coincidence or rootkit?
Posted on September 24, 2006, 12:33 am
out of curiosity, I decided to try OpenSUSE 10.1 (mainly
to check Xen 3, I know there are other distros, but I
decided for once to try this one).
I burned 5 CDs and, upon booting the first CD, asked to
do a "media check", and the OpenSUSE installer gave me
an "invalid md5sum".
Quite surprised, I checked the md5sum of the .iso file
I still had and, sure enough, it was different from
the md5 given by OpenSUSE.
So I re-downloaded, from another system, the CD1, checked
its md5sum and burned it. This time everything was right.
I decided, however, to check where the mismatch was between
the two .iso of the CD1 I had.
Every file was identical, besides this one:
$ md5sum /mnt/isogood/suse/i586/kernel-smp-18.104.22.168-4.i586.rpm
$ md5sum /mnt/isobad/suse/i586/kernel-smp-22.214.171.124-4.i586.rpm
exact same size, but different md5sum.
I tried to "unpack" both archives, with the following command:
rpm2cpio (rpm_name_here) | cpio -ivd
it worked for the known good rpm file but failed for the other,
with the following message:
$ rpm2cpio (rpm_name_here) | cpio -ivd
cpio: premature end of file
rpm --checksig also fails on that bad rpm:
$ rpm --checksig /mnt/hda2/bad.rpm
/mnt/hda2/bad.rpm: sha1 MD5 GPG NOT OK
And at that point symtypes-126.96.36.199-4-smp.gz has
the size it should have, but its content differs from
the same file extracted from the correct rpm. I cannot
"gunzip" that file:
$ gunzip boot/symtypes-188.8.131.52-4-smp.gz
gunzip: boot/symtypes-184.108.40.206-4-smp.gz: invalid compressed
So is it just a random glitch that corrupted the file and
resulted in a broken .rpm file?
Is there anything else I could do to try to see what happened
to that (corrupt or rooted) rpm?
I was thinking that maybe one of my systems could be "rooted" and
that some attacker (maybe automated) modified the .iso (I left the
5 OpenSUSE iso files for a few days on the computer before burning
them). Though this may be a little bit far-fetched.
Thanks for any thoughts,
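The file-by-file comparison described in the post (two mounted ISO trees, one file with the same size but a different md5sum) can be automated, and the shape of the difference is itself useful evidence: a single flipped bit inside a compressed payload is consistent with a transfer or media glitch, whereas many scattered changes, or a size change, deserve a closer look. The script below is an added example, not code from the post or from the OpenSUSE project; the directory names and the embedded sample trees are constructed stand-ins for /mnt/isogood and /mnt/isobad, and the "glitch" heuristic is an assumption for triage, not a verdict.

```python
import hashlib
import os
import sys
from typing import Dict, List, Tuple

# Constructed sample data standing in for the two mounted ISO trees.
# Each tree maps a relative path to the file's bytes.
GOOD_TREE: Dict[str, bytes] = {
    "suse/i586/kernel-smp.rpm": b"\xed\xab\xee\xdb" + b"payload " * 8,
    "suse/i586/glibc.rpm": b"\xed\xab\xee\xdb" + b"glibc" * 5,
}
BAD_TREE: Dict[str, bytes] = dict(GOOD_TREE)
# Simulate the post's symptom: same size, one bit flipped deep inside.
_corrupt = bytearray(GOOD_TREE["suse/i586/kernel-smp.rpm"])
_corrupt[40] ^= 0x10
BAD_TREE["suse/i586/kernel-smp.rpm"] = bytes(_corrupt)


def md5_hex(data: bytes) -> str:
    """md5 is what the installer's media check and the post compare."""
    return hashlib.md5(data).hexdigest()


def differing_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where two equal-length buffers differ."""
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def classify(entry: dict) -> str:
    """Heuristic (assumption): one short contiguous change in an equal-size
    file looks like a bit flip; anything else warrants inspection."""
    if not entry["same_size"]:
        return "size differs: inspect"
    if len(entry["ranges"]) == 1 and entry["bytes_changed"] <= 8:
        return "single small change: consistent with transfer/media glitch"
    return "multiple or large changes: inspect"


def compare_trees(good: Dict[str, bytes], bad: Dict[str, bytes]) -> dict:
    """Report every path whose digest differs, with the byte ranges involved."""
    report = {}
    for path in sorted(set(good) | set(bad)):
        if path not in good or path not in bad:
            report[path] = {"status": "missing"}
            continue
        g, b = good[path], bad[path]
        if md5_hex(g) == md5_hex(b):
            continue
        entry = {"status": "differs", "same_size": len(g) == len(b),
                 "ranges": [], "bytes_changed": 0}
        if entry["same_size"]:
            entry["ranges"] = differing_ranges(g, b)
            entry["bytes_changed"] = sum(e - s for s, e in entry["ranges"])
        entry["verdict"] = classify(entry)
        report[path] = entry
    return report


def load_tree(root: str) -> Dict[str, bytes]:
    """Read every regular file under a mount point (whole files in memory,
    which is fine for a CD-sized tree)."""
    tree: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                with open(full, "rb") as fh:
                    tree[os.path.relpath(full, root)] = fh.read()
    return tree


if __name__ == "__main__":
    # Usage: python compare_iso_trees.py /mnt/isogood /mnt/isobad
    # With no arguments the constructed sample trees are compared.
    if len(sys.argv) == 3:
        result = compare_trees(load_tree(sys.argv[1]), load_tree(sys.argv[2]))
    else:
        result = compare_trees(GOOD_TREE, BAD_TREE)
    for path, info in result.items():
        print(path, info)
```

Run it against the two mounted trees to get the list of differing files plus the byte offsets involved; the offsets can then be mapped onto the rpm's structure (header vs. compressed payload) to see which part was damaged. A clean `rpm --checksig` on the good copy, as in the post, remains the authoritative check, since it verifies the vendor's GPG signature rather than just a digest.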
Ertugrul Soeylemez
September 24, 2006, 1:25 am
Re: coincidence or rootkit?
sorry for the long delay...
Ertugrul Soeylemez wrote:
I don't remember on which European server I downloaded
the iso, but I can give a link to the single rpm file that differs
between the two versions...
Here's a link to the correct file:
e5577626d5a6effb0eb8bc95c77a3369 (md5sum of correct file)
Here's a link to the bogus .rpm file (it's the only file from the
whole CD that differs from the good CD) :
8e0c75e258ee41e1950763d95cfc5008 (md5sum of bogus file)
Once again as that happened to some kernel file I was wondering if
it was just a random error (where's the ECC memory when you need it ;)
or if it was something nastier...
thanks for the answers,