Angriff auf Server?

[evilox]

Hallo rkhunter hat mir folgende Meldung gegeben:

Code: Select all

Warning: The file properties have changed:
        File: /bin/ip
        Current inode: 236173    Stored inode: 236209
        Current file modification time: 1215618519
        Stored file modification time : 1207985171
Warning: The file properties have changed:
        File: /bin/kill
        Current hash: 5f85ce91eafbd85f79441f71ecad0f0db722c1bf
        Stored hash : 18e7cde8dfbeac32608ae47f857d2b168cfc72cb
        Current inode: 236209    Stored inode: 236211
        Current file modification time: 1215682114
        Stored file modification time : 1205447087
Warning: The file properties have changed:
        File: /bin/ps
        Current hash: 62c7d1839f644c5dfb6179015e7e3017ac6a6afa
        Stored hash : 7cbcd8aa6df2ffbfbe783ae7fe7d1ea5a790ed81
        Current inode: 236228    Stored inode: 236232
        Current file modification time: 1215682114
        Stored file modification time : 1205447087
Warning: The file properties have changed:
        File: /usr/bin/top
        Current hash: 44a0ffadc915dbfee905ddf267eec4d4a00ddc0a
        Stored hash : 2bdb1ac9ff1361716edf86da5946e7bd3facd39e
        Current inode: 315224    Stored inode: 315291
        Current file modification time: 1215682114
        Stored file modification time : 1205447087
Warning: The file properties have changed:
        File: /usr/bin/vmstat
        Current hash: d1cd4f460631b3da1d1591d21cce213fff21bfcf
        Stored hash : 202013298ba7b465c485db690c81b51a094b2484
        Current inode: 315225    Stored inode: 315318
        Current file modification time: 1215682114
        Stored file modification time : 1205447087
Warning: The file properties have changed:
        File: /usr/bin/w
        Current hash: fb2819df7d1c7a261311a105100fcae1333b71e7
        Stored hash : 1afb9e68b386be6926900bf05585f9d8fff4ecf2
Warning: The file properties have changed:
        File: /usr/bin/watch
        Current hash: 11794147771ea0c82010a929013d620ab555f067
        Stored hash : 4c674887699b7866e1325b190bcf40183e439b5d
        Current inode: 315557    Stored inode: 315322
        Current file modification time: 1215682114
        Stored file modification time : 1205447087
Warning: The file properties have changed:
        File: /usr/bin/w.procps
        Current hash: fb2819df7d1c7a261311a105100fcae1333b71e7
        Stored hash : 1afb9e68b386be6926900bf05585f9d8fff4ecf2
        Current inode: 315563    Stored inode: 315321
        Current file modification time: 1215682114
        Stored file modification time : 1205447087
Warning: The file properties have changed:
        File: /sbin/ip
        Current inode: 47548    Stored inode: 47238
        Current file modification time: 1217979657
        Stored file modification time : 1216198347
Warning: The file properties have changed:
        File: /sbin/sysctl
        Current hash: 766ec5bbeaff6678203d5e78b2b173a5026c8870
        Stored hash : d212033ab99f586e64725af5770d0eaeed172ffe
        Current inode: 47238    Stored inode: 47350
        Current file modification time: 1215682114
        Stored file modification time : 1205447087
Warning: The modules file '/proc/modules' is missing.
Warning: The kernel module directory '/lib/modules/2.6.24.5-grsec-xxxx-grs-ipv4-32' is missing.
Warning: Hidden directory found: /dev/.udev
Warning: Hidden directory found: /dev/.static
Warning: Hidden directory found: /dev/.static/dev/.initramfs
Warning: Hidden directory found: /dev/.static/dev/.static
Warning: Hidden directory found: /dev/.static/dev/.udev

Wurde mein Server kompromittiert? Oder kann das vom Update kommen?

[Roger Wilco]

Wurde mein Server kompromittiert? Oder kann das vom Update kommen?

Beides ist möglich. Du solltest die beanstandeten Dateien mit denen der offiziellen Distributionspakete vergleichen. Die meisten Paketmanager bieten hierfür Automatismen an.

[evilox]

Das ist eine gute Idee, warum bin ich da nicht selbst drauf gekommen...? ;)