[Aide] AIDE and Wordpress? Constant wp-content changes? Is it normal?
Alex Morin-Sénécal
2015-05-01 04:33:04 UTC
Hi,

I'm using AIDE to check on an old WordPress installation that doesn't get new
content added. There was an advertisement script added to the header of one
of our sites at some point, so we wanted to use AIDE to know when something
like this happens, because a lot of WordPress sites are hit by 0 day
exploits, so it's inevitable something like this will happen again at some
point, and we want to know when it will happen and act on it.

Anyways, I'm using the NORMAL rules for these sites, which might not be
ideal? The log is a little strange. Well, perhaps not strange, but can
someone explain this behavior?:

Directory: /home/company/site.com/wp-content/themes
<http://brownstoneplayhouse.com/wp-content/themes>
Mtime : 2015-04-30 04:01:27 , 2015-04-30 15:55:43
Ctime : 2015-04-30 04:01:27 , 2015-04-30 15:55:43

Directory: /home/company/site.org/wp-content/plugins
<http://fondationfabiennecolas.org/wp-content/plugins>
Mtime : 2015-04-28 10:14:47 , 2015-04-30 17:27:15
Ctime : 2015-04-28 10:14:47 , 2015-04-30 17:27:15

I'm getting a lot of these for the various sites we host and it's always in
wp-content, the themes or plugins folder. So practically, something
changed, but what?

I suppose this is normal behavior and it's probably a side effect of
WordPress checking for updates or just doing something for one reason or
another?

I'm just wondering if this is normal and if there's nothing to worry about.
Better be safe than sorry.

Thanks
Keith Constable
2015-05-01 13:56:32 UTC
Can you try to describe the problem more specifically? Is the problem that
the ctime and mtime of directories are changing, but there are no changes to
the content of the directory?

Bear in mind that WordPress has automatic update features, so some
unexpected changes may occur.

Regards,

Keith Constable
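
The symptom asked about above, reproduced as an added example (not part of any poster's message): a directory's mtime and ctime are updated whenever an entry is created, removed or renamed inside it, so a scratch file that is written and then deleted leaves the file set identical while an integrity checker still reports the directory. The sample tree and the `upgrade.tmp` name are constructed; that WordPress does exactly this on a given site is an assumption.

```python
import hashlib
import os
import tempfile


def snapshot(directory):
    """Return {name: sha256} for every regular file directly inside directory."""
    result = {}
    for entry in sorted(os.scandir(directory), key=lambda e: e.name):
        if entry.is_file(follow_symlinks=False):
            with open(entry.path, "rb") as fh:
                result[entry.name] = hashlib.sha256(fh.read()).hexdigest()
    return result


def transient_write_demo():
    """Create and delete a scratch file, then compare directory metadata and contents."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample tree, not a real site.
        plugins = os.path.join(root, "wp-content", "plugins")
        os.makedirs(plugins)
        with open(os.path.join(plugins, "index.php"), "w") as fh:
            fh.write("<?php // constructed placeholder file\n")

        # Pin the directory mtime to a fixed past value so the comparison
        # does not depend on the filesystem's timestamp granularity.
        os.utime(plugins, (1430000000, 1430000000))
        before_stat = os.stat(plugins)
        before_files = snapshot(plugins)

        # Assumed stand-in for an updater: a scratch file appears and is removed.
        scratch = os.path.join(plugins, "upgrade.tmp")
        with open(scratch, "w") as fh:
            fh.write("scratch")
        os.remove(scratch)

        after_stat = os.stat(plugins)
        after_files = snapshot(plugins)
        return {
            "files_identical": before_files == after_files,
            "dir_mtime_changed": after_stat.st_mtime_ns != before_stat.st_mtime_ns,
            "dir_ctime_not_older": after_stat.st_ctime_ns >= before_stat.st_ctime_ns,
        }


if __name__ == "__main__":
    print(transient_write_demo())
```

A report that lists only the `Directory:` entry, with no added, removed or changed files beneath it, matches this pattern; a new or modified file inside the directory would show up as its own entry.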
Alex Morin-Sénécal
2015-05-01 14:43:20 UTC
"Is the problem that the ctime and mtime of directories is changing, but
there are no changes to the content of the directory?"

Pretty much. As I said, I'm aware that it miiight just be WordPress update
checking doing this but I just wanted to be sure and get a confirmation
from someone a little more experienced on the subject.

Thanks
_______________________________________________
Aide mailing list
https://mailman.cs.tut.fi/mailman/listinfo/aide