[colug-432] Necropsy: Virus?

jep200404 at columbus.rr.com jep200404 at columbus.rr.com
Tue May 3 17:59:50 EDT 2011


What non-malicious reasons can there be for a new version of a 
program to have the same size and timestamp as an old version, 
yet have different md5sums? 

I'm studying a CentOS 5.5 installation that would not finish 
booting. I have found programs in various bin directories 
that have the same timestamp and size but have different md5sums 
of corresponding files from the previous day's backup. 

For example: 

[root at localhost backup]# ll --full-time 201103*/bin/cp
-rwxr-xr-x 1 root root 71524 2010-02-28 17:33:21.000000000 -0500 20110322/bin/cp
-rwxr-xr-x 1 root root 71524 2010-02-28 17:33:21.000000000 -0500 20110324bad/bin/cp
[root at localhost backup]# md5sum 201103*/bin/cp
7a42e14fd7805134986b528f18e014c4  20110322/bin/cp
7e1f299db17bfaf3149f44d26c6ac61a  20110324bad/bin/cp
[root at localhost backup]# ll --full-time 201103*/bin/rpm
-rwxr-xr-x 1 root root 89536 2010-09-08 11:11:07.000000000 -0400 20110322/bin/rpm
-rwxr-xr-x 1 root root 89536 2010-09-08 11:11:07.000000000 -0400 20110324bad/bin/rpm
[root at localhost backup]# md5sum 201103*/bin/rpm
a73ab9bb821b754f540c132bfcbfc2bb  20110322/bin/rpm
dadec05cec786f40a1ebf6bf2924c88e  20110324bad/bin/rpm
[root at localhost backup]# 
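
The comparison shown in the post can be run over whole backup trees. The following is an added example, not part of the original post: it lists every file whose size and mtime match in both trees but whose content differs, and reports where the bytes differ. The function names, tree layout and sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def silent_changes(old_root, new_root):
    """Return sorted (path, first differing offset, differing byte count) for files
    whose size and mtime match in both trees but whose content differs."""
    findings = []
    for old in Path(old_root).rglob("*"):
        rel = old.relative_to(old_root)
        new = Path(new_root) / rel
        # Regular files present in both trees only (no symlinks, devices, FIFOs).
        if old.is_symlink() or new.is_symlink() or not (old.is_file() and new.is_file()):
            continue
        so, sn = old.stat(), new.stat()
        if (so.st_size, so.st_mtime_ns) != (sn.st_size, sn.st_mtime_ns):
            continue  # a visible change, which a size/date listing already shows
        a, b = old.read_bytes(), new.read_bytes()
        # SHA-256 rather than md5sum, since deliberate tampering is one hypothesis.
        if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
            continue
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        findings.append((rel.as_posix(), diffs[0], len(diffs)))
    return sorted(findings)


def build_demo(root):
    """Constructed sample data: two small trees standing in for two nightly backups."""
    samples = {  # name: (bytes in old tree, bytes in new tree)
        "cp": (b"\x7fELF" + b"A" * 60, b"\x7fELF" + b"A" * 20 + b"XY" + b"A" * 38),
        "ls": (b"\x7fELF" + b"B" * 60, b"\x7fELF" + b"B" * 60),   # unchanged
        "rpm": (b"\x7fELF" + b"C" * 60, b"\x7fELF" + b"C" * 70),  # size changed
    }
    for idx, tree in enumerate(("old", "new")):
        bindir = Path(root, tree, "bin")
        bindir.mkdir(parents=True)
        for name, versions in samples.items():
            (bindir / name).write_bytes(versions[idx])
            os.utime(bindir / name, ns=(1267396401 * 10**9,) * 2)  # same mtime everywhere
    return Path(root, "old"), Path(root, "new")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, first, count in silent_changes(*build_demo(tmp)):
            print(f"{rel}: {count} byte(s) differ, first at offset {first:#x}")
```

The number and position of differing bytes help separate a small localized rewrite from a wholesale replacement of the file.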


