
Hi there,

I have a couple of SuSE 7.2 systems. On one of them:

# rpm -V glibc
..5.....   /lib/ld-2.2.2.so
# md5sum /lib/ld-2.2.2.so
36e9320d606f456f84951ba510209fc0  /lib/ld-2.2.2.so

as opposed to

1312001a7eb2ccb4b666fe9f0775b932  /lib/ld-2.2.2.so

as it should be. This is glibc-2.2.2-38, and I wonder how this can happen. This one is almost always 'busy', so who or what could have changed it?

One other shared-libs-related effect I have right now is that from one moment to the next our ColdFusion server won't restart. It complains about unresolved symbols.

Any idea?

Thank you,
Lars
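As an added example (not part of the original posting, and not SuSE's tooling), the sh/awk snippet below triages `rpm -V` output the way Lars's `..5.....` line invites. The flag layout is rpm's own (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime): a digest mismatch with size and mtime still matching is a silent content change, which is what bit rot and a replacement with a restored timestamp both look like, so those files are the ones to compare byte for byte against a copy from the package media rather than trusting the local rpm database, which an intruder can edit. The verdict names, the function names and the sample lines are mine; the sample is constructed.

```sh
#!/bin/sh
# Triage `rpm -V` output. rpm prints one line per file that fails a test:
# an 8-character flag field (rpm 3, as on SuSE 7.2; rpm 4 appends a ninth "P"
# column, which does not move the positions used below), an optional attribute
# column such as "c" for config files, then the path.
# "." = test passed, "?" = test could not be performed.
#   S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime
classify_rpmv() {
    awk '
        $1 == "missing" { printf "%s\tMISSING\n", $NF; next }
        {
            f = $1; path = $NF
            size = substr(f, 1, 1); digest = substr(f, 3, 1); mtime = substr(f, 8, 1)
            if (digest == "5" && size == "." && mtime == ".")
                verdict = "SILENT_CHANGE"   # content differs, size and mtime intact: bit rot or a backdated replacement (verdict names are mine)
            else if (digest == "5")
                verdict = "REWRITTEN"       # content plus size/mtime changed: edited or upgraded outside rpm
            else if (digest == "?")
                verdict = "UNREADABLE"      # digest could not be computed (I/O error, permissions)
            else
                verdict = "METADATA_ONLY"   # content intact; mode/owner/link/device differ
            printf "%s\t%s\n", path, verdict
        }'
}

# Constructed sample: the kind of lines `rpm -Va` prints on a box like the one
# discussed (the paths other than /lib/ld-2.2.2.so are invented for the demo).
rpmv_sample() {
    printf '%s\n' \
        '..5.....   /lib/ld-2.2.2.so' \
        'S.5....T c /etc/ld.so.conf' \
        '.M......   /usr/bin/passwd' \
        '..?.....   /var/log/dead.file' \
        'missing    /sbin/ifconfig'
}

# Number of files whose content changed while size and mtime stayed the same:
# the ones that deserve a byte-level comparison against the package's copy.
silent_change_count() {
    rpmv_sample | classify_rpmv | grep -c 'SILENT_CHANGE$'
}
```

On a live system you would replace `rpmv_sample` with `rpm -Va`, and treat every SILENT_CHANGE as "compare against the original from the RPM" rather than "corruption", since rpm -V by itself cannot tell the two apart.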

> Hi there,
> I have a couple of SuSE 7.2 systems. On one of them:
>
> # rpm -V glibc
> ..5.....   /lib/ld-2.2.2.so
> # md5sum /lib/ld-2.2.2.so
> 36e9320d606f456f84951ba510209fc0  /lib/ld-2.2.2.so
>
> as opposed to
>
> 1312001a7eb2ccb4b666fe9f0775b932  /lib/ld-2.2.2.so
>
> as it should be.

Correct.

> This is glibc-2.2.2-38, and I wonder how this can happen. This one is almost always 'busy', so who or what could have changed it?
>
> One other shared-libs-related effect I have right now is that from one moment to the next our ColdFusion server won't restart. It complains about unresolved symbols.
>
> Any idea?

Filesystem corruption? Make a hexdump of the two files and compare them. If you see defects that seem to be block-aligned, then this suggests a fs corruption. What kind of filesystem are you using? Which kernel version?

It could of course be a result of an intrusion, yes. But you don't provide any more indication that this is the case...

> Thank you,
> Lars

Roman.

--
 -                                                                    -
| Roman Drahtmüller <draht@suse.de>    "Caution: Cape does not        |
| SuSE GmbH - Security                  enable user to fly."          |
| Nürnberg, Germany                    (Batman Costume warning label) |
 -                                                                    -

On Fri, Sep 07, 2001 at 10:27:41PM +0200, Roman Drahtmueller wrote:
[...]
> Filesystem corruption? Make a hexdump of the two files and compare them. If you see defects that seem to be block-aligned, then this suggests a fs corruption. What kind of filesystem are you using? Which kernel version?

# uname -a
Linux epsilon 2.4.4-4GB #1 Wed May 16 00:37:55 GMT 2001 i686 unknown
# mount
/dev/hda2 on / type ext2 (rw)

> It could of course be a result of an intrusion, yes. But you don't provide any more indication that this is the case...

Don't think so. This is behind a firewall, no users, no access, not even finished with the setup of the machine yet. The only service is Apache, which is up and running without complaints and denies all queries except to one dedicated region where the ColdFusion server should take over. Alas, yes, this one did several core dumps and is (was) running as root. But it looks more like an internal problem; I mean the queries which obviously caused the seg fault were issued during the testing by ourselves. But just in case, there should be more changed files, some ports open or some sort of r00tkit... I'm not sure whether I'd know it when I see it, but there are no other complaints from seccheck so far. Not running tripwire or the like. (Not yet.)

=== [ quoted from another posting by Martin Leweling <lewelin@uni-muenster.de> ]

> Hmm, since file size and modification time seem to be ok I could imagine it's a bad block on your hard disk. On the other hand, I don't know if md5sum would complain on an I/O error or simply take what it can read and dump the checksum of that.

Did od -t x1 ld-2.2.2.so > *.hexdump and diff *.hexdump:

--- ld-2.2.2.so.hexdump	Sat Sep  8 11:55:38 2001
+++ ld-2.2.2.so.orig.hexdump	Sat Sep  8 11:55:50 2001
@@ -2054,7 +2054,7 @@
 0100240 8b 83 dc 00 00 00 89 75 dc 8b 38 85 ff 74 2d 31
 0100260 f6 c7 45 bc 00 00 00 00 83 c4 f8 8b 45 bc 03 83
 0100300 d8 00 00 00 50 57 e8 d5 8c 00 00 83 c4 10 85 c0
-0100320 74 9e 83 45 bc 05 46 83 fe 03 7e dc 38 ff ff ff
+0100320 74 9e 83 45 bc 05 46 83 fe 03 7e dc b8 ff ff ff
 0100340 ff 89 45 d4 c1 f8 1f 89 45 d8 83 7d d4 ff 75 06
 0100360 83 7d d8 ff 74 1e 8a 4d d4 b8 01 00 00 00 31 d2
 0100400 0f a5 c2 d3 e0 f6 c1 20 74 04 89 c2 31 c0 89 45
                                             ^

In case you did not spot it: there is just one bitflip.

> You could run strings on both files and diff the output, or use cmp. Also check whether you get I/O errors when copying the file with dd to another place (see /var/log/warn).

No problem with this one.

> At least your coldfusion restart problem could be explained by a damaged library.

By just one bitflip? Why do all the other shared libs run, then?

===

OK, so all there is to it: go into single user or boot from the rescue system and replace? Is there any tool for checking this kind of problem? tripwire all system files?

Thank you,
Lars
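The od/diff comparison Lars did by hand, and the dd re-read Martin suggested, as an added example that is not part of the thread: `bitflip_report` runs `cmp -l` on a suspect file and a reference copy and, for every differing byte, prints the 0-based offset, which 4 KiB block it falls in, both byte values and how many bits differ; `bitflip_summary` condenses that into counts, so Roman's "are the defects block-aligned?" question can be answered without reading a hexdump. The 4096-byte block size is an assumption (check `tune2fs -l` for the real one), the function names are mine, and `make_sample` builds constructed files carrying the page's single flip (0xb8 versus 0x38 at byte 32988, i.e. od offset 0100320 plus 12) next to an invented two-bit change at the start of a block for contrast.

```sh
#!/bin/sh
# Byte-level comparison of a suspect file against a known-good copy.
# `cmp -l` prints one line per differing byte:
# "<1-based offset> <octal byte in file1> <octal byte in file2>".
# Usage: bitflip_report SUSPECT REFERENCE
bitflip_report() {
    cmp -l "$1" "$2" | awk -v blk=4096 '
        function oct2dec(s,   i, v) {
            v = 0
            for (i = 1; i <= length(s); i++) v = v * 8 + substr(s, i, 1)
            return v
        }
        # Number of bit positions in which a and b differ (popcount of a XOR b),
        # done bit by bit because POSIX awk has no xor().
        function diffbits(a, b,   c, i) {
            c = 0
            for (i = 0; i < 8; i++) {
                if (a % 2 != b % 2) c++
                a = int(a / 2); b = int(b / 2)
            }
            return c
        }
        {
            off = $1 - 1                       # 0-based offset, as od prints it
            a = oct2dec($2); b = oct2dec($3)
            n = diffbits(a, b)
            # "block" is the (assumed 4 KiB) filesystem block the defect sits in.
            # Defects filling whole blocks point at the disk or filesystem;
            # isolated single bits at odd offsets point elsewhere (RAM, cable, controller).
            printf "offset=%d block=%d a=0x%02x b=0x%02x bits=%d %s\n",
                off, int(off / blk), a, b, n, (n == 1 ? "single-bit" : "multi-bit")
        }'
}

# One line: how many bytes differ, how many are single bit flips, how many
# distinct blocks are touched.
bitflip_summary() {
    bitflip_report "$1" "$2" | awk '
        {
            total++
            if ($5 == "bits=1") single++
            split($2, kv, "=")
            if (!(kv[2] in blocks)) { blocks[kv[2]] = 1; nblocks++ }
        }
        END { printf "diffs=%d single_bit=%d blocks_touched=%d\n", total, single, nblocks }'
}

# Re-read the whole file once. A bad sector makes dd fail with an I/O error and
# a non-zero status; a file that reads cleanly yet differs from the reference
# was corrupted on its way to or from the platter, not on it.
read_check() {
    dd if="$1" of=/dev/null bs=4096 2>/dev/null
}

# Constructed sample in directory $1: ld.orig is the reference, ld.bad the
# suspect. ld.bad carries the page's single bit flip (0xb8 -> 0x38 at byte
# 32988) and, for contrast, an invented two-bit change at byte 8192, the first
# byte of block 2.
make_sample() {
    dd if=/dev/zero bs=1024 count=40 of="$1/ld.orig" 2>/dev/null
    printf '\270' | dd of="$1/ld.orig" bs=1 seek=32988 conv=notrunc 2>/dev/null
    cp "$1/ld.orig" "$1/ld.bad"
    printf '\070' | dd of="$1/ld.bad" bs=1 seek=32988 conv=notrunc 2>/dev/null
    printf '\003' | dd of="$1/ld.bad" bs=1 seek=8192 conv=notrunc 2>/dev/null
}
```

On the real box the reference copy comes out of the package rather than from a sibling machine, e.g. `rpm2cpio glibc-2.2.2-38.i386.rpm | cpio -id ./lib/ld-2.2.2.so` (the package file name is assumed), and `read_check` is worth running before the comparison so that an I/O error is not mistaken for a silent flip.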

Replying to myself...

I found some more bitflips. shitishit. Two in /sbin/init, one in /lib/librt.so.1 (which eventually flopped back) and so on. System still up, but... There are no kernel messages about it. Is this a driver problem, hardware problem, settings problem? Some way to resolve it? Is there a point in using SCSI to avoid such flaws?

Thank you... and when this becomes OT, just point me to another list please.

Lars

===

Some more information, from dmesg:

Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
VP_IDE: IDE controller on PCI bus 00 dev 39
VP_IDE: chipset revision 6
VP_IDE: not 100% native mode: will probe irqs later
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
VP_IDE: VIA vt82c686b (rev 40) IDE UDMA100 controller on pci00:07.1
    ide0: BM-DMA at 0xd000-0xd007, BIOS settings: hda:DMA, hdb:pio
    ide1: BM-DMA at 0xd008-0xd00f, BIOS settings: hdc:pio, hdd:pio
hda: IBM-DTLA-305040, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hda: 80418240 sectors (41174 MB) w/380KiB Cache, CHS=5005/255/63

# hdparm /dev/hda

/dev/hda:
 multcount    = 16 (on)
 I/O support  =  1 (32-bit)
 unmaskirq    =  1 (on)
 using_dma    =  0 (off)
 keepsettings =  0 (off)
 nowerr       =  0 (off)
 readonly     =  0 (off)
 readahead    =  8 (on)
 geometry     = 5005/255/63, sectors = 80418240, start = 0

# hdparm -i /dev/hda

/dev/hda:

 Model=IBM-DTLA-305040, FwRev=TW4OA68A, SerialNo=YJEYJ1Z6276
 Config={ HardSect NotMFM HdSw>15uSec Fixed DTR>10Mbs }
 RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=40
 BuffType=DualPortCache, BuffSize=380kB, MaxMultSect=16, MultSect=16
 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=80418240
 IORDY=on/off, tPIO={min:240,w/IORDY:120}, tDMA={min:120,rec:120}
 PIO modes: pio0 pio1 pio2 pio3 pio4
 DMA modes: mdma0 mdma1 mdma2 udma0 udma1 *udma2 udma3 udma4 udma5
 Drive Supports : Reserved : ATA-2 ATA-3 ATA-4 ATA-5

 Kernel Drive Geometry LogicalCHS=5005/255/63 PhysicalCHS=79780/16/63

Hi Lars,

On 2001.09.08 11:49:09 +0100 lars@newsone.org wrote:
> Replying to myself... I found some more bitflips. shitishit. Two in /sbin/init, one in /lib/librt.so.1 (which eventually flopped back) and so on. System still up, but...
<SNIP>
> Thank you... and when this becomes OT, just point me to another list please.
>
> Lars

IMHO, if a shared lib is changing, you have a problem, and it is definitely very *on topic*. Surely security is about keeping your boxes dependable, and files which have unexpected bit-flips and flops are going to make a box very *undependable* sooner or later :-(

Sorry I can't offer any useful advice :-( but I am interested in this discussion and its causes (and cure!)

Maf
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
 - Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hi,

On Friday 07 September 2001 21:43, lars@newsone.org wrote:
> I have a couple of SuSE 7.2 systems. On one of them:
>
> # rpm -V glibc
> ..5.....   /lib/ld-2.2.2.so
> # md5sum /lib/ld-2.2.2.so
> 36e9320d606f456f84951ba510209fc0  /lib/ld-2.2.2.so
>
> as opposed to
>
> 1312001a7eb2ccb4b666fe9f0775b932  /lib/ld-2.2.2.so
>
> as it should be.
>
> This is glibc-2.2.2-38, and I wonder how this can happen. This one is almost always 'busy', so who or what could have changed it?
>
> One other shared-libs-related effect I have right now is that from one moment to the next our ColdFusion server won't restart. It complains about unresolved symbols.
>
> Any idea?

Hmm, since file size and modification time seem to be ok I could imagine it's a bad block on your hard disk. On the other hand, I don't know if md5sum would complain on an I/O error or simply take what it can read and dump the checksum of that.

You could run strings on both files and diff the output, or use cmp. Also check whether you get I/O errors when copying the file with dd to another place (see /var/log/warn).

At least your ColdFusion restart problem could be explained by a damaged library.

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
Participants (4): lars@newsone.org, maf king, Martin Leweling, Roman Drahtmueller