[colug-432] Necropsy: Virus?

Jeff Frontz jeff.frontz at gmail.com
Tue May 3 18:07:32 EDT 2011


Timestamps and all sorts of other non-functional things are embedded
in various segments.  You can use objdump to see if the parts that
matter (.bss, .data, .rodata and code -- the last via -d) have
actually changed.

Also, even if "ls" says the files are the same size, things may have
been rounded up to some nice round value; a better quick check is to
use "size" to see if the important parts have actually changed size.

Jeff




On Tue, May 3, 2011 at 5:59 PM,  <jep200404 at columbus.rr.com> wrote:
> What non-malicious reasons can there be for a new version of a
> program to have the same size and timestamp as an old version,
> yet have different md5sums?
>
> I'm studying a Centos 5.5 installation that would not finish
> booting. I have found programs in various bin directories
> that have the same timestamp and size but have different md5sums
> of corresponding files from the previous day's backup.
>
> For example:
>
> [root at localhost backup]# ll --full-time 201103*/bin/cp
> -rwxr-xr-x 1 root root 71524 2010-02-28 17:33:21.000000000 -0500 20110322/bin/cp
> -rwxr-xr-x 1 root root 71524 2010-02-28 17:33:21.000000000 -0500 20110324bad/bin/cp
> [root at localhost backup]# md5sum 201103*/bin/cp
> 7a42e14fd7805134986b528f18e014c4  20110322/bin/cp
> 7e1f299db17bfaf3149f44d26c6ac61a  20110324bad/bin/cp
> [root at localhost backup]# ll --full-time 201103*/bin/rpm
> -rwxr-xr-x 1 root root 89536 2010-09-08 11:11:07.000000000 -0400 20110322/bin/rpm
> -rwxr-xr-x 1 root root 89536 2010-09-08 11:11:07.000000000 -0400 20110324bad/bin/rpm
> [root at localhost backup]# md5sum 201103*/bin/rpm
> a73ab9bb821b754f540c132bfcbfc2bb  20110322/bin/rpm
> dadec05cec786f40a1ebf6bf2924c88e  20110324bad/bin/rpm
> [root at localhost backup]#
>
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
>
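The section-by-section check Jeff describes (objdump for the code and data sections, size for the byte counts) can be scripted so that a whole tree of backups is compared the same way. The following is an added example, not code from either poster or from binutils: it parses ELF64 section headers directly with Python's struct module, fingerprints each section (a SHA-256 of the file bytes, or just the size for a NOBITS section such as .bss), and reports which sections differ. The build_elf helper is a hypothetical, constructed sample generator that emits minimal, non-loadable ELF images so the demo runs offline; it shows that the whole-file md5sum changes when only an embedded .comment note differs, while .text/.data/.rodata/.bss do not, and that a single changed code byte is caught even when file size is unchanged.

```python
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOBITS = 8  # section occupies no file bytes (.bss)
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header
FUNCTIONAL = (".text", ".data", ".rodata", ".bss")  # the parts that matter


def parse_sections(data):
    """Return {name: (sh_type, file_offset, size)} for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    if shentsize != SHDR.size:
        raise ValueError("unexpected section header entry size")
    headers = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    _, _, _, _, str_off, str_size, *_ = headers[shstrndx]  # section-name string table
    strtab = data[str_off:str_off + str_size]
    sections = {}
    for sh_name, sh_type, _flags, _addr, off, size, *_ in headers:
        if sh_type == 0:  # SHT_NULL placeholder entry
            continue
        name = strtab[sh_name:strtab.index(b"\0", sh_name)].decode("ascii")
        sections[name] = (sh_type, off, size)
    return sections


def section_digests(data):
    """Fingerprint every section: sha256 of its bytes, or its size alone for NOBITS."""
    out = {}
    for name, (sh_type, off, size) in parse_sections(data).items():
        if sh_type == SHT_NOBITS:
            out[name] = "nobits:size=%d" % size
        else:
            out[name] = hashlib.sha256(data[off:off + size]).hexdigest()
    return out


def diff_sections(old, new, only=None):
    """Names of sections whose fingerprint differs, optionally restricted to `only`."""
    a, b = section_digests(old), section_digests(new)
    names = sorted(set(a) | set(b))
    if only is not None:
        names = [n for n in names if n in only]
    return [n for n in names if a.get(n) != b.get(n)]


def size_summary(data):
    """Roughly what `size` prints: text (.text+.rodata), data and bss byte counts."""
    s = parse_sections(data)
    get = lambda n: s[n][2] if n in s else 0
    return {"text": get(".text") + get(".rodata"), "data": get(".data"), "bss": get(".bss")}


def build_elf(text, rodata, data, bss_size, comment):
    """Constructed sample (hypothetical helper): a minimal, non-loadable ELF64 image."""
    names = [".text", ".rodata", ".data", ".bss", ".comment", ".shstrtab"]
    shstrtab = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    name_off, pos = {}, 1
    for n in names:
        name_off[n], pos = pos, pos + len(n) + 1
    specs = [(".text", 1, text), (".rodata", 1, rodata), (".data", 1, data),
             (".bss", SHT_NOBITS, b"\0" * bss_size), (".comment", 1, comment),
             (".shstrtab", 3, shstrtab)]
    blob = bytearray(EHDR.size)  # header filled in once offsets are known
    headers = [SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)]  # mandatory SHT_NULL entry
    for name, sh_type, body in specs:
        off = len(blob)
        if sh_type != SHT_NOBITS:  # NOBITS sections take no file space
            blob += body
        headers.append(SHDR.pack(name_off[name], sh_type, 0, 0, off, len(body), 0, 0, 1, 0))
    shoff = len(blob)
    blob += b"".join(headers)
    blob[:EHDR.size] = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 0x3E, 1, 0, 0,
                                 shoff, 0, EHDR.size, 56, 0, SHDR.size, len(headers), len(specs))
    return bytes(blob)


def demo():
    """Three constructed images of identical length; only the middle one is benign."""
    base = dict(text=b"\x55\x48\x89\xe5\xc3", rodata=b"hello\0", data=b"\x01\x00", bss_size=16)
    old = build_elf(comment=b"GCC: (GNU) 4.1.2 built 2010-02-28\0", **base)
    rebuilt = build_elf(comment=b"GCC: (GNU) 4.1.2 built 2010-03-01\0", **base)  # only the note
    patched = build_elf(comment=b"GCC: (GNU) 4.1.2 built 2010-02-28\0",
                        **dict(base, text=b"\x55\x48\x89\xe5\xcc"))  # one code byte changed
    return {
        "same_length": len(old) == len(rebuilt) == len(patched),
        "md5_differs": hashlib.md5(old).hexdigest() != hashlib.md5(rebuilt).hexdigest(),
        "rebuilt_all": diff_sections(old, rebuilt),
        "rebuilt_functional": diff_sections(old, rebuilt, FUNCTIONAL),
        "patched_functional": diff_sections(old, patched, FUNCTIONAL),
        "sizes_unchanged": size_summary(old) == size_summary(patched),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run against real files, the same functions apply to `open(path, "rb").read()` for each pair of backups; a differing md5sum with an empty `diff_sections(..., FUNCTIONAL)` points at embedded build notes, while any entry in that list is a change to code or data that a rebuild with the same source should not produce.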
