coincidence or rootkit?

Hi everybody,

out of curiosity, I decided to try OpenSUSE 10.1 (mainly
to check Xen 3, I know there are other distros, but I
decided for once to try this one).

I burned 5 CDs, and, upon booting the first CD, asked to
do a "media check"; the OpenSUSE installer gave me
an "invalid md5sum".

Quite surprised, I checked the md5sum of the .iso file
I still had and, sure enough, it was different from
the md5 given by OpenSUSE.

So I re-downloaded CD1 from another system, checked
its md5sum and burned it.  This time everything was right.

I decided, however, to check where the mismatch was between
the two .iso of the CD1 I had.

Every file was identical, besides this one:

$ md5sum /mnt/isogood/suse/i586/kernel-smp-

$ md5sum /mnt/isobad/suse/i586/kernel-smp-

exact same size, but different md5sum.

I tried to "unpack" both archives with the following command:

$ rpm2cpio (rpm_name_here) | cpio -ivd

It worked for the known good rpm file but failed for the other,
with the following message:

$ rpm2cpio (rpm_name_here) | cpio -ivd
cpio: premature end of file

rpm --checksig also fails on that bad rpm:

$ rpm --checksig /mnt/hda2/bad.rpm
/mnt/hda2/bad.rpm: sha1 MD5 GPG NOT OK

And at that point symtypes- has
the size it should have, but its contents differ from
the same file extracted from the correct rpm.  I cannot
"gunzip" that file:

$ gunzip boot/symtypes-

gunzip: boot/symtypes- invalid compressed
data--format violated

So is it just a random glitch that corrupted the file and
resulted in a broken .rpm file?

Is there anything else I could do to try to see what happened
to that (corrupt or rooted) rpm?

I was thinking that maybe one of my systems could be "rooted" and
that some attacker (maybe automated) modified the .iso (I left the
5 OpenSUSE iso files for a few days on the computer before burning
them).  Though this may be a little bit far-fetched.

Thanks for any thoughts,
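The checks the post walks through (compare digests, then find where two same-size copies actually differ) can be automated. The script below is an added example, not code from the thread: it verifies a digest, lists the differing byte offsets between a known-good and a suspect copy, and counts how many bits changed, which is the quickest way to tell a transmission or memory bit-flip from a region that was deliberately rewritten. The file paths and the sample buffers are constructed for illustration.

```python
import hashlib
from typing import List, Tuple

Diff = Tuple[int, int, int]  # (offset, byte in good copy, byte in bad copy)


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of in-memory data. md5 mirrors the installer's media check;
    sha256 is what you would compare against a vendor checksum today."""
    return hashlib.new(algo, data).hexdigest()


def differing_bytes(good: bytes, bad: bytes, base_offset: int = 0) -> List[Diff]:
    """List every position where the two buffers differ.
    The two copies in the thread had exactly the same size, so an unequal
    length is treated as an error rather than silently truncated."""
    if len(good) != len(bad):
        raise ValueError(f"size mismatch: {len(good)} vs {len(bad)}")
    return [(base_offset + i, g, b) for i, (g, b) in enumerate(zip(good, bad)) if g != b]


def bit_flips(diffs: List[Diff]) -> int:
    """Total number of differing bits across all differing bytes (Hamming distance)."""
    return sum(bin(g ^ b).count("1") for _, g, b in diffs)


def classify(diffs: List[Diff]) -> str:
    """Rough verdict: a few isolated single-bit changes look like a transfer or
    memory error; a contiguous run of rewritten bytes does not."""
    if not diffs:
        return "identical"
    flips = bit_flips(diffs)
    offsets = [d[0] for d in diffs]
    contiguous = offsets[-1] - offsets[0] + 1 == len(offsets)
    if flips == len(diffs) and len(diffs) <= 4:
        return "isolated single-bit flips (consistent with a transfer or memory error)"
    if contiguous and len(diffs) >= 8:
        return "contiguous run of rewritten bytes (inspect as possible deliberate modification)"
    return "multi-byte difference; inspect further"


def compare_files(good_path: str, bad_path: str, chunk: int = 1 << 20) -> List[Diff]:
    """Chunked comparison for large images such as a CD .iso; offsets are absolute."""
    diffs: List[Diff] = []
    offset = 0
    with open(good_path, "rb") as fg, open(bad_path, "rb") as fb:
        while True:
            g, b = fg.read(chunk), fb.read(chunk)
            if not g and not b:
                return diffs
            diffs.extend(differing_bytes(g, b, offset))
            offset += len(g)


# Constructed sample data (not the files from the thread): a 1 KiB "good" copy,
# a copy with a single flipped bit, and a copy with a 16-byte region overwritten.
GOOD = bytes(range(256)) * 4
_flip = bytearray(GOOD)
_flip[300] ^= 0x08
BAD_BITFLIP = bytes(_flip)
_patch = bytearray(GOOD)
_patch[512:528] = b"\x90" * 16
BAD_PATCHED = bytes(_patch)


if __name__ == "__main__":
    for label, bad in (("bit flip", BAD_BITFLIP), ("patched", BAD_PATCHED)):
        d = differing_bytes(GOOD, bad)
        print(f"{label}: md5 {digest(bad)} vs {digest(GOOD)}; "
              f"{len(d)} byte(s), {bit_flips(d)} bit(s): {classify(d)}")
```

For two real copies, `compare_files("/path/to/good.iso", "/path/to/bad.iso")` returns the same offset list, which can then be mapped back to the file inside the image (here the kernel rpm) that occupies those sectors.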


Re: coincidence or rootkit? (06-09-23 17:33:56):


Could you provide the URL to the broken ISO file?  And ideally provide a
URL to the correct file, too.


Re: coincidence or rootkit?


sorry for the long delay...

Ertugrul Soeylemez wrote:

I don't remember on which European server I downloaded
the iso, but I can give a link to the single rpm file that differs
between the two versions...

Here's a link to the correct file:

md5sum /home/public/dl/kernel-smp-
e5577626d5a6effb0eb8bc95c77a3369   (md5sum of correct file)

Here's a link to the bogus .rpm file (it's the only file from the
whole CD that differs from the good CD):

md5sum /home/public/dl/kernel-smp-
8e0c75e258ee41e1950763d95cfc5008 (md5sum of bogus file)

Once again, as that happened to a kernel file, I was wondering if
it was just a random error (where's the ECC memory when you need it ;)
or if it was something nastier...

thanks for the answers,


Re: coincidence or rootkit?

On 23 Sep 2006 17:33:56 -0700, wrote:


So you got a bit-flip on download, it happens...
