Strange changes - any ideas? (2) (in Bugtraq Digest 9 Jun 1996)

[ishikawa () personal-media co jp (Chiaki Ishikawa)]

PMC e-mail id: 4524

I saw somethng similar on one of my hosts.

> What it sounds like to me is that your memory was corrupted.  Probably no ECC
> on that machine, or perhaps not even any parity (for what little that is
> worth)

The machine is Sparc IPC (or was it IPX?).
As far as I could tell, the machine was OK.

There are minor (and major) differences, though:

 - I used Tripwire.

 - In my case, the content of the files was OK. They didn't change.
   Only the mod time, etc. was changed.
   In some cases, the i-node number was changed.

After scratching my hair for a while,
I figured out that the during the initialization of the databse and
the particular run of Tripwire that showed these discrepancies, the
system crashed and rebooted, and
I assumed that the files in question are touched by fsck or
some kind of i-node shuffling that occurred due to
fsck that took place during the atuomatic reboot.

To make sure they are not really changed, I compared some of the files
to archive files and they matched the old version.

Any other opinions on these observations are welcome.

Tripwire is very good in picking up changes in system-related files
which other sysadmins did in haste and forget to tell others.
Highly recommended.

--
     Ishikawa, Chiaki           ishikawa () personal-media co jp
 (family name, given name)
    Personal Media Corp.
  Shinagawa, Tokyo, Japan 142