Ubuntu 8.04 kernel variation?
Posted on January 29, 2009, 4:57 pm
network on a few machines right now that are running Ubuntu 8.04 Desktop
as their primary OS. I've pulled one of these machines out to run some
'forensics' on, and I'm trying to determine whether or not the kernel
itself was compromised (almost certainly in an effort to hide TCP/IP
traffic on a certain port).
The machine that I am running these tests on had been using the 'stock'
kernel that came with the Ubuntu 8.04 Desktop install at the time that
they were set up. This kernel version is vmlinuz-2.6.24-19-generic. I
have run a sha1 hash check against this kernel version as well as a hash
check from the exact same (patch level and all) kernel version on a
'clean' machine. The sha1 hashes differ, and upon closer inspection it
appears that the [probable] dirty kernel version is a few K larger than
the clean one.
What I'm wondering is if there is anything that would have affected this
other than intrusion? As I stated, there were no packages added
regarding different kernels; I'm pretty sure that this /boot/vmlinuz*
binary should not change sizes based just on possible module insertion
or anything, too. Can anyone help me confirm that this is indeed a sign
of probable malicious intrusion?
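Added example, not code from this thread: the same comparison as the sha1 check above, but against the checksums the kernel package itself recorded at install time. It reads a dpkg-style md5sums list (on a real Ubuntu box, /var/lib/dpkg/info/linux-image-<version>.md5sums, dpkg's usual layout) and flags any listed file that is missing or altered; the demo tree it builds is constructed, not a real /boot.

```shell
#!/bin/sh
# Added example, not from this thread. Verifies the files listed in a
# dpkg-style md5sums file ("<md5>  <path relative to root>" per line)
# against what is on disk. On a real Ubuntu box root is / and the list is
# /var/lib/dpkg/info/linux-image-<version>.md5sums (dpkg's usual layout).
# Returns 0 when every listed file matches, 1 if any is missing or altered.
verify_md5sums() {
    root="$1"; list="$2"; bad=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue
        f="$root/$relpath"
        if [ ! -f "$f" ]; then
            echo "MISSING  $relpath"; bad=1; continue
        fi
        actual=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath (expected $expected, got $actual)"; bad=1
        fi
    done < "$list"
    return "$bad"
}

# Constructed demo tree (stand-in for /): a fake kernel image plus the
# md5sums list a package would have recorded for it. Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/boot"
    printf 'fake kernel image\n' > "$root/boot/vmlinuz-2.6.24-19-generic"
    printf '%s  boot/vmlinuz-2.6.24-19-generic\n' \
        "$(md5sum "$root/boot/vmlinuz-2.6.24-19-generic" | cut -d' ' -f1)" \
        > "$root/linux-image.md5sums"
    echo "$root"
}

# Demo: the untouched image passes; appending a few bytes (the "few K
# larger" symptom) makes the same check report a MISMATCH.
demo() {
    root=$(make_demo_tree)
    verify_md5sums "$root" "$root/linux-image.md5sums" || return 1
    printf 'extra bytes\n' >> "$root/boot/vmlinuz-2.6.24-19-generic"
    if verify_md5sums "$root" "$root/linux-image.md5sums"; then
        echo "tampering NOT detected"; return 1
    fi
    echo "tampering detected"
}
demo
```

initrd.img-* is generated on each machine by update-initramfs and is not in the package's md5sums, so its size and hash legitimately differ between hosts, whereas vmlinuz-* should match the package byte for byte. The on-disk dpkg database can itself be altered on a compromised host, so for a suspected intrusion take the reference checksums from a .deb downloaded on a trusted machine.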
Re: Ubuntu 8.04 kernel variation?
FWIW, here are the files on my Ubuntu system; seems I missed
Ubuntu 8.04.1, kernel 2.6.24-18-generic, 3-JUNE-2008
Ubuntu 8.04.1, kernel 2.6.24-19-generic, 28-AUGUST-2008
Ubuntu 8.04.1, kernel 2.6.24-21-generic, 21-OCTOBER-2008
Ubuntu 8.04.1, kernel 2.6.24-22-generic, 24-NOVEMBER-2008
Ubuntu 8.04.1, kernel 2.6.24-23-generic, 27-NOVEMBER-2008
7455526 2008-06-03 23:20 initrd.img-2.6.24-18-generic
7494286 2008-08-26 19:06 initrd.img-2.6.24-19-generic
7496655 2008-11-06 22:38 initrd.img-2.6.24-21-generic
7493953 2008-12-11 18:10 initrd.img-2.6.24-22-generic
7495372 2009-01-21 18:26 initrd.img-2.6.24-23-generic
1921528 2008-05-28 19:39 vmlinuz-2.6.24-18-generic
1921464 2008-08-20 21:46 vmlinuz-2.6.24-19-generic
1920760 2008-10-21 20:12 vmlinuz-2.6.24-21-generic
1921176 2008-11-24 14:47 vmlinuz-2.6.24-22-generic
1921976 2008-11-27 14:13 vmlinuz-2.6.24-23-generic