Single file changed: intrusion or corruption?

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Michaël Witrant on Server Fault See other posts from Server Fault or by Michaël Witrant
Published on 2012-10-29T11:07:12Z Indexed on 2012/11/01 11:03 UTC
Read the original article Hit count: 393

Filed under:
|
|
|
|

rkhunter reported a single file change on a virtual server (netstat binary). It didn't report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum is back as it was before).

I'm wondering whether this is a file corruption or an intrusion. I guess an intrusion would have changed many other files watched by rkhunter (or none if the intruder had access to rkhunter's database).

I disassembled both binaries with objdump -d and stored the diff here: https://gist.github.com/3972886

The full dump diff generated with objdump -s is here : https://gist.github.com/3972937

I guess a file corruption would have changed either large blocks or single bits, not small blocks like this.

Do these changes look suspicious? How could I investigate more?

The system is running Debian Squeeze.

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about debian

Related posts about Corruption

  • help! corrupt file recovery

    as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
    My supervisor computer crashed last night, and I'm trying to help him out. He made an R script but when he tried to open it, it was empty. But for some reason the file is 7.9kb so it should not be empty i think... anyway when i tried to open it, Gedit gave this error: "The file you opened has… >>> More

  • Login screen restarts while entering password

    as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
    I am having a problem that only occurred after installing the fglrx proprietary driver through the additional drivers app. The exact same issue is described in this question, however it's closed. Must login twice before entering Unity; first login screen has graphical anomalies When I boot up my… >>> More

  • Delete corrupted folder

    as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
    I am trying to delete a folder in my home directory; its name is completely garbled. In Nautilus, the garbled text is followed by 'Invalid Directory.' Deleting it with Nautilus stalls; I can't type in the garbled name in the terminal. peter@io_vbox:~$ ls -lbdR * ... drwxrwxr-x 3 peter peter … >>> More

  • Error while installing netbeans

    as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
    I tried to install NetBeans 7.2 from a downloaded .sh file, but experienced problems. Here's text from the Terminal, which shows what I did and what happened: hridesh@ubuntu:~$ cd Desktop/ hridesh@ubuntu:~/Desktop$ cd full\ netbeans\ 7.2\ for\ linux\ in\ .sh\ format/ hridesh@ubuntu:~/Desktop/full… >>> More

  • How do I fix a corrupted harddrive after failed upgrade?

    as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
    The problem originated when I was trying to fix this problem. Things went horribly, horribly wrong and I ended up with a new problem altogether. The last thing I did was run sudo apt-get install and that caused my system to freeze. I restarted my computer and it would not boot from the harddrive… >>> More

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle