Hello,

During an incident, we discovered that some Linux binaries (ls, ps, etc.) are changing in size and md5sum over time, even on a fresh install. This was noticed on a fresh clean install of Redhat Enterprise 4, but other systems could be affected as well.
At first we suspected malicious activity, but then identified the culprit: RedHat uses prelink (http://linuxcommand.org/man_pages/prelink8.html) to speed up loading of binaries and shared libraries. From the man page:

    prelink is a program which modifies ELF shared libraries and ELF dynamically linked binaries, so that the time which dynamic linker needs for their relocation at startup significantly decreases and also due to fewer relocations the run-time memory consumption decreases too (especially number of unshareable pages). Such prelinking information is only used if all its dependant libraries have not changed since prelinking, otherwise programs are relocated normally.

prelink is called from a cron-job in /etc/cron.daily/prelink. So whenever someone updates libraries or programs, there is a good chance that all the programs and libraries configured in /etc/prelink.conf are touched and changed within the next 24 hours. After finishing the cron-job, telinit is called and restarts init without rereading the inittab. This leaves an entry in the system logfiles like /var/log/messages.

From a forensic point of view, this makes it harder to use pre-compiled hash sets to identify well-known binaries and distinguish them from binaries altered by malicious activity, since the file changes every time a library is changed. Prelink activity also changes timestamps (access time and modification time, but not creation time) on the files. At least on Redhat Enterprise, prelink activity is recorded in /var/log/prelink. It should be possible to reconstruct a timeline using the timestamp of this file and the protocol, but there is still some uncertainty.
Regards,
Martin Pfeilsticker

--
Martin Pfeilsticker
Information Security Manager
COLT Telecommunications
[EMAIL PROTECTED]
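Since a changed md5sum on a prelinked host is not by itself evidence of tampering, a useful triage step is to check whether a binary has actually been prelinked before escalating. The following is an added example, not part of the original post: it parses the ELF section table in Python and flags the .gnu.prelink_undo section that prelink inserts to hold its undo data; build_elf64 is only a constructed fixture so the check can be exercised offline.

```python
import struct
import sys

# prelink stores the data it needs to undo its changes in a section of this name
PRELINK_SECTION = b".gnu.prelink_undo"


def elf_section_names(data):
    """Return the section names of a little-endian ELF32/ELF64 image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] == 2:                                     # EI_CLASS: 2 = ELF64
        ehdr_fmt, shdr_fmt = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ"
    else:                                                # 1 = ELF32
        ehdr_fmt, shdr_fmt = "<16sHHIIIIIHHHHHH", "<IIIIIIIIII"
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]

    def shdr(i):   # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, ...
        return struct.unpack_from(shdr_fmt, data, shoff + i * shentsize)

    str_off, str_size = shdr(shstrndx)[4], shdr(shstrndx)[5]
    strtab = data[str_off:str_off + str_size]            # section name string table
    names = []
    for i in range(shnum):
        name_off = shdr(i)[0]
        names.append(strtab[name_off:strtab.index(b"\x00", name_off)])
    return names


def is_prelinked(data):
    """True if the image carries prelink's undo section, so its hash will differ from vendor hash sets."""
    return PRELINK_SECTION in elf_section_names(data)


def build_elf64(section_names):
    """Constructed test fixture: a minimal, non-executable ELF64 image holding only a section table."""
    strtab = b"\x00" + b"".join(n + b"\x00" for n in [b".shstrtab"] + list(section_names))
    shoff, shnum = 64 + len(strtab), 2 + len(section_names)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, 1)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)               # SHT_NULL
    shdrs += struct.pack("<IIQQQQIIQQ", 1, 3, 0, 0, 64, len(strtab), 0, 0, 1, 0)  # .shstrtab
    for n in section_names:
        shdrs += struct.pack("<IIQQQQIIQQ", strtab.index(n + b"\x00"), 1, 0, 0, 0, 0, 0, 0, 1, 0)
    return ehdr + strtab + shdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "prelinked" if is_prelinked(f.read()) else "not prelinked")
```

On a live system the pre-prelink checksum can be recovered with prelink -y FILE | md5sum, which is how rpm -V compares prelinked files against the package database.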
