Single file changed: intrusion or corruption?
Posted
by
Michaël Witrant
on Server Fault
See other posts from Server Fault
or by Michaël Witrant
Published on 2012-10-29T11:07:12Z
Indexed on
2012/11/01
11:03 UTC
Read the original article
Hit count: 398
rkhunter reported a single file change on a virtual server (netstat binary). It didn't report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum is back as it was before).
I'm wondering whether this is a file corruption or an intrusion. I guess an intrusion would have changed many other files watched by rkhunter (or none if the intruder had access to rkhunter's database).
I disassembled both binaries with objdump -d
and stored the diff here: https://gist.github.com/3972886
The full dump diff generated with objdump -s
is here : https://gist.github.com/3972937
I guess a file corruption would have changed either large blocks or single bits, not small blocks like this.
Do these changes look suspicious? How could I investigate more?
The system is running Debian Squeeze.
© Server Fault or respective owner