2.7
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/python3.6
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/python3.6m
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/trust
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/bin/vlc
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/lib/chromium/chromium
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/lib/gstreamer-1.0/gst-plugin-scanner
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/lib/p7zip/7z
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/lib/p7zip/7za
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/lib/p7zip/7zr
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/lib/polkit-1/polkitd
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
File: /usr/lib/qt4/bin/designer
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
---------------------------------------------------
And here's my aide.conf in case that's needed:
# Example configuration file for AIDE.
#
@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide
# The location of the database to be read.
database=file:@@{DBDIR}/aide.db.gz
# The location of the database to be written.
#database_out=sql:host:port:database:login_name:passwd:table
#database_out=file:aide.db.new
database_out=file:@@{DBDIR}/aide.db.new.gz
# Whether to gzip the output to database
gzip_dbout=yes
# Default.
verbose=5
report_url=file:@@{LOGDIR}/aide.log
report_url=stdout
#report_url=stderr
#
# Here are all the attributes we can check
#p: permissions
#i: inode
#n: number of links
#l: link name
#u: user
#g: group
#s: size
###b: block count
#m: mtime
#a: atime
#c: ctime
#S: check for growing size
#I: ignore changed filename
#ANF: allow new files
#ARF: allow removed files
#
# Here are all the digests we can use
#md5: md5 checksum
#sha1: sha1 checksum
#sha256: sha256 checksum
#sha512: sha512 checksum
#rmd160: rmd160 checksum
#tiger: tiger checksum
#haval: haval checksum
#crc32: crc32 checksum
#gost: gost checksum
#whirlpool: whirlpool checksum
# These are the default rules
#R: p+i+l+n+u+g+s+m+c+md5
#L: p+i+l+n+u+g
#E: Empty group
#>: Growing logfile p+l+u+g+i+n+S
# You can create custom rules - my home made rule definition goes like this
ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
#ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
# Everything but access time (i.e. all changes)
EVERYTHING = R+ALLXTRAHASHES
# Sane, with multiple hashes
# NORMAL = R+rmd160+sha256+whirlpool
NORMAL = R+rmd160+sha256
# For directories, don't bother doing hashes
DIR = p+i+n+u+g+acl+xattrs
# Access control only
PERMS = p+i+u+g+acl
# Logfiles are special, in that they often change
LOG = >
# Just do md5 and sha256 hashes
LSPP = R+sha256
# Some files get updated automatically, so the inode/ctime/mtime change
# but we want to know when the data inside them changes
DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
# Next decide what directories/files you want in the database.
/boot NORMAL
/bin NORMAL
/sbin NORMAL
/lib NORMAL
/lib64 NORMAL
/opt NORMAL
/usr NORMAL
/root NORMAL
# These are too volatile
!/usr/src
!/usr/tmp
# AIDE crashes checking .go files
!/lib/guile/2.2
!/lib/guile/2.0
!/usr/lib/guile/2.2
!/usr/lib/guile/2.0
!/usr/lib/gcc/x86_64-pc-linux-gnu/7.2.0/plugin/include/objc
# Check only permissions, inode, user and group for /etc, but
# cover some important files closely.
/etc PERMS
!/etc/mtab
# Ignore backup files
!/etc/.*~
/etc/exports NORMAL
/etc/fstab NORMAL
/etc/passwd NORMAL
/etc/group NORMAL
/etc/gshadow NORMAL
/etc/shadow NORMAL
/etc/security/opasswd NORMAL
/etc/hosts.allow NORMAL
/etc/hosts.deny NORMAL
/etc/sudoers NORMAL
/etc/skel NORMAL
/etc/logrotate.d NORMAL
/etc/resolv.conf DATAONLY
/etc/nscd.conf NORMAL
/etc/securetty NORMAL
# Shell/X starting files
/etc/profile NORMAL
/etc/bashrc NORMAL
/etc/bash_completion.d/ NORMAL
/etc/login.defs NORMAL
/etc/zprofile NORMAL
/etc/zshrc NORMAL
/etc/zlogin NORMAL
/etc/zlogout NORMAL
/etc/profile.d/ NORMAL
/etc/X11/ NORMAL
# Ignore logs
!/var/lib/pacman/.*
!/var/cache/.*
!/var/log/.*
!/var/run/.*
!/var/spool/.*
I can explain away some of those entries because, since my AIDE database was initialised, I've removed a whole directory of source code from /opt, tightened my sudoers file, and unmounted /boot - I rarely ever have it mounted during the usual running of my system, as it resides on a USB drive. The files in the /usr directory are what really concern me. Now, from what I understand of ctime, it changes when file metadata changes (ownership, access rights, inode, etc.); however, I'm not seeing that any of those have changed concurrently. If any change with it should truly be concerning, I'd imagine mtime would signify an underlying file change on disk, but that hasn't changed either.
I haven't run fsck yet, mhash and aide were the last things I installed according to my pacman.log, and to the best of my knowledge the system time has not manually been altered either.
Rkhunter shows nothing out of the ordinary, nor does a clamscan of the /usr folder.
I've been trying to figure this out for the past >24 hours now, and would greatly appreciate being able to put the issue to rest.
Last edited by RickDeckard (2017-10-19 01:47:44)
Please use code, not quote tags: https://wiki.archlinux.org/index.php/Co … s_and_code
Gotcha. Fixed, sorry about that.
I think I've found the answer to my problem. The file ctime coincides with paxd running at boot and applying flags on all the files in question.
I forgot to remove paxd after migrating from linux-grsec. *facepalm*
If doing so removes the ctime warnings, I'll be happy to mark this as solved.
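Added example for this thread (not AIDE's code and not from the posters): a small parser for the "Detailed information about changes" section of an AIDE 0.16 report that splits entries into real content changes (size, mtime or digest differ), inode-only changes, and ctime-only changes like the /usr entries above, which is the pattern a tool such as paxd rewriting attributes at boot leaves behind. It assumes the report layout shown in the first post, including digests wrapped onto a continuation line; the sample block is an excerpt of that log.

```python
"""Sort AIDE 'Detailed information about changes' entries by what actually changed."""
import re

# Attributes whose change means the data on disk (or the file's size/mtime) moved.
CONTENT_ATTRS = {"Size", "Mtime", "MD5", "SHA1", "RMD160", "SHA256", "SHA512"}

HEADER = re.compile(r"^(File|Directory): (.+)$")
ATTR = re.compile(r"^(\w+)\s*:\s*(.*?)\s*\|\s*(.*)$")


def parse_detail(text):
    """Return {path: {attr: (old, new)}} from an AIDE detailed-changes block."""
    entries, path, attr = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            path, attr = m.group(2), None
            entries[path] = {}
            continue
        m = ATTR.match(line)
        if m and path is not None:
            attr = m.group(1)
            entries[path][attr] = (m.group(2), m.group(3))
        elif "|" in line and path is not None and attr is not None:
            # AIDE wraps long digests; glue the continuation onto the previous attribute.
            old, new = entries[path][attr]
            cont_old, cont_new = (s.strip() for s in line.split("|", 1))
            entries[path][attr] = (old + cont_old, new + cont_new)
    return entries


def classify(changes):
    """Label one entry by the strongest signal present in its changed attributes."""
    attrs = set(changes)
    if attrs & CONTENT_ATTRS:
        return "content"        # data or mtime changed: inspect the file
    if attrs == {"Inode"}:
        return "inode-only"     # file rewritten in place; data not covered by the rule
    if attrs == {"Ctime"}:
        return "ctime-only"     # attrs/xattrs/flags touched, data untouched
    return "other"


def summarize(text):
    """Map every path in the report to its classification."""
    return {path: classify(changes) for path, changes in parse_detail(text).items()}


# Excerpt of the report posted above (constructed from the thread's own log lines).
SAMPLE = """\
File: /etc/ld.so.cache
Inode : 17842 | 17850
File: /etc/sudoers
Size : 3964 | 3939
Mtime : 2017-10-14 23:17:14 +0000 | 2017-10-15 02:08:09 +0000
Ctime : 2017-10-14 23:17:14 +0000 | 2017-10-15 02:08:09 +0000
Inode : 17846 | 17848
SHA256 : lG7hg31GtQEpj9hQUNhvapWLcWueWac3 | vwTSO+c7TURarckvGyhwsBvGfXUTI7zE
4FlbQM58A2E= | O7eyMlEVErc=
File: /usr/bin/clamd
Ctime : 2017-10-14 21:50:27 +0000 | 2017-10-16 22:20:25 +0000
"""

if __name__ == "__main__":
    for path, label in summarize(SAMPLE).items():
        print(f"{label:11s} {path}")
```

Ctime-only entries still deserve a look at the file's xattrs and e2fs flags (getfattr -d, lsattr) to confirm which attribute was rewritten, since AIDE only reports ctime when the rule does not include xattrs or e2fsattrs.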