On 09.05.22 at 13:34, t...@vandradlabs.com.au wrote:
On 2022-05-09 18:04, Elmar Stellnberger wrote:
On 09.05.22 at 00:48, Tomasz Ciolek wrote:
5. have we eliminated other causes of file mismatch - bad/incomplete
updates, corrupted HDD, bad RAM, user error ?
If exactly such files have been changed where there is reason to
manipulate them for a rootkit then one shall assume unequivocally that
there is a rootkit installed. With bad RAM you get a system crash and
with a physically bad hard disk you get filesystem errors on fsck,
Yes, bad cache ram written on a hard disk can at least by theory
result in corrupted files on disk. If you read what I have written then
you see my argument that then the whole program would have become
unusable which is not the case for our example. Also I want to add that
bad ram just causing file corruptions but no crash is somewhat very
unlikely.
Not always true. I have experienced what looked like creeping file
system corruption that was in the end tracked down to bad RAM. It only
occurred under heavy load when RAM was over-utilised and then swapped out.
As said, I don't really believe what you tell here. By theory
non-ECC ram can have errors, but these are very rare. Damaged ram on the
other hand is damaged independent of the system load and it usually
causes more severe/obvious effects. The probability that a corrupt ram
block affects only block data but no kernel data structures is not that
high as these tend to be interleaved.
none of which you get with a rootkit where only certain files have
been manipulated intentionally. A broken update could theoretically
result in a singleton file of half the size. Usually running programs
again I have seen bad/partial
An update can only leave a partial file that is a prefix of an
original file, never a corrupted one. That is, if you read what I have
told. All modern Linux filesystems use journalling and there will be no
corruption like eventually on old Windows machines.
> I would want to see more information about what diagnostics were
> done before I cry rootkit.
>
You are one of the people who want to tell people that they are not
infected by a rootkit, when they obviously are. My recommendation for
everyone is, care not to trust such people!
Besides this I have requested Sylvain to collect more information, as
this can still be interesting.