  #1  
Old 6th February 2009, 12:17 AM
newhelpeeps Offline
Registered User
 
Join Date: Jan 2009
Posts: 34
Something changed my files times

Does anyone know what process could've automatically run that would've made these changes? I am fairly sure it was not an intruder since only one port to the outside is even open, but what would've been running for 6 minutes or so that might've made these changes? I was thinking some kind of disk check maybe?

Directory: /usr/bin
Mtime : 2009-02-03 04:03:40 , 2009-02-04 05:34:32
Ctime : 2009-02-03 04:03:40 , 2009-02-04 05:34:32

Directory: /usr/sbin
Mtime : 2009-02-04 04:02:51 , 2009-02-04 05:34:32
Ctime : 2009-02-04 04:02:51 , 2009-02-04 05:34:32

Directory: /root
Mtime : 2009-02-01 06:42:15 , 2009-02-04 05:40:58
Ctime : 2009-02-01 06:42:15 , 2009-02-04 05:40:58

Directory: /root/.gconfd
Mtime : 2009-02-01 06:42:15 , 2009-02-04 05:40:58
Ctime : 2009-02-01 06:42:15 , 2009-02-04 05:40:58

File: /root/.gconfd/saved_state
Mtime : 2009-02-01 06:42:15 , 2009-02-04 05:40:58
Ctime : 2009-02-01 06:42:15 , 2009-02-04 05:40:58
Inode : 139292 , 139458
MD5 : 4GBNxlETFZY2CLLMsr7l1g== , 3kTpPy6beLFUIWZR8++NUw==
SHA1 : kK2PvexoXay0b1M1XMYR2ruApdo= , 2GVI5SJsATMJgzIFtAja2mq5sHw=
SELinux : system_u:object_r:admin_home_t:s0, unconfined_u:object_r:admin_home_t:s0

File: /root/.dbus/session-bus/1b43bda05be47e30791f82ae496b858c-2
Size : 467 , 46
Mtime : 2009-02-01 06:14:16 , 2009-02-04 05:30:02
Ctime : 2009-02-01 06:14:16 , 2009-02-04 05:30:02
MD5 : FiLMsDY/CzHTYCkdopOe/g== , w17IhLdv2XD1Umik4IPL9w==
SHA1 : vbVuK7SE0CbAflc5FbLTd3vDzi4= , DXTvd3mJ7oE1auxdEPmP0qupBP0=


Directory: /root/.gconf
Mtime : 2009-02-01 06:14:16 , 2009-02-04 05:30:02
Ctime : 2009-02-01 06:14:16 , 2009-02-04 05:30:02

Directory: /bin
Mtime : 2009-02-01 06:17:47 , 2009-02-04 05:34:32
Ctime : 2009-02-01 06:17:47 , 2009-02-04 05:34:32

Directory: /sbin
Mtime : 2009-02-03 04:03:21 , 2009-02-04 05:34:32
Ctime : 2009-02-03 04:03:21 , 2009-02-04 05:34:32

Directory: /lib
Mtime : 2009-02-03 04:02:57 , 2009-02-04 05:34:21
Ctime : 2009-02-03 04:02:57 , 2009-02-04 05:34:21

Directory: /lib/udev
Mtime : 2009-02-03 04:03:38 , 2009-02-04 05:34:28
Ctime : 2009-02-03 04:03:38 , 2009-02-04 05:34:28

Directory: /lib/security
Mtime : 2009-02-01 06:17:42 , 2009-02-04 05:34:27
Ctime : 2009-02-01 06:17:42 , 2009-02-04 05:34:27
  #2  
Old 6th February 2009, 12:21 AM
marko Offline
Registered User
 
Join Date: Jun 2004
Location: Laurel, MD USA
Posts: 5,487
mlocate

/etc/cron.daily/mlocate.cron
  #3  
Old 6th February 2009, 12:22 AM
newhelpeeps Offline
Registered User
 
Join Date: Jan 2009
Posts: 34
Reviewing my history, I did edit my.cnf and main.ch or whatever the postfix config is, but I have not logged into X windows with root ever, I assume .gconfd thing has something to do with gnome, why is that changing?
  #4  
Old 6th February 2009, 12:29 AM
newhelpeeps Offline
Registered User
 
Join Date: Jan 2009
Posts: 34
It looks like the system rebooted around this time.

Feb 4 05:27:48 pulseaudio[5726]: polkit.c: Cannot set UID on session object.
Feb 4 05:27:48 pulseaudio[5726]: main.c: Called SUID root and real-time and/or high-priority scheduling was requested in the configuration. Ho$
Feb 4 05:27:48 pulseaudio[5726]: main.c: We are not in group 'pulse-rt', PolicyKit refuse to grant us the requested privileges and we have no $
Feb 4 05:27:48 pulseaudio[5726]: main.c: For enabling real-time/high-priority scheduling please acquire the appropriate PolicyKit privileges, $
Feb 4 05:27:50 pulseaudio[5862]: pid.c: Daemon already running.
Feb 4 05:40:55 init: tty4 main process (2201) killed by TERM signal
Feb 4 05:40:55 tty5 main process (2202) killed by TERM signal

Apparently I must have rebooted the server, but I still wonder why those directories and files were changed on rebooting.

Last edited by newhelpeeps; 6th February 2009 at 12:36 AM.
  #5  
Old 6th February 2009, 03:55 PM
newhelpeeps Offline
Registered User
 
Join Date: Jan 2009
Posts: 34
I hate crap like this, Fedora has something running by default that is changing my files and screwing up the IDS. Crapload of files were changed within two minutes last night too. Something called prelink apparently ran during this time, maybe that was it.
  #6  
Old 6th February 2009, 04:01 PM
Hlingler Offline
Administrator
 
Join Date: Sep 2006
Location: Connellsville, PA, USA
Posts: 11,289
Prelink is automatic, has always been there, and I frequently see it modifying stuff that's flagged by AFICK and other checkers, including RPM's verify function. I would not recommend disabling it. So far, for me, the effect is annoying but harmless.

V
  #7  
Old 6th February 2009, 04:26 PM
newhelpeeps Offline
Registered User
 
Join Date: Jan 2009
Posts: 34
I moved it to a different spot in the cron folders. It now runs weekly right after yum updates. I don't want this thing running daily or I'll never have time to verify all the file changes the IDS points out. I really don't understand why this prelink thing is changing my file times, lol, seems a bit unneeded but I'm willing to put up with it on a weekly basis I guess.
  #8  
Old 6th February 2009, 04:35 PM
newhelpeeps Offline
Registered User
 
Join Date: Jan 2009
Posts: 34
Grrrr.... I wonder if this thing might screw up my differential backups too. It's outta here, lol, I don't even use X (this thing is a webserver) so I'm not sure I need libraries preloaded into memory anyway. I can see why a desktop system might leave it running but for a server this seems unacceptable.
  #9  
Old 6th February 2009, 04:36 PM
Hlingler Offline
Administrator
 
Join Date: Sep 2006
Location: Connellsville, PA, USA
Posts: 11,289
Well, prelink modifies executables and libs to speed up loading by (this is my casual understanding) embedding info (memory locations?) in them: pre-linking. So, those files are modified, and therefore flagged by any file integrity checker or similar. Biggest hits seem to occur on the next run after (no surprise) package updates (new files=new prelinking). Your solution seems to be a reasonable compromise. Quite frankly, I wish there was a way to suppress this, but it seems to be a simple choice: either speed or file integrity.

V
  #10  
Old 6th February 2009, 04:45 PM
newhelpeeps Offline
Registered User
 
Join Date: Jan 2009
Posts: 34
Ya I saved the prelink script so I can run it manually after updating my system as I also noticed it seems to do the most modifications following updates (this is really the only time my binaries change as I don't install new programs really).
Reply With Quote
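Added example, not part of the thread and not code from any tool named in it: a small triage script for the report layout shown in post #1. It separates entries whose content attributes changed from timestamp-only changes and groups entries by their new mtime, so each burst can be compared with cron and reboot times in the logs. Treating `Size`, `MD5` and `SHA1` as the content fields and using a two-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Trimmed excerpt of the report in post #1 (values copied from the thread).
REPORT = """\
Directory: /usr/bin
Mtime : 2009-02-03 04:03:40 , 2009-02-04 05:34:32
Ctime : 2009-02-03 04:03:40 , 2009-02-04 05:34:32

Directory: /lib
Mtime : 2009-02-03 04:02:57 , 2009-02-04 05:34:21

File: /root/.gconfd/saved_state
Mtime : 2009-02-01 06:42:15 , 2009-02-04 05:40:58
Inode : 139292 , 139458
MD5 : 4GBNxlETFZY2CLLMsr7l1g== , 3kTpPy6beLFUIWZR8++NUw==
"""

CONTENT_FIELDS = {"Size", "MD5", "SHA1"}  # a change here means the bytes differ
HEADER = re.compile(r"^(Directory|File): (.+)$")
FIELD = re.compile(r"^(\w+)\s*: (.+?)\s*,\s*(.+)$")  # "Name : old , new"

def parse(report):
    """Return {path: {"kind": "Directory"|"File", "fields": {name: (old, new)}}}."""
    entries, current = {}, None
    for line in map(str.strip, report.splitlines()):
        if m := HEADER.match(line):
            current = entries.setdefault(m.group(2), {"kind": m.group(1), "fields": {}})
        elif current is not None and (m := FIELD.match(line)):
            current["fields"][m.group(1)] = (m.group(2), m.group(3))
    return entries

def triage(entries, window=timedelta(minutes=2)):
    """Return (paths whose content changed, bursts of paths grouped by new mtime)."""
    content = sorted(p for p, e in entries.items() if CONTENT_FIELDS & e["fields"].keys())
    stamped = sorted((datetime.strptime(e["fields"]["Mtime"][1], "%Y-%m-%d %H:%M:%S"), p)
                     for p, e in entries.items() if "Mtime" in e["fields"])
    bursts = []
    for ts, path in stamped:
        if bursts and ts - bursts[-1][-1][0] <= window:
            bursts[-1].append((ts, path))  # same run of activity
        else:
            bursts.append([(ts, path)])  # gap > window: a separate event
    return content, bursts

if __name__ == "__main__":
    content, bursts = triage(parse(REPORT))
    print("content changed:", content)
    for b in bursts:
        print(b[0][0], "->", b[-1][0], [p for _, p in b])
```

A directory entry that shows only Mtime/Ctime changes means something was created, removed or renamed inside that directory; the per-file hash entries are what show whether bytes actually changed.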