OS CentOS-6.2 with updates to present.
I use git on this host to manage configuration changes and to monitor package alterations. This is not meant to be a security check. It is simply a way for me to easily recover from fumble fingered configuration changes.
Yesterday git status reported that the following files had changed since the previous commit:
# modified: ../usr/bin/gdb
# modified: ../usr/bin/gvim
# modified: ../usr/bin/vim
I therefore reinstalled these three packages using yum reinstall and committed the change to git.
commit b87a8b2116ef22cc013fd5dc6f525d672d52570a
Author: sysadmin.root.vhost01.hamilton <sysadmin.root.vhost01.hamilton@harte-lyn
Date: Tue Jul 3 16:22:34 2012 -0400
Reinstalled gdb, vim and vim-X11 due to unexpected changes in executable files.
This morning git reports the same three files have again changed.
# On branch master
# Changed but not updated:
# (use "git add <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working directory)
#
# modified: ../etc/virsh.run
# modified: .Xauthority
# modified: .bash_history
# modified: ../selinux/policy
# modified: ../usr/bin/gdb
# modified: ../usr/bin/gvim
# modified: ../usr/bin/vim
#
# Untracked files:
# (use "git add <file>..." to include in what will be committed)
#
# ../.readahead_collect
When I check the differences git simply reports that the binary files differ, but after I reinstalled them all yesterday I noted that the file modification times of the replaced files and their respective reinstalled files were the same but their file sizes were not.
Given what I have committed to the git repository I am satisfied that these are the only system files that have changed. None of the files in /var/log show any entries relating to these files immediately prior to the reinstall yesterday. What entries do exist go back to when the software was first installed and none are more recent than several months ago. The git commit on this host previous to yesterday was the Kernel update on June 19. At that time the subject files were the same as when they were originally installed.
This host does not accept any direct IP connections from IP addresses outside our internal server subnet (a.b.c.0/192). Access is blocked via IPTables at the gateway and again on the host itself. Some VM guests do allow public or otherwise less restricted access but the VM host itself does not.
I am of course deeply suspicious of these circumstances but I cannot see how this could be the result of some outside agency. Therefore, I am at a loss to explain these changes. What I need to discover is what agency changed these files and why. In the meantime I have removed the gdb, vim-enhanced and vim-X11 packages from that host.
Has anyone else run across this sort of behaviour? Has anyone any idea as to what is going on here?
From: James B. Byrne byrnejb@harte-lyne.ca
> Yesterday git status reported that the following files had changed since the previous commit:
> # modified: ../usr/bin/gdb
> # modified: ../usr/bin/gvim
> # modified: ../usr/bin/vim
> # modified: ../etc/virsh.run
> # modified: .Xauthority
> # modified: .bash_history
> # modified: ../selinux/policy
> # modified: ../usr/bin/gdb
> # modified: ../usr/bin/gvim
> # modified: ../usr/bin/vim
> When I check the differences git simply reports that the binary files differ, but after I reinstalled them all yesterday I noted that the file modification times of the replaced files and their respective reinstalled files were the same but their file sizes were not.
Did you rpm verify?
# rpm -qV vim-enhanced
# rpm -qV gdb
Did you diff the text files? Did you "binary diff" the binaries? How many bytes difference? Constant number?
JD
On Wed, Jul 04, 2012 at 07:53:09AM -0700, John Doe wrote:
> From: James B. Byrne byrnejb@harte-lyne.ca
> > Yesterday git status reported that the following files had changed since the previous commit:
> > # modified: ../usr/bin/gdb
> > # modified: ../usr/bin/gvim
> > # modified: ../usr/bin/vim
> > # modified: ../etc/virsh.run
> > # modified: .Xauthority
> > # modified: .bash_history
> > # modified: ../selinux/policy
> > # modified: ../usr/bin/gdb
> > # modified: ../usr/bin/gvim
> > # modified: ../usr/bin/vim
> > When I check the differences git simply reports that the binary files differ, but after I reinstalled them all yesterday I noted that the file modification times of the replaced files and their respective reinstalled files were the same but their file sizes were not.
> Did you rpm verify?
> # rpm -qV vim-enhanced
> # rpm -qV gdb
> Did you diff the text files? Did you "binary diff" the binaries? How many bytes difference? Constant number?
> JD

prelink???
From: fred smith fredex@fcshome.stoneham.ma.us
> On Wed, Jul 04, 2012 at 07:53:09AM -0700, John Doe wrote:
> > From: James B. Byrne byrnejb@harte-lyne.ca
> > > Yesterday git status reported that the following files had changed since the previous commit:
> > > # modified: ../usr/bin/gdb
> > > # modified: ../usr/bin/gvim
> > > # modified: ../usr/bin/vim
> > > # modified: ../etc/virsh.run
> > > # modified: .Xauthority
> > > # modified: .bash_history
> > > # modified: ../selinux/policy
> > > # modified: ../usr/bin/gdb
> > > # modified: ../usr/bin/gvim
> > > # modified: ../usr/bin/vim
> > > When I check the differences git simply reports that the binary files differ, but after I reinstalled them all yesterday I noted that the file modification times of the replaced files and their respective reinstalled files were the same but their file sizes were not.
> > Did you rpm verify?
> > # rpm -qV vim-enhanced
> > # rpm -qV gdb
> > Did you diff the text files? Did you "binary diff" the binaries? How many bytes difference? Constant number?
> prelink???

I do not think prelink would alter text configuration files like .Xauthority or .bash_history
JD
On 07/05/2012 03:51 AM, John Doe wrote:
> From: fred smith fredex@fcshome.stoneham.ma.us
> > On Wed, Jul 04, 2012 at 07:53:09AM -0700, John Doe wrote:
> > > From: James B. Byrne byrnejb@harte-lyne.ca
> > > > Yesterday git status reported that the following files had changed since the previous commit:
> > > > # modified: ../usr/bin/gdb
> > > > # modified: ../usr/bin/gvim
> > > > # modified: ../usr/bin/vim
> > > > # modified: ../etc/virsh.run
> > > > # modified: .Xauthority
> > > > # modified: .bash_history
> > > > # modified: ../selinux/policy
> > > > # modified: ../usr/bin/gdb
> > > > # modified: ../usr/bin/gvim
> > > > # modified: ../usr/bin/vim
> > > > When I check the differences git simply reports that the binary files differ, but after I reinstalled them all yesterday I noted that the file modification times of the replaced files and their respective reinstalled files were the same but their file sizes were not.
> > > Did you rpm verify?
> > > # rpm -qV vim-enhanced
> > > # rpm -qV gdb
> > > Did you diff the text files? Did you "binary diff" the binaries? How many bytes difference? Constant number?
> > prelink???
> I do not think prelink would alter text configuration files like .Xauthority or .bash_history

No - the simple act of logging in did that - my vote is for prelink - git is probably unaware of prelink.
> JD
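As an added example that is not part of the thread or of any of the posters' code: a POSIX shell script that does the two things suggested above in one place. It decodes the flag column of `rpm -V` output (JD's "did you rpm verify?") into readable attribute names, and it singles out the pattern the closing reply attributes to prelink: size and digest changed while mtime is preserved, which is what prelink leaves behind on an ELF binary and why git (which hashes the bytes as they are on disk) reports a change while rpm -V (which undoes prelinking with `prelink -y` before hashing on CentOS 6) stays clean. Assumptions: the CentOS 6 `rpm -V` line layout of nine flag characters, an optional attribute letter (c, d, g, l or r) and the path; the script name `verify_check.sh` is hypothetical; the sample lines used to exercise it are constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decode `rpm -V` output and point out the
# change pattern that prelink leaves behind. Assumes the CentOS 6 line layout:
# nine flag characters, an optional attribute letter (c d g l r), then the path.
# Usage (hypothetical script name): sh verify_check.sh vim-enhanced gdb vim-X11

# decode_flags FLAGS: turn "S.5....T." into "size,digest,mtime"
decode_flags() {
    _out=""
    for _pair in S:size M:mode 5:digest D:device L:link U:user G:group T:mtime P:caps; do
        case $1 in *"${_pair%%:*}"*) _out="${_out}${_pair#*:}," ;; esac
    done
    printf '%s\n' "${_out%,}"
}

# classify_line LINE: one `rpm -V` line -> a one-line assessment
classify_line() {
    set -f; set -- $1; set +f   # word-split: FLAGS [ATTR] PATH (paths with spaces unsupported)
    _flags=$1
    if [ $# -ge 3 ]; then _attr=$2; _path=$3; else _attr=""; _path=$2; fi
    if [ "$_flags" = "missing" ]; then
        printf '%s: MISSING, the file has been deleted\n' "$_path"
        return 0
    fi
    _diff=$(decode_flags "$_flags")
    case ",$_diff," in *,digest,*) _content=1 ;; *) _content=0 ;; esac
    case ",$_diff," in *,mtime,*)  _mtime=1   ;; *) _mtime=0   ;; esac
    if [ "$_attr" = "c" ] && [ "$_content" -eq 1 ]; then
        printf '%s: config file edited locally (%s)\n' "$_path" "$_diff"
    elif [ "$_content" -eq 1 ] && [ "$_mtime" -eq 0 ]; then
        # Size and digest differ but mtime is untouched: exactly what prelink does
        # to ELF binaries. git hashes the prelinked bytes and sees a change; rpm -V
        # normally undoes prelinking first, so this line only appears here when rpm
        # could not run prelink -y (e.g. the prelink package is gone).
        printf '%s: content changed, mtime preserved (%s): consistent with prelink, confirm with "prelink -y" before treating as tampering\n' "$_path" "$_diff"
    elif [ "$_content" -eq 1 ]; then
        printf '%s: content and mtime changed (%s): compare with the package copy\n' "$_path" "$_diff"
    else
        printf '%s: metadata only (%s)\n' "$_path" "$_diff"
    fi
}

# prelink_aware_digest FILE: sha256 of the file with prelinking undone, i.e. the
# bytes rpm actually verifies; falls back to the raw file when it is not prelinked.
prelink_aware_digest() {
    if command -v prelink >/dev/null 2>&1 && prelink -y "$1" >/dev/null 2>&1; then
        prelink -y "$1" | sha256sum | cut -d' ' -f1
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Run `rpm -V` on every package named on the command line (no-op without arguments).
if [ $# -gt 0 ] && command -v rpm >/dev/null 2>&1; then
    for _pkg in "$@"; do
        rpm -V "$_pkg" | while IFS= read -r _line; do classify_line "$_line"; done
    done
fi
```

Two practical notes: `classify_line` can also be fed observations from outside rpm, since a git-tracked binary whose size changed but whose mtime did not is the same "prelink-shaped" signal; and `prelink_aware_digest` is the right thing to compare against the digest recorded in the package database, because comparing the raw on-disk hash of a prelinked binary against it will always mismatch.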
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos