Does the on-disk image of an executable ever change?

Alan Johnson alan at datdec.com
Wed Nov 4 19:19:36 EST 2009


On Wed, Nov 4, 2009 at 4:56 PM, Michael ODonnell <
michael.odonnell at comcast.net> wrote:

> ...so that system seems to have suffered disk corruption or compromise;
> I'm assuming the former given the large number of affected files but I
> guess I can't rule out the latter.
>

Of course, if it is the latter, you can't trust any of your binaries,
including rpm or md5sum, but there's no reason they would hack those things
but not hide their tracks.  Could just be the hack is not that slick.

To confirm the former, check /var/log/messages for any patterns of the block
devices behind the partitions holding the files in question and look for
corruption-related errors.  e.g.

   zgrep -E 'sda|hdb|md0' /var/log/messages*

Just modify the list of patterns to work for your physical devices.  If your
drives support SMART, also check their status.  e.g.:

   smartctl -a /dev/sda

Repeat for each relevant physical block device.  Again, all of these could
be faked if you were hacked, but I don't think it would be in the interest
of a hacker to make it appear as if you had disk corruption... unless they
were just messing with you.  =)
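The log check described in the message above, worked through as an added example (not part of the original post): it scans a syslog-style file for lines that both name one of the block devices and carry a storage-error keyword, so ordinary mount and partition notices are not counted, and reports a per-device tally. The sample log lines are constructed for the example, and the keyword list in ERR_PATTERN is a hypothetical starting point rather than anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Scans a syslog-style file for
# corruption-related kernel errors on the block devices behind the affected
# partitions. Device names are given as an extended-regex alternation, the
# same way the post's zgrep does ('sda|hdb|md0').

# Hypothetical starting list of storage-error keywords. Widen it for your
# kernel/driver: e.g. ATA-layer errors are logged by port ("ata1.00: error")
# rather than by device name, so they will NOT be tied to "sda" by this scan
# unless you add the port to the device pattern as well.
ERR_PATTERN='I/O error|Medium Error|UncorrectableError|EXT[234]-fs error'

# count_disk_errors LOGFILE DEVICE_REGEX
# Prints the number of lines that mention a listed device AND an error keyword.
# (For rotated, gzip-compressed logs substitute zgrep for grep.)
count_disk_errors() {
    grep -E "$2" "$1" | grep -Ec "$ERR_PATTERN" || true
}

# disk_error_summary LOGFILE DEVICE_REGEX
# Prints one "device count" line per device in the alternation list.
disk_error_summary() {
    logfile=$1
    echo "$2" | tr '|' '\n' | while read -r dev; do
        n=$(grep -E "$dev" "$logfile" | grep -Ec "$ERR_PATTERN" || true)
        echo "$dev $n"
    done
}

# smart_status DEVICE
# Second step from the post: pull the drive's SMART data. Guarded so the
# example still runs on a box without smartmontools or the device.
smart_status() {
    if command -v smartctl >/dev/null 2>&1 && [ -e "$1" ]; then
        smartctl -a "$1"
    else
        echo "smartctl or $1 not available; skipping SMART check"
    fi
}

# write_sample_log PATH
# Constructed sample of what /var/log/messages might hold on a failing disk.
write_sample_log() {
    cat > "$1" <<'EOF'
Nov  4 16:10:02 host kernel: sd 0:0:0:0: [sda] Attached SCSI disk
Nov  4 16:12:41 host kernel: ata1.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
Nov  4 16:12:41 host kernel: ata1.00: error: { UNC }
Nov  4 16:12:41 host kernel: sd 0:0:0:0: [sda] Unhandled sense code
Nov  4 16:12:41 host kernel: sd 0:0:0:0: [sda] Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
Nov  4 16:12:41 host kernel: sd 0:0:0:0: [sda] Sense Key : Medium Error [current] [descriptor]
Nov  4 16:12:41 host kernel: end_request: I/O error, dev sda, sector 12345678
Nov  4 16:12:41 host kernel: Buffer I/O error on device sda2, logical block 1543
Nov  4 16:13:05 host kernel: EXT3-fs error (device sda2): ext3_find_entry: reading directory #4521 offset 0
Nov  4 16:15:00 host kernel: md: md0: recovery done.
Nov  4 16:20:00 host sshd[1234]: Accepted publickey for alice from 10.0.0.5
Nov  4 16:25:00 host kernel: hdb: dma_intr: status=0x51 { DriveReady SeekComplete Error }
Nov  4 16:25:00 host kernel: hdb: dma_intr: error=0x40 { UncorrectableError }, LBAsect=9876543
EOF
}

# Stand-alone run against the constructed log; point LOGFILE at
# /var/log/messages (and widen DEVICES) to use it on a real system.
LOGFILE=$(mktemp)
DEVICES='sda|hdb|md0'
write_sample_log "$LOGFILE"
echo "total corruption-related lines: $(count_disk_errors "$LOGFILE" "$DEVICES")"
disk_error_summary "$LOGFILE" "$DEVICES"
smart_status /dev/sda
rm -f "$LOGFILE"
```

On the constructed log this reports 5 matching lines (sda 4, hdb 1, md0 0). A device whose tally stays at zero while others climb is the point of the exercise: that is the evidence separating a failing disk from the "compromise" branch of the question.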