Help answer threads with 0 replies.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 11-24-2010, 02:02 PM   #1
LQ Newbie
Registered: Jun 2010
Posts: 3

Rep: Reputation: 0
Files sizes and checksums changed, but not time stamps?

For the second time in a week, I have set up an unmanaged CentOS 5.5 Storm Server at StormOnDemand, only to discover a ton of unauthorized changes to binaries (updated file checksums and sizes) on the server shortly thereafter. The time stamps do NOT change.

If the time stamps did change, I would be hunting down a cron job that was doing some auto-updates. But the time stamps are not changing.

This leads me to believe that either these servers are suffering from:

1. A virus or hacker is compromising the box.

2. File system corruption.

3. Something else?

To eliminate the possibility of number 1, I toasted the first server and started over with a new server and enabled their firewall from the start to only allow access for two IPs via SSH... my IP and my biz partner's.

Then, one of the first things we installed was a system we created that maintains a snapshot of most directories on the system so that it can be used to watch the live directories for changes.

At 4:07am (server time) this morning, we received notice from this system that a massive number of files had changed in these directories. Again, no file time stamps changed.

So, my question is this... is there any legitimate reason in a fairly standard CentOS 5.5 install that would cause so many files to change?


Old 11-24-2010, 03:16 PM   #2
LQ Newbie
Registered: Jun 2010
Posts: 3

Original Poster
Rep: Reputation: 0
[SOLVED] Files sizes and checksums changed, but not time stamps? Reply to Thread

Ok, solved my own problem. It was prelink:

I did the md5 check as recommended by comparing the changed files this way:

md5sum /bin/some-file


prelink -y --md5 /bin/some-file

...and the md5 checksums (minus the prelink changes) are actually exactly the same.

Hope this helps save somebody else some time. :-)

Old 11-24-2010, 03:27 PM   #3
LQ Newbie
Registered: Jun 2010
Posts: 3

Original Poster
Rep: Reputation: 0
One other detail here I forgot to mention. prelink runs daily from cron on a standard CentOS install. See:



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Time Stamps for command history? WingnutOne Linux - Newbie 3 09-11-2007 08:53 AM
Time stamps following move to British Summer Time aikempshall Linux - General 2 03-30-2007 08:30 AM
Time Stamps Duplication indiancosmonaut Solaris / OpenSolaris 4 02-28-2007 10:30 AM
Samba time-stamps files incorectly k41184 Linux - Software 1 10-02-2005 08:24 AM
8.1 checksums changed? Sky Slackware 8 06-22-2002 04:09 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:17 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration