To me the same thing happens in Slackware 11.0 I have not investigated the case. But I was the same case, said that the checksum (md5, sha) has changed in some files when they never been reinstated, updated or executed some time.
Greetings On Feb 5, 2008 9:14 AM, hv <[EMAIL PROTECTED]> wrote: > > I'm trying to analyse what caused this change; this was one of about > 20 files reported as changed, but the only one that (as far as I know) > I regularly use. The last software update happened a bit over a week > ago, and resulted in an immediate slew of "checksum changed" warnings, > so I assume ossec didn't check half the files immediately and then > leave the rest to be looked at a week later. > > It is possible the file was patched or replaced by a hacker, I guess, > but I see no other evidence of an intrusion, and I wonder if there may > be some other cause. > > The file was originally installed from the package > xterm-227-1.fc6.i386 on a Fedora Core 6 system. Using readelf to look > at the file before and after a forced reinstall, the modified ELF > file: > - has the same timestamp and permissions > - is 5,720 bytes longer > - has 4 more section headers: > [Nr] Name Type Addr Off Size ES Flg > Lk Inf Al > [ 5] .gnu.liblist GNU_LIBLIST 0804874c 00174c 000190 14 > A 7 0 4 > [ 6] .gnu.conflict RELA 080488dc 0018dc 000aec 0c > A 4 0 4 > [26] .dynbss PROGBITS 08098460 051460 00003c 00 > WA 0 0 32 > [29] .gnu.prelink_undo PROGBITS 00000000 0514ac 000544 > 01 0 0 4 > - the first section listed by readelf (".dynamic") has 4 more entries: > 0x6ffffef9 (GNU_LIBLIST) 0x804874c > 0x6ffffdf7 (GNU_LIBLISTSZ) 400 (bytes) > 0x6ffffef8 (GNU_CONFLICT) 0x80488dc > 0x6ffffdf6 (GNU_CONFLICTSZ) 2796 (bytes) > > I don't know anything about the internals of ELF executables, but > these look vaguely like fixups that *might* happen on a running > system. So my question is: does anyone know of a behaviour on FC6 that > would modify an executable in-place like this? Is there something I > can usefully do to determine a) what changed, and b) what caused the > change? > > Thanks in advance for any suggestions, > > Hugo > -- Ulises U. Cuñé Web: http://www.ulises2k.com.ar