[CentOS] Changed md5sums on a bare-bones install. Logical explanation?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



I'm new to this list, so feel free to update me on any rules
that I seem not to be familiar with.

I'm looking at some strange behavior on a _very_ barebones
installation.  I'd like to get some feedback on possible
logical explanations.

* What I'm seeing:  The md5sum of all of my binaries in
/usr/bin and /usr/sbin are changing exactly one hour
after installation of CentOS-4.3.  The sizes of the files
are increased, with minor changes visible at the beginning
of the files, and a large chunk added to the end.  Other
files are also changing (under /usr/lib for example.  Tripwire,
if installed, goes *nuts*).

My first inclination is that this is a virus, but I have
installed this OS on a non-networked machine from what I
believe to be clean CDs.

* More information:
I downloaded the x86_64 installation ISOs from wuarchive.wustl.edu.
I checked md5sums and burned the ISO images to CD and then
checked the md5sums again.   I am assuming this to mean
that the CDs are OK.

I then installed the "Minimal" package from these CDs onto
a machine which was not connected to the network.  I
allowed the installer to reformat the partitions, and
generally used default options wherever possible.

I then rebooted the machine, and checked the md5sum
of an example program (/usr/sbin/lsof).  I set up a
script to log the md5sum of /usr/sbin/lsof every 1
minute and let it run overnight.  Exactly 1 hour after
the machine had come up, the md5sum of /usr/sbin/lsof
was now changed and the binary no longer matched a copy
I had made into root's home.

Virus checkers such as clamav and f-prot (with updated
databases) are negative.  These are launched from a
Helix Incident Response LiveCD.

I have repeated this experiment dozens of times now
with different options, settings, etc.  Always with
the same outcome.  I find it hard to believe there is
a virus on the CentOS-4.3 installation ISOs, but I'm
having trouble coming up with other explanations.

For starters, what is the md5sum of *your* /usr/sbin/lsof
(if you've installed x86_64)?  Any ideas on what is
going on here?  I can perform pretty much any experiments
you can think of on this machine.

Am I missing a way for a virus to survive a reformat
of the hard drive?

Thanks in advance for any help,
John Ziniti

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux