Michaël Witrant asked:
rkhunter reported a single file change on a virtual server (netstat binary). It didn’t report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum is back as it was before).
I’m wondering whether this is a file corruption or an intrusion. I guess an intrusion would have changed many other files watched by rkhunter (or none if the intruder had access to rkhunter’s database).
I disassembled both binaries with objdump -d and stored the diff here: https://gist.github.com/3972886
The full dump diff generated with objdump -s is here: https://gist.github.com/3972937
I guess a file corruption would have changed either large blocks or single bits, not small blocks like this.
Do these changes look suspicious? How could I investigate more?
The system is running Debian Squeeze.
My answer:
I spot checked a few of those, and they all appear to be single-bit errors. At this point I’d consider replacing the hard drive, using RAID/ZFS, etc.
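The spot check described in the answer, as an added example that is not part of the original post: compare the reinstalled (trusted) binary with the suspect copy byte by byte and count how many bits changed in each differing byte, since isolated single-bit flips point to media corruption while multi-bit changes or runs of adjacent changed bytes look like an edit. The two inputs are constructed in memory here; on a real system you would read both files and pass their bytes to `report()`.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ByteDiff:
    offset: int        # position in the file
    good: int          # byte from the trusted copy (e.g. reinstalled package)
    bad: int           # byte from the suspect copy
    bits_flipped: int  # popcount of good XOR bad


def diff_bytes(good: bytes, bad: bytes) -> List[ByteDiff]:
    """One record per differing byte; a length mismatch is not plain corruption."""
    if len(good) != len(bad):
        raise ValueError(f"length mismatch: {len(good)} vs {len(bad)}")
    return [ByteDiff(i, g, b, bin(g ^ b).count("1"))
            for i, (g, b) in enumerate(zip(good, bad)) if g != b]


def classify(diffs: List[ByteDiff], run_gap: int = 1) -> str:
    """'identical', 'single-bit flips' (corruption-like) or 'multi-bit edits'."""
    if not diffs:
        return "identical"
    if any(d.bits_flipped > 1 for d in diffs):
        return "multi-bit edits"
    # adjacent differing bytes form a run; a run looks like a patch, not a bit flip
    if any(b.offset - a.offset <= run_gap for a, b in zip(diffs, diffs[1:])):
        return "multi-bit edits"
    return "single-bit flips"


def report(good: bytes, bad: bytes) -> str:
    """Human-readable listing of every differing byte plus the heuristic verdict."""
    diffs = diff_bytes(good, bad)
    lines = [f"0x{d.offset:06x}: {d.good:02x} -> {d.bad:02x} ({d.bits_flipped} bit(s))"
             for d in diffs]
    lines.append(f"verdict: {classify(diffs)}")
    return "\n".join(lines)


# Constructed sample data: a 256-byte stand-in for a binary.
GOOD = bytes(range(256))
CORRUPT = bytearray(GOOD)
CORRUPT[0x10] ^= 0x04   # one isolated bit flipped
CORRUPT[0x9c] ^= 0x80   # another isolated bit flipped
PATCHED = bytearray(GOOD)
PATCHED[0x40:0x44] = b"\x90\x90\x90\x90"   # a four-byte overwrite

if __name__ == "__main__":
    print(report(GOOD, bytes(CORRUPT)))
    print(report(GOOD, bytes(PATCHED)))
```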
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.