Single file changed: intrusion or corruption?

Michaël Witrant asked:

rkhunter reported a single file change on a virtual server (netstat binary). It didn’t report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum is back as it was before).

I’m wondering whether this is a file corruption or an intrusion. I guess an intrusion would have changed many other files watched by rkhunter (or none if the intruder had access to rkhunter’s database).

I disassembled both binaries with objdump -d and stored the diff here: https://gist.github.com/3972886

The full dump diff generated with objdump -s is here: https://gist.github.com/3972937

I guess a file corruption would have changed either large blocks or single bits, not small blocks like this.

Do these changes look suspicious? How could I investigate more?

The system is running Debian Squeeze.

My answer:

I spot checked a few of those, and they all appear to be single-bit errors. At this point I’d consider replacing the hard drive, using RAID/ZFS, etc.
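One way to do the check the answer describes (spot-checking whether the differences are single-bit errors) over the whole file instead of by hand, as an added example that is not part of the original question or answer: it reads the reinstalled, known-good binary and the flagged copy, groups the differing bytes into contiguous regions, and reports the Hamming distance and changed bit position of each region. Isolated single-bit flips are what failing RAM, disks or cables produce; contiguous multi-byte rewrites are what a deliberate patch looks like and deserve a closer look. The sample inputs are constructed; the command-line file names are assumptions (any known-good and flagged pair will do).

```python
"""Triage a flagged binary: single-bit flips or multi-byte rewrites?

Added example, not code from the original Server Fault question or answer.
It compares a known-good copy of a file (e.g. the one the package manager
reinstalled) with the copy rkhunter flagged and classifies the differences.
"""
import sys
from dataclasses import dataclass
from itertools import groupby


@dataclass
class DiffRegion:
    offset: int           # offset of the first differing byte
    length: int           # number of contiguous differing bytes
    bits_flipped: int     # Hamming distance summed over the region
    bit_positions: tuple  # which bit(s) changed, bit 0 = least significant

    @property
    def single_bit(self) -> bool:
        return self.length == 1 and self.bits_flipped == 1


def diff_regions(original: bytes, modified: bytes) -> list:
    """Group every differing byte offset into runs of consecutive offsets."""
    if len(original) != len(modified):
        raise ValueError(f"size mismatch: {len(original)} vs {len(modified)} bytes")
    differing = [i for i, (a, b) in enumerate(zip(original, modified)) if a != b]
    regions = []
    # Consecutive offsets share the same (offset - list index) value, so
    # groupby on that key splits the sorted offsets into contiguous runs.
    for _, run in groupby(enumerate(differing), key=lambda t: t[1] - t[0]):
        offsets = [off for _, off in run]
        positions = []
        for off in offsets:
            xor = original[off] ^ modified[off]
            positions.extend(b for b in range(8) if xor & (1 << b))
        regions.append(DiffRegion(offsets[0], len(offsets), len(positions), tuple(positions)))
    return regions


def classify(original: bytes, modified: bytes) -> dict:
    """Summarise the regions and give a triage verdict."""
    regions = diff_regions(original, modified)
    single = [r for r in regions if r.single_bit]
    multi = [r for r in regions if not r.single_bit]
    if not regions:
        verdict = "identical"
    elif not multi:
        verdict = "all single-bit flips: consistent with hardware corruption"
    else:
        verdict = "multi-byte rewrites present: inspect as possible tampering"
    return {
        "regions": len(regions),
        "single_bit": len(single),
        "multi_byte": len(multi),
        # A bit position that recurs across many flips hints at a stuck bit.
        "bit_histogram": {b: sum(r.bit_positions.count(b) for r in regions) for b in range(8)},
        "verdict": verdict,
    }


# Constructed sample: a 1 KiB "binary" with three isolated single-bit flips.
GOOD = bytes(range(256)) * 4
_corrupt = bytearray(GOOD)
for _off, _bit in ((0x10, 5), (0x1A3, 5), (0x2F0, 0)):
    _corrupt[_off] ^= 1 << _bit
CORRUPTED = bytes(_corrupt)

# Constructed sample: the same file with one 4-byte contiguous rewrite instead.
_patched = bytearray(GOOD)
_patched[0x40:0x44] = b"\xde\xad\xbe\xef"
PATCHED = bytes(_patched)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py KNOWN_GOOD FLAGGED
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            summary = classify(f.read(), g.read())
    else:  # no files given: run on the constructed corrupted sample
        summary = classify(GOOD, CORRUPTED)
    for key, value in summary.items():
        print(f"{key}: {value}")
    for region in diff_regions(GOOD, CORRUPTED) if len(sys.argv) != 3 else []:
        print(f"  offset 0x{region.offset:x}: {region.length} byte(s), bits {region.bit_positions}")
```

Run it with the reinstalled binary first and the flagged copy second. On Debian the reinstalled package gives the known-good side; `debsums -c` will also list every other packaged file whose checksum no longer matches, which answers the question of whether netstat is the only file affected.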


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.