On Fri, Sep 07, 2001 at 10:27:41PM +0200, Roman Drahtmueller wrote: [...]
filesystem corruption? Make a hexdump of the two files and compare them. If you see defects that seem to be block-aligned, then this suggests a fs corruption. What kind of filesystem are you using? Which kernel version?
# uname -a
Linux epsilon 2.4.4-4GB #1 Wed May 16 00:37:55 GMT 2001 i686 unknown
# mount
/dev/hda2 on / type ext2 (rw)
It could of course be a result of an intrusion, yes. But you don't provide any more indication that this is the case...
don't think so. this is behind a firewall, no users, no access, not even yet
finished with setup of machine. the only service is apache, which is
up and running without complaints, denies all queries except to one
dedicated region where the coldfusion server should take over. alas,
yes, this one did several core dumps and is (was) running as root. but
it looks more like an internal problem. I mean the queries which obviously
caused the seg fault were issued during the testing by ourselves.
But just in case, there should be more changed files, some ports open or sort of
r00tkit... I'm not sure whether I know it when I see it, but there are no
other complaints from seccheck so far. Not running tripwire or the like. (not
yet.)
===
[ quoted from another posting by Martin Leweling ]
Hmm, since file size and modification time seem to be ok I could imagine it's a bad block on your hard disk. On the other hand, I don't know if md5sum would complain on an I/O error or simply take what it can read and dump the checksum of that.

did od -t x1 ld-2.2.2.so > *.hexdump and diff *.hexdump:

--- ld-2.2.2.so.hexdump Sat Sep 8 11:55:38 2001
+++ ld-2.2.2.so.orig.hexdump Sat Sep 8 11:55:50 2001
@@ -2054,7 +2054,7 @@
 0100240 8b 83 dc 00 00 00 89 75 dc 8b 38 85 ff 74 2d 31
 0100260 f6 c7 45 bc 00 00 00 00 83 c4 f8 8b 45 bc 03 83
 0100300 d8 00 00 00 50 57 e8 d5 8c 00 00 83 c4 10 85 c0
-0100320 74 9e 83 45 bc 05 46 83 fe 03 7e dc 38 ff ff ff
+0100320 74 9e 83 45 bc 05 46 83 fe 03 7e dc b8 ff ff ff
 0100340 ff 89 45 d4 c1 f8 1f 89 45 d8 83 7d d4 ff 75 06
 0100360 83 7d d8 ff 74 1e 8a 4d d4 b8 01 00 00 00 31 d2
 0100400 0f a5 c2 d3 e0 f6 c1 20 74 04 89 c2 31 c0 89 45
                                             ^
in case you did not spot it: there is just one bitflip.
You could run strings on both files and diff the output, or use cmp. Also check whether you get I/O errors when copying the file with dd to another place (see /var/log/warn).
no problem with this one.
At least your coldfusion restart problem could be explained by a damaged library.
by just one bitflip? why do all the other shared libs run, then?
===
ok, so all there is to it: go in single user or boot from rescue system and replace?
is there any tool for checking this kind of problem? tripwire all system files?

Thank you,
Lars
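Two things the thread asks for, automated as an added example (this is not code from the thread or from any of its participants): Roman's hexdump comparison, with the "are the defects block-aligned?" test made explicit, and the tripwire-style baseline check Lars asks about at the end. The buffers below are constructed filler, not real library contents; the flipped byte is placed at the offset of the differing byte in the quoted od diff (octal 0100320, 13th byte) and the 512-byte sector size used for the alignment heuristic is an assumption.

```python
"""
Added example, not code from the thread: compare two copies of a file and say
whether they differ by a lone bit flip, by whole damaged blocks, or in a
scattered way, plus a sha256 manifest check of the kind tripwire performs.
All sample data is constructed.
"""
import hashlib
from pathlib import Path
from typing import Callable, Dict, List, Tuple

BLOCK_SIZE = 512  # assumed sector size for the block-alignment heuristic


def diff_runs(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Contiguous (start, length) runs of differing bytes; sizes must match."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    runs: List[Tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs


def bits_flipped(a: bytes, b: bytes) -> int:
    """Total number of differing bits (Hamming distance) between equal-length buffers."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def classify(a: bytes, b: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Summarise how b differs from a: identical, a lone bit flip, whole damaged
    blocks (the pattern that points at disk/filesystem trouble), or scattered."""
    runs = diff_runs(a, b)
    nbits = bits_flipped(a, b)
    # A run is block-aligned if it starts on a block boundary and covers whole
    # blocks (or continues to end of file).
    aligned = bool(runs) and all(
        s % block_size == 0 and (n % block_size == 0 or s + n == len(a))
        for s, n in runs
    )
    if not runs:
        verdict = "identical"
    elif nbits == 1:
        verdict = "single bit flip"
    elif aligned:
        verdict = "block-aligned damage (suspect disk or filesystem)"
    else:
        verdict = "scattered differences"
    return {
        "runs": runs,
        "differing_bytes": sum(n for _, n in runs),
        "bits_flipped": nbits,
        "verdict": verdict,
    }


def classify_files(current: str, known_good: str) -> dict:
    """Same check on two files on disk, e.g. the installed library and a copy from install media."""
    return classify(Path(known_good).read_bytes(), Path(current).read_bytes())


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """name -> sha256 of a known-good copy: the baseline a tripwire-style tool stores."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_manifest(manifest: Dict[str, str], read: Callable[[str], bytes]) -> List[str]:
    """Names whose current content (fetched via read) no longer matches the baseline."""
    return [
        name for name, digest in manifest.items()
        if hashlib.sha256(read(name)).hexdigest() != digest
    ]


# --- constructed sample data (not real library contents) ---
GOOD = bytes(range(256)) * 256                 # 65536 bytes of filler standing in for ld-2.2.2.so
FLIP_OFFSET = 0o100320 + 12                    # 13th byte of the od line at octal offset 0100320
_flipped = bytearray(GOOD)
_flipped[FLIP_OFFSET] ^= 0x80                  # 0x38 vs 0xb8 in the quoted diff is exactly bit 7
BITFLIPPED = bytes(_flipped)
# One whole 512-byte block replaced by garbage (inverted here so every byte differs).
BLOCK_DAMAGED = (
    GOOD[: 4 * BLOCK_SIZE]
    + bytes(x ^ 0xFF for x in GOOD[4 * BLOCK_SIZE : 5 * BLOCK_SIZE])
    + GOOD[5 * BLOCK_SIZE :]
)

if __name__ == "__main__":
    for label, other in (("bit flip", BITFLIPPED), ("bad block", BLOCK_DAMAGED)):
        r = classify(GOOD, other)
        print(f"{label}: {r['verdict']}, runs={r['runs']}, bits={r['bits_flipped']}")
    baseline = build_manifest({"ld-2.2.2.so": GOOD})
    live = {"ld-2.2.2.so": BITFLIPPED}
    print("manifest mismatches:", verify_manifest(baseline, live.__getitem__))
```

The verdict only separates the shapes of damage; it does not tell you who or what caused it. A single flipped bit in an otherwise intact file is consistent with a media or memory error, while a run that starts on a sector boundary and covers whole sectors is what a bad block looks like. In either case the manifest check is the part worth keeping: a baseline of hashes taken from install media or a fresh install lets you answer "which other files changed?" instead of hunting with seccheck output.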