To me the same thing happens in Slackware 11.0
I have not investigated the case.
But I was the same case, said that the checksum (md5, sha) has changed
in some files when they never been reinstated, updated or executed
some time.
Greetings
On Feb 5, 2008 9:14 AM, hv <[EMAIL PROTECTED]> wrote:
>
> I'm trying to analyse what caused this change; this was one of about
> 20 files reported as changed, but the only one that (as far as I know)
> I regularly use. The last software update happened a bit over a week
> ago, and resulted in an immediate slew of "checksum changed" warnings,
> so I assume ossec didn't check half the files immediately and then
> leave the rest to be looked at a week later.
>
> It is possible the file was patched or replaced by a hacker, I guess,
> but I see no other evidence of an intrusion, and I wonder if there may
> be some other cause.
>
> The file was originally installed from the package
> xterm-227-1.fc6.i386 on a Fedora Core 6 system. Using readelf to look
> at the file before and after a forced reinstall, the modified ELF
> file:
> - has the same timestamp and permissions
> - is 5,720 bytes longer
> - has 4 more section headers:
> [Nr] Name Type Addr Off Size ES Flg
> Lk Inf Al
> [ 5] .gnu.liblist GNU_LIBLIST 0804874c 00174c 000190 14
> A 7 0 4
> [ 6] .gnu.conflict RELA 080488dc 0018dc 000aec 0c
> A 4 0 4
> [26] .dynbss PROGBITS 08098460 051460 00003c 00
> WA 0 0 32
> [29] .gnu.prelink_undo PROGBITS 00000000 0514ac 000544
> 01 0 0 4
> - the first section listed by readelf (".dynamic") has 4 more entries:
> 0x6ffffef9 (GNU_LIBLIST) 0x804874c
> 0x6ffffdf7 (GNU_LIBLISTSZ) 400 (bytes)
> 0x6ffffef8 (GNU_CONFLICT) 0x80488dc
> 0x6ffffdf6 (GNU_CONFLICTSZ) 2796 (bytes)
>
> I don't know anything about the internals of ELF executables, but
> these look vaguely like fixups that *might* happen on a running
> system. So my question is: does anyone know of a behaviour on FC6 that
> would modify an executable in-place like this? Is there something I
> can usefully do to determine a) what changed, and b) what caused the
> change?
>
> Thanks in advance for any suggestions,
>
> Hugo
>
--
Ulises U. Cuñé
Web: http://www.ulises2k.com.ar
