Does Prelink Change File Sizes? - Mandriva


Thread: Does Prelink Change File Sizes?

  1. Does Prelink Change File Sizes?


    As mentioned earlier, I have started playing with
    prelink. This Sunday morning, when the system ran
    its weekly checks, it found that the md5sum had
    changed for SUID files:

    /bin/mount
    /bin/ping
    /bin/su
    /bin/umount
    /sbin/mount.nfs
    /usr/bin/Xwrapper
    /usr/bin/at
    /usr/bin/cdrdao
    /usr/bin/chage
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/cpufreq-selector$
    /usr/bin/crontab
    /usr/bin/expiry
    /usr/bin/gpasswd
    /usr/bin/gpg
    /usr/bin/gpgsm
    /usr/bin/lbp660
    /usr/bin/lppasswd
    /usr/bin/ml85p
    /usr/bin/mtink
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/bin/ping6
    /usr/bin/procmail
    /usr/bin/sperl5.8.8
    /usr/bin/sudo
    /usr/bin/sudoedit
    /usr/bin/ttink
    /usr/bin/vmware-ping
    /usr/lib64/ssh/ssh-keysign
    /usr/lib64/xorg/bin/Xgl-wrapper
    /usr/sbin/mount.davfs2
    /usr/sbin/traceroute
    /usr/sbin/traceroute6
    /usr/sbin/userhelper
    /usr/sbin/vmware-authd

    I compared byte sizes of these files with
    byte sizes of files in a backup, and file sizes
    are significantly larger. Oddly, the date-time
    stamp is unchanged.

    My assumption is that prelink is responsible,
    but if not my system has been cracked. Can
    anyone confirm that this is prelink at work?

    Cheers!

    jim b.

    --
    UNIX is not user-unfriendly; it merely
    expects users to be computer-friendly.

  2. Re: Does Prelink Change File Sizes?

    Jim Beard writes:


    >As mentioned earlier, I have started playing with
    >prelink. This Sunday morning, when the system ran
    >its weekly checks, it found that the md5sum had
    >changed for SUID files:


    From the prelink package

    "The prelink package contains a utility which modifies ELF shared libraries
    and executables, so that far less relocations need to be resolved at
    runtime and thus programs come up faster."

    Note. It MODIFIES. Changes. And any change, even one bit change, to a file
    will change its MD5 sum.

    Now you may also have been hacked. There is no evidence for or against
    that. But hackers usually do not change things like cdrdao.




    >/bin/mount
    >/bin/ping
    >/bin/su
    >/bin/umount
    >/sbin/mount.nfs
    >/usr/bin/Xwrapper
    >/usr/bin/at
    >/usr/bin/cdrdao
    >/usr/bin/chage
    >/usr/bin/chfn
    >/usr/bin/chsh
    >/usr/bin/cpufreq-selector$
    >/usr/bin/crontab
    >/usr/bin/expiry
    >/usr/bin/gpasswd
    >/usr/bin/gpg
    >/usr/bin/gpgsm
    >/usr/bin/lbp660
    >/usr/bin/lppasswd
    >/usr/bin/ml85p
    >/usr/bin/mtink
    >/usr/bin/newgrp
    >/usr/bin/passwd
    >/usr/bin/ping6
    >/usr/bin/procmail
    >/usr/bin/sperl5.8.8
    >/usr/bin/sudo
    >/usr/bin/sudoedit
    >/usr/bin/ttink
    >/usr/bin/vmware-ping
    >/usr/lib64/ssh/ssh-keysign
    >/usr/lib64/xorg/bin/Xgl-wrapper
    >/usr/sbin/mount.davfs2
    >/usr/sbin/traceroute
    >/usr/sbin/traceroute6
    >/usr/sbin/userhelper
    >/usr/sbin/vmware-authd


    >I compared byte sizes of these files with
    >byte sizes of files in a backup, and file sizes
    >are significantly larger. Oddly, the date-time
    >stamp is unchanged.


    >My assumption is that prelink is responsible,
    >but if not my system has been cracked. Can
    >anyone confirm that this is prelink at work?


    >Cheers!


    >jim b.


    >--
    >UNIX is not user-unfriendly; it merely
    > expects users to be computer-friendly.


  3. Re: Does Prelink Change File Sizes?

    On Sun, 13 Jan 2008 22:36:32 -0500, Jim Beard wrote:

    > As mentioned earlier, I have started playing with
    > prelink. This Sunday morning, when the system ran
    > its weekly checks, it found that the md5sum had
    > changed for SUID files:


    aide does change the files, so the md5sum should be different.

    aide runs before prelink. I added an aide update after prelink, so the
    changes caused by prelink will be ignored on the next aide check.

    See http://groups.google.com/group/alt.o...55c9b8b07d2dc?

    Regards, Dave Hodgins

    --
    Change nomail.afraid.org to ody.ca to reply by email.
    (nomail.afraid.org has been set up specifically for
    use in usenet. Feel free to use it yourself.)
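
The following script is an added example, not part of any post in this thread. It records checksums of the un-prelinked content using prelink's `--verify --md5` mode, so a later prelink run does not raise a false alarm while a modification made after prelinking still does. The function names and the baseline file format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checksum baseline that tolerates prelink's rewrites.

# Print the MD5 of FILE as it was before prelinking.
# `prelink --verify --md5` undoes the prelinking, re-prelinks, confirms the
# result matches the file on disk, then prints the digest of the original
# image. If prelink is missing or rejects the file (not prelinked, or altered
# after prelinking), fall back to the digest of the bytes on disk.
orig_md5() {
    if command -v prelink >/dev/null 2>&1; then
        sum=$(prelink --verify --md5 "$1" 2>/dev/null | awk '{print $1}')
        if [ -n "$sum" ]; then
            printf '%s\n' "$sum"
            return 0
        fi
    fi
    md5sum "$1" | awk '{print $1}'
}

# Write one "digest  path" line per file (assumed baseline format).
make_baseline() {
    for f in "$@"; do
        printf '%s  %s\n' "$(orig_md5 "$f")" "$f"
    done
}

# Re-check every file named in the baseline. Prints "CHANGED path" or
# "MISSING path" and returns 1 if anything differs, 0 otherwise.
check_baseline() {
    status=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        got=$(orig_md5 "$path")
        if [ "$got" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$1"
    return $status
}

# Usage: script baseline FILE... > base.md5   |   script check base.md5
case "${1:-}" in
    baseline) shift; make_baseline "$@" ;;
    check)    check_baseline "$2" ;;
esac
```

A file can also show as CHANGED when one of its libraries was updated and prelink has not yet been rerun, because `--verify` fails in that state; rerun prelink and check again before treating it as tampering.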

  4. Re: Does Prelink Change File Sizes?

    David W. Hodgins wrote:
    > On Sun, 13 Jan 2008 22:36:32 -0500, Jim Beard wrote:
    >
    >> As mentioned earlier, I have started playing with
    >> prelink. This Sunday morning, when the system ran
    >> its weekly checks, it found that the md5sum had
    >> changed for SUID files:

    >
    > aide does change the files, so the md5sum should be different.
    >
    > aide runs before prelink. I added an aide update after prelink, so the
    > changes caused by prelink will be ignored on the next aide check.
    >
    > See http://groups.google.com/group/alt.o...55c9b8b07d2dc?


    Yes, but I do not run aide. I tinker with system things
    too often too casually and tripwire and aide would simply
    require too much time going over what I had done or be
    worthless as I would not discern nastiness if it occurred,
    due to the noise from tinkering.

    I do have a firewall at the router where my internet connection
    comes into the house, and I do have shorewall running with
    pretty much everything blocked off even to other computers in
    the house. And there is nothing on the computer that would
    worry me or embarrass me if someone grabbed it and published
    it for the world to see.

    Cracking my system would yield a few e-mail addresses, and
    genealogical details on a few living persons who would prefer
    the details not be disclosed, but that is about the sum of
    it.

    My only real concern re security is the possibility that
    a cracker could assume ownership of my machine and use it
    for nefarious purpose. But I think that would be more trouble
    than it would be worth, even given my limited access controls.

    I think msec must check for changes in SUID files, which is
    where messages probably got its list. As Unruh mentioned,
    the files listed are not the ones I would expect a cracker
    to go after, by and large. And yes, I read that prelink would
    modify executables, but the difference in size was great
    enough that I decided to be cautious and ask.

    Cheers

    jim b.

    --
    UNIX is not user-unfriendly; it merely
    expects users to be computer-friendly.
