For the binary experts.
I have a situation here. Something hideously but continuously is modifying the /bin/ executables as common as coreutils and net-tools. I can verify that from md5sum. First thing I checked was 'ls' and it has a checksum mismatch. So I removed it and reinstalled it. Then I moved the file somewhere else to cross bisect it.
I did a hexdump on original ls file and the modified file, and there was some 700 lines of hex code additional in the modified file. Then I set a cron to check and do md5sum on all system files and after half an hour, I go a report back. Files modified.
This time when checked the hex dump of newly and earlier modified files, they were the same. Exact same!
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.
Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?
-Micky.
Micky L Martin wrote:
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.
Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?
Are you sure it's not prelink that's modifying the files? You can google how to disable this.
Boot from a CD to check the checksums or run rpm if you want a clean environment.
Jeremy
Jeremy Sanders wrote:
Micky L Martin wrote:
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.
Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?
Are you sure it's not prelink that's modifying the files? You can google how to disable this.
Any comments or thoughts from the list as to the benefit of prelink? does the system performance change if this is disabled? It causes issues with aide also.
Boot from a CD to check the checksums or run rpm if you want a clean environment.
Jeremy
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
So apparently prelink was running. I disabled it in /etc/sysconfig/prelink and ran 'prelink -ua' to undo the linking.
I just stumbled upon a document (attached) describing how Linux used to have a.out http://en.wikipedia.org/wiki/A.out and now the ELF.
Though I never knew that prelink actually modifies the files and thought of it as a cache library or something. Literally modifies!!
So, I assume the problem is solved as ls seems to have reverted back but if not then it may be an LKM kit :|
On Mon, Sep 26, 2011 at 6:29 AM, Rob Kampen rkampen@kampensonline.comwrote:
Jeremy Sanders wrote:
Micky L Martin wrote:
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.
Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?
Are you sure it's not prelink that's modifying the files? You can google how to disable this.
Any comments or thoughts from the list as to the benefit of prelink? does the system performance change if this is disabled? It causes issues with aide also.
Boot from a CD to check the checksums or run rpm if you want a clean
environment.
Jeremy
______________________________**_________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/**mailman/listinfo/centoshttp://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Jeremy Sanders wrote:
Micky L Martin wrote:
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.
Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?
Are you sure it's not prelink that's modifying the files? You can google how to disable this.
Boot from a CD to check the checksums or run rpm if you want a clean environment.
Don't really know about prelink, but I strongly agree with the last suggestion: boot from a CD, or USB key, or something *other* than your hard drive - your comments strongly suggest that you've been infected. You *do* have backups of your configuration and data (and home directories, etc)? If so, you might want to do a reinstall without formatting... and then, and only then, rerun grub-install.
mark
No Jeremy, reformatting is nonsensical, like doing anything without finding cause of the problem is! You have to check out prelink if you still don't know about it, it can be something amazing or ridiculous. In my case, all evidence points to prelink!
To the guys using prelink and having experience with it. So I did a further study and found out that it possesses some issues.
First it doesn't randomly address the data making applications prone to perl security attacks. Secondly, it way of keeping track of address maps is awkward which becomes a few weeks older till it gets updated. Thirdly, its 'a very old styled' application. It was written back in 90's when computers were slow to make them fast. But with today's extraneous processing age, its effects are long vanishing. Lastly, I see a lot of people remove it in post installation process. Many claim it sucks as it creates more problems than what it is supposed to do.
As I occasionally do a minimal install so I am not sure how it got installed on this very box. Seems like 'yum update' or the kickstart did it. But anyhow I disabled it already and I am gonna benchmark the system for performance; needless to day, it will be removed from my desk.
It did pop like a jack in a box :P!
On Mon, Sep 26, 2011 at 7:11 AM, m.roth@5-cent.us wrote:
Jeremy Sanders wrote:
Micky L Martin wrote:
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.
Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?
Are you sure it's not prelink that's modifying the files? You can google how to disable this.
Boot from a CD to check the checksums or run rpm if you want a clean environment.
Don't really know about prelink, but I strongly agree with the last suggestion: boot from a CD, or USB key, or something *other* than your hard drive - your comments strongly suggest that you've been infected. You *do* have backups of your configuration and data (and home directories, etc)? If so, you might want to do a reinstall without formatting... and then, and only then, rerun grub-install.
mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Micky L Martin wrote:
No Jeremy, reformatting is nonsensical, like doing anything without finding cause of the problem is! You have to check out prelink if you still don't know about it, it can be something amazing or ridiculous. In my case, all evidence points to prelink!
Think you got the name wrong - I'm Jeremy. You're replying to Mark. I agree reformatting is premature.
Jeremy Sanders wrote:
Micky L Martin wrote:
No Jeremy, reformatting is nonsensical, like doing anything without finding cause of the problem is! You have to check out prelink if you still don't know about it, it can be something amazing or ridiculous. In my case, all evidence points to prelink!
Think you got the name wrong - I'm Jeremy. You're replying to Mark. I agree reformatting is premature.
Oh, I was *not* recommending reformatting; you can install over, without reformatting, though it always says that it's not recommended.
mark
On Mon, Sep 26, 2011 at 9:27 AM, Micky L Martin mickylmartin@gmail.com wrote:
No Jeremy, reformatting is nonsensical, like doing anything without finding cause of the problem is! You have to check out prelink if you still don't know about it, it can be something amazing or ridiculous. In my case, all evidence points to prelink!
rpm -Va should show you all the files that have changed since being installed (via rpm or yum...). And it should know about prelink.
-
Jeremy Sanders -
Les Mikesell -
m.roth@5-cent.us -
Micky L Martin -
Rob Kampen