changes in inodes

  #1 (permalink)  
Old 05-18-2006
phwashington@comcast.net
 

I have been running fcheck for about 2 months and noticed that the
inode numbers on a number of /usr/bin files have changed. I ran rpm -Va
and this did not show changes and also ran chkrootkit and saw no
problem. I am wondering what could have caused this.
Following are my results from ls -lt --time=ctime. The remaining files
have a ctime of Mar 8th which is what fcheck indicates was the original
ctime on these files.
-rwxr-xr-x 1 root root 74572 May 17 04:05 gnome-session-properties
-rwxr-xr-x 1 root root 64984 May 17 04:05 vncconfig
-rwxr-xr-x 1 root root 60852 May 17 04:05 gnome-accessibility-keyboard-properties
-rwxr-xr-x 1 root root 127716 May 17 04:05 webalizer
-r-xr-xr-x 1 root root 45372 May 17 04:05 berkeley_db41_svc
-rwxr-xr-x 1 root root 30196 May 17 04:05 consolehelper-gtk
-rwxr-xr-x 1 root root 187820 May 17 04:05 srcore
-rwxr-xr-x 1 root root 674896 May 17 04:05 nautilus
-rwxr-xr-x 1 root root 496656 May 17 04:05 gnome-panel
-r-xr-xr-x 1 root root 8868 May 17 04:05 db41_deadlock
-rwxr-xr-x 1 root root 320124 May 17 04:05 file-roller
-rwxr-xr-x 1 root root 91168 May 17 04:05 gdmchooser
-rwxr-xr-x 1 root root 46288 May 17 04:05 gnome-sound-recorder
-rwxr-xr-x 1 root root 25228 May 17 04:05 goad-browser
-rwxr-xr-x 1 root root 19304 May 17 04:05 xidump
-rwxr-xr-x 1 root root 17572 May 17 04:04 bluez-pin
-r-xr-xr-x 1 root root 7824 May 17 04:04 db41_archive
-r-xr-xr-x 1 root root 20424 May 17 04:04 db41_load
-rwxr-xr-x 1 root root 83512 May 17 04:04 gnome-dictionary
-rwxr-xr-x 1 root root 25576 May 17 04:04 gnome-smproxy
-rwxr-xr-x 1 root root 119172 May 17 04:04 yelp
-rwxr-xr-x 1 root root 12212 May 17 04:04 gnome-audio-profiles-properties
-rwxr-xr-x 1 root root 112780 May 17 04:04 gnome-search-tool
-rwxr-xr-x 1 root root 29720 May 17 04:04 metacity-theme-viewer
-rwxr-xr-x 1 root root 117556 May 17 04:04 gnome-keyboard-properties
-rwxr-xr-x 1 root root 163904 May 17 04:04 evolution-2.0
-rwxr-xr-x 1 root root 25108 May 17 04:04 gnome-volume-properties
-rwxr-xr-x 1 root root 113644 May 17 04:04 gnome-keyring-manager
-rwxr-xr-x 1 root root 32768 May 17 04:04 gnome-session-save
-rwxr-xr-x 1 root root 115544 May 17 04:04 gconf-editor
-rwxr-xr-x 1 root root 47520 May 17 04:04 cddb-slave2-properties
-rwxr-xr-x 1 root root 18796 May 17 04:04 gnome-moz-remote
-rwxr-xr-x 1 root root 33968 May 17 04:04 gnome-name-service
-rwxr-xr-x 1 root root 84216 May 17 04:04 gnome-theme-manager
-rwxr-xr-x 1 root root 118776 May 17 04:04 rhgb
-rwxr-xr-x 1 root root 15532 May 17 04:04 krb5-auth-dialog
-rwxr-xr-x 1 root root 66356 May 17 04:04 gnome-desktop-item-edit
-rwxr-xr-x 1 root root 227156 May 17 04:04 gnopernicus
-rwxr-xr-x 1 root root 8688 May 17 04:04 wishx
-rwxr-xr-x 1 root root 65504 May 17 04:04 gnome-keybinding-properties
-rwxr-xr-x 1 root root 25476 May 17 04:04 metacity-window-demo
-rwxr-xr-x 1 root root 26504 May 17 04:04 nautilus-file-management-properties
-rwxr-xr-x 1 root root 12928 May 17 04:04 gucharmap
-r-xr-xr-x 1 root root 10800 May 17 04:04 db41_printlog
-rwxr-xr-x 1 root root 469376 May 17 04:04 gedit
-rwxr-xr-x 1 root root 156816 May 17 04:04 gdmgreeter
-rwxr-xr-x 1 root root 218484 May 17 04:04 oprof_start
-rwxr-xr-x 1 root root 19528 May 17 04:04 gnome-default-printer
-rwxr-xr-x 1 root root 280924 May 17 04:04 gnome-terminal
-rwxr-xr-x 1 root root 16608 May 17 04:04 loadshlib
-rwxr-xr-x 1 root root 44960 May 17 04:04 pam-panel-icon
-rwxr-xr-x 1 root root 7876 May 17 04:04 syndaemon
-r-xr-xr-x 1 root root 9120 May 17 04:04 db41_verify
-rwxr-xr-x 1 root root 78576 May 17 04:04 gnome-sound-properties
-rwxr-xr-x 1 root root 28688 May 17 04:04 gnome-volume-control
-rwxr-xr-x 1 root root 44840 May 17 04:04 gfloppy
-rwxr-xr-x 1 root root 111100 May 17 04:04 ggv
-rwxr-xr-x 1 root root 38600 May 17 04:04 vino-preferences
-rwxr-xr-x 1 root root 231924 May 17 04:04 x0vncserver
-rwxr-xr-x 1 root root 24764 May 17 04:04 gnome-window-properties
-rwxr-xr-x 1 root root 325108 May 17 04:04 gok
-rwxr-xr-x 1 root root 32860 May 17 04:04 gnome-session-remove
-rwxr-xr-x 1 root root 64380 May 17 04:04 gnome-font-properties
-rwxr-xr-x 1 root root 7912 May 17 04:04 gs
-rwxr-xr-x 1 root root 88976 May 17 04:04 nmapfe
-rwxr-xr-x 1 root root 12744 May 17 04:04 xsetwacom
-rwxr-xr-x 1 root root 46508 May 17 04:04 gnome-typing-monitor
-rwxr-xr-x 1 root root 9760 May 17 04:04 gtk-query-immodules-2.0-32
-rwxr-xr-x 1 root root 55512 May 17 04:04 gdmflexiserver
-rwxr-xr-x 1 root root 22668 May 17 04:04 usermount
-rwxr-xr-x 1 root root 5988 May 17 04:04 wish8.4
-rwxr-xr-x 1 root root 63196 May 17 04:04 zenity
-rwxr-xr-x 1 root root 51780 May 17 04:04 gnome-network-preferences
-rwxr-xr-x 1 root root 14732 May 17 04:04 dbus-launch
-rwxr-xr-x 1 root root 36316 May 17 04:04 gnome-about
-rwxr-xr-x 1 root root 54904 May 17 04:04 gnome-at-properties
-rwxr-xr-x 1 root root 359280 May 17 04:04 imlib_config
-rwxr-xr-x 1 root root 8092 May 17 04:04 metacity-message
-rwxr-xr-x 1 root root 36660 May 17 04:04 NetworkManagerInfo
-rwxr-xr-x 1 root root 27824 May 17 04:04 gnome-volume-manager
-rwxr-xr-x 1 root root 62644 May 17 04:04 gnome-keyboard-layout
-rwxr-xr-x 1 root root 40088 May 17 04:04 gnome-theme-thumbnailer
-rwxr-xr-x 1 root root 18828 May 17 04:04 create-branching-keyboard
-rwxr-xr-x 1 root root 31684 May 17 04:04 gnome-display-properties
-rwxr-xr-x 1 root root 14104 May 17 04:04 ktest
-r-xr-xr-x 1 root root 13108 May 17 04:04 db41_dump
-rwxr-xr-x 1 root root 38300 May 17 04:04 gnome-control-center
-rwxr-xr-x 1 root root 478696 May 17 04:04 metacity
-r-xr-xr-x 1 root root 25844 May 17 04:04 db41_stat
-rwxr-xr-x 1 root root 26160 May 17 04:04 gnome-font-viewer
-rwxr-xr-x 1 root root 66368 May 17 04:04 gnome-mouse-properties
-rwxr-xr-x 1 root root 104608 May 17 04:04 gnome-nettool
-rwxr-xr-x 1 root root 23484 May 17 04:04 krb5
-rwxr-xr-x 1 root root 23268 May 17 04:04 gstreamer-properties
-rwxr-xr-x 1 root root 26848 May 17 04:04 rsvg-view
-rwxr-xr-x 1 root root 26620 May 17 04:04 xsri
-rwxr-xr-x 1 root root 36256 May 17 04:04 gnome-panel-screenshot
-rwxr-xr-x 1 root root 71612 May 17 04:04 gdmXnestchooser
-rwxr-xr-x 1 root root 119012 May 17 04:04 gnome-system-monitor
-rwxr-xr-x 1 root root 406100 May 17 04:04 gthumb
-rwxr-xr-x 1 root root 34564 May 17 04:04 userinfo
-rwxr-xr-x 1 root root 12444 May 17 04:04 vftest
-rwxr-xr-x 1 root root 258172 May 17 04:04 xterm
-r-xr-xr-x 1 root root 8964 May 17 04:04 db41_recover
-rwxr-xr-x 1 root root 114000 May 17 04:04 gnome-cd
-rwxr-xr-x 1 root root 100004 May 17 04:04 gpdf
-rwxr-xr-x 1 root root 49272 May 17 04:04 gswitchit-plugins-capplet
-rwxr-xr-x 1 root root 29168 May 17 04:04 userpasswd
-rwxr-xr-x 1 root root 875728 May 17 04:04 gnomemeeting
-rwxr-xr-x 1 root root 9012 May 17 04:04 pango-querymodules-32
-r-xr-xr-x 1 root root 8120 May 17 04:03 db41_upgrade
-rwxr-xr-x 1 root root 18632 May 17 04:03 gpilot-install-file
-rwxr-xr-x 1 root root 43908 May 17 04:03 gdmphotosetup
-rwxr-xr-x 1 root root 14100 May 17 04:03 gnome-pilot-make-password
-rwxr-xr-x 1 root root 127368 May 17 04:03 eggcups
-rwxr-xr-x 1 root root 141532 May 17 04:03 gnome-session
-rwxr-xr-x 1 root root 11584 May 17 04:03 gpilotd-session-wrapper
-rwxr-xr-x 1 root root 132796 May 17 04:03 gcalctool
-r-xr-xr-x 1 root root 9428 May 17 04:03 db41_checkpoint
-rwxr-xr-x 1 root root 50792 May 17 04:03 gnome-ui-properties
-rwxr-xr-x 1 root root 417136 May 17 04:03 xchat
-rwxr-xr-x 1 root root 103840 May 17 04:03 gtk-demo
-rwxr-xr-x 1 root root 61968 May 17 04:03 gnome-default-applications-properties
-rwxr-xr-x 1 root root 98576 May 17 04:03 gpilotd-control-applet
-rwxr-xr-x 1 root root 18464 May 17 04:03 gnome_segv
-rwxr-xr-x 1 root root 49488 May 17 04:03 nautilus-cd-burner
-rwxr-xr-x 1 root root 16832 May 17 04:03 panel-test-applets
-rwxr-xr-x 1 root root 29460 May 17 04:03 themus-theme-applier
-rwxr-xr-x 1 root root 55192 May 17 04:03 gnome-background-properties
-rwxr-xr-x 1 root root 125356 May 17 04:03 gdmlogin
-rwxr-xr-x 1 root root 143648 May 17 04:03 magnifier
-rwxr-xr-x 1 root root 271244 May 17 04:03 eog

  #2 (permalink)  
Old 05-22-2006
Jay C. James
 

<phwashington@comcast.net> wrote in message
news:1147907831.435019.148920@i40g2000cwc.googlegroups.com...
> I have been running fcheck for about 2 months and noticed that the
> inode numbers on a number of /usr/bin files have changed. I ran rpm -Va
> and this did not show changes and also ran chkrootkit and saw no
> problem. I am wondering what could have caused this.
> Following are my results from ls -lt --time=ctime. The remaining files
> have a ctime of Mar 8th which is what fcheck indicates was the original
> ctime on these files.
> -rwxr-xr-x 1 root root 74572 May 17 04:05 gnome-session-properties
> -rwxr-xr-x 1 root root 64984 May 17 04:05 vncconfig
> -rwxr-xr-x 1 root root 60852 May 17 04:05 gnome-accessibility-keyboard-properties
> -rwxr-xr-x 1 root root 127716 May 17 04:05 webalizer
> -r-xr-xr-x 1 root root 45372 May 17 04:05 berkeley_db41_svc
> -rwxr-xr-x 1 root root 30196 May 17 04:05 consolehelper-gtk
> -rwxr-xr-x 1 root root 187820 May 17 04:05 srcore
> -rwxr-xr-x 1 root root 674896 May 17 04:05 nautilus
> -rwxr-xr-x 1 root root 496656 May 17 04:05 gnome-panel
> -r-xr-xr-x 1 root root 8868 May 17 04:05 db41_deadlock


Snipped...

From wikipedia::inode --
-----------------------------------------------
The POSIX standard mandates filesystem behavior that is strongly influenced
by traditional UNIX filesystems. Regular files are required to have the
following attributes:

The length of the file in bytes.
Device ID (this identifies the device containing the file).
The User ID of the file's owner.
The Group ID of the file.
An inode number that identifies the file within the filesystem.
The file mode, which determines what users can read, write, and execute the
file.
Timestamps telling when the inode itself was last changed (ctime), the file
content last modified (mtime), and last accessed (atime).
A reference count telling how many hard links point to the inode.
-----------------------------------------------


and wikipedia:: stat()
-----------------------------------------------
Not all fields are supported on all filesystem types. Here are the
meaning of the fields:

0 dev device number of filesystem
1 ino inode number
2 mode file mode (type and permissions)
3 nlink number of (hard) links to the file
4 uid numeric user ID of file's owner
5 gid numeric group ID of file's owner
6 rdev the device identifier (special files only)
7 size total size of file, in bytes
8 atime last access time in Unix time format
9 mtime last modify time in Unix time format
10 ctime inode change time (NOT creation time!) in Unix time format
11 blksize preferred block size for file system I/O
12 blocks actual number of blocks allocated
---------------------------------


from 'man 2 stat' (linux)
-----------------------------------------------
The field st_atime is changed by file accesses, e.g. by execve(2),
mknod(2), pipe(2), utime(2) and read(2) (of more than zero bytes).
Other routines, like mmap(2), may or may not update st_atime.

The field st_mtime is changed by file modifications, e.g. by mknod(2),
truncate(2), utime(2) and write(2) (of more than zero bytes). Moreover,
st_mtime of a directory is changed by the creation or deletion of
files in that directory. The st_mtime field is not changed for changes
in owner, group, hard link count, or mode.

The field st_ctime is changed by writing or by setting inode information
(i.e., owner, group, link count, mode, etc.).
------------------------------------------------


Armed with that information, I would first look into what 'fcheck' is
actually examining, and how ctime is changed in your OS.

'ctime' is a reference to 'change time', and not creation time. Consider
coding up your own stat() parser. I did some time ago with help from
Advanced Programming in the Unix Environment. It took a little work to get
it right, an hour or so, but the result was well worth it.

jcj
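
A small stat() comparer of the kind suggested in the reply above, as an added example that is not code from either poster. It separates a file replaced under the same name (new inode) from a metadata-only change (same inode). The names stat_diff, demo and the CH_* flags are made up for illustration, and the scratch files under /tmp are constructed test data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Bits reported by stat_diff(); hypothetical names for this example. */
enum { CH_INODE = 1, CH_SIZE = 2, CH_MTIME = 4, CH_CTIME = 8, CH_MODE = 16, CH_OWNER = 32 };

/* Compare a baseline stat snapshot with the current one; returns CH_* bits. */
int stat_diff(const struct stat *base, const struct stat *cur)
{
    int f = 0;
    if (base->st_dev != cur->st_dev || base->st_ino != cur->st_ino) f |= CH_INODE;
    if (base->st_size != cur->st_size)   f |= CH_SIZE;
    if (base->st_mtime != cur->st_mtime) f |= CH_MTIME;
    if (base->st_ctime != cur->st_ctime) f |= CH_CTIME; /* 1-second granularity */
    if (base->st_mode != cur->st_mode)   f |= CH_MODE;
    if (base->st_uid != cur->st_uid || base->st_gid != cur->st_gid) f |= CH_OWNER;
    return f;
}

/* Constructed demo: make a scratch file, apply one change, return the diff.
 * replace=0: chmod in place. replace=1: write a second file with the same
 * bytes and rename() it over the path, so the name now points at a new inode. */
int demo(int replace)
{
    char path[] = "/tmp/inode-demo-XXXXXX", tmp[] = "/tmp/inode-demo-XXXXXX";
    struct stat base, cur;
    int fd = mkstemp(path), rc = -1;
    if (fd < 0) return -1;
    if (write(fd, "same bytes\n", 11) == 11 && fstat(fd, &base) == 0) {
        if (!replace) {
            rc = chmod(path, 0644);            /* mkstemp created it 0600 */
        } else {
            int fd2 = mkstemp(tmp);
            if (fd2 >= 0 && write(fd2, "same bytes\n", 11) == 11)
                rc = rename(tmp, path);
            if (fd2 >= 0) { close(fd2); unlink(tmp); } /* no-op after rename */
        }
        if (rc == 0) rc = stat(path, &cur) == 0 ? stat_diff(&base, &cur) : -1;
    }
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("chmod in place: %d, replaced by rename: %d\n", demo(0), demo(1));
    return 0;
}
```

The replace case reports CH_INODE with size and mode unchanged, which a content-only verifier would not flag; the chmod case reports CH_MODE with the inode unchanged.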