LinuxQuestions.org
Old 08-10-2005, 08:57 AM   #1
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
Think I've been had... how did they get in?


For the second time in a week, my tripwire has found many significant differences in one of our servers:
Code:
Parsing policy file: /etc/tripwire/tw.pol
*** Processing Unix File System ***
Performing integrity check...
Wrote report file: /var/lib/tripwire/report/server.domain.com-20050810-000502.twr


Tripwire(R) 2.3.0 Integrity Check Report

Report generated by:          root
Report created on:            Wed Aug 10 00:05:02 2005
Database last updated on:     Mon Aug  8 13:02:33 2005

===============================================================================
Report Summary:
===============================================================================

Host name:                    server.domain.com
Host IP address:              127.0.0.1
Host ID:                      None
Policy file used:             /etc/tripwire/tw.pol
Configuration file used:      /etc/tripwire/tw.cfg
Database file used:           /var/lib/tripwire/server.domain.com.twd
Command line used:            /usr/sbin/tripwire --check 

===============================================================================
Rule Summary: 
===============================================================================

-------------------------------------------------------------------------------
  Section: Unix File System
-------------------------------------------------------------------------------

  Rule Name                       Severity Level    Added    Removed  Modified 
  ---------                       --------------    -----    -------  -------- 
  Invariant Directories           66                0        0        0        
  Temporary directories           33                0        0        0        
  Tripwire Data Files             100               0        0        0        
  Critical devices                100               0        0        0        
* User binaries                   66                0        0        134      
* Tripwire Binaries               100               0        0        4        
* Libraries                       66                0        0        15       
* Shell Binaries                  100               0        0        1        
* File System and Disk Administraton Programs
                                  100               0        0        6        
* Kernel Administration Programs  100               0        0        2        
  Networking Programs             100               0        0        0        
* System Administration Programs  100               0        0        2        
* Hardware and Device Control Programs
                                  100               0        0        2        
  System Information Programs     100               0        0        0        
  Application Information Programs
                                  100               0        0        0        
  Shell Releated Programs         100               0        0        0        
  (/sbin/getkey)
  Critical Utility Sym-Links      100               0        0        0        
  Critical system boot files      100               0        0        0        
* Security Control                100               0        0        2        
  System boot changes             100               0        0        0        
* OS executables and libraries    100               0        0        6        
  Login Scripts                   100               0        0        0        
  Critical configuration files    100               0        0        0        
* User Applications               66                0        0        1        
* Operating System Utilities      100               0        0        7        
* Root config files               100               1        0        3        

Total objects scanned:  46967
Total violations found:  186

===============================================================================
Object Summary: 
===============================================================================

-------------------------------------------------------------------------------
# Section: Unix File System
-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/sbin"
"/usr/sbin/callback"
"/usr/sbin/diskdumpctl_proc"
"/usr/sbin/diskdumpfmt"
"/usr/sbin/iptstate"
"/usr/sbin/plainrsa-gen"
"/usr/sbin/racoon"
"/usr/sbin/rdev"
"/usr/sbin/readprofile"
"/usr/sbin/rpc.gssd"
"/usr/sbin/rpc.idmapd"
"/usr/sbin/sasl2-static-mechlist"
"/usr/sbin/saslauthd"
"/usr/sbin/savecore"
"/usr/sbin/sshd"
"/usr/sbin/stunnel"
"/usr/sbin/tunelp"
"/usr/sbin/vipw"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/siggen)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/siggen"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/tripwire"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/twadmin)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/twadmin"

-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/twprint)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/twprint"

-------------------------------------------------------------------------------
Rule Name: Libraries (/usr/lib)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/lib"
"/usr/lib/autofs"
"/usr/lib/autofs/autofs-ldap-auto-master"
"/usr/lib/libaspell.so.15.0.3"
"/usr/lib/libdes425.so.3.0"
"/usr/lib/libgssapi_krb5.so.2.2"
"/usr/lib/libk5crypto.so.3.0"
"/usr/lib/libkrb4.so.2.0"
"/usr/lib/libkrb5.so.3.2"
"/usr/lib/libldap-2.2.so.7.0.6"
"/usr/lib/libstdc++.so.6.0.3"
"/usr/lib/libwvstreams.so.3.75"
"/usr/lib/libwvutils.so.3.75"
"/usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE"
"/usr/lib/perl5/5.8.5/i386-linux-thread-multi/CORE/libperl.so"

-------------------------------------------------------------------------------
Rule Name: User binaries (/usr/bin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/usr/bin"
"/usr/bin/a2p"
"/usr/bin/addftinfo"
"/usr/bin/aspell"
"/usr/bin/c++"
"/usr/bin/c++filt"
"/usr/bin/cal"
"/usr/bin/chfn"
"/usr/bin/chsh"
"/usr/bin/col"
"/usr/bin/colcrt"
"/usr/bin/colrm"
"/usr/bin/column"
"/usr/bin/cpp"
"/usr/bin/crontab"
"/usr/bin/cvs"
"/usr/bin/cytune"
"/usr/bin/ddate"
"/usr/bin/doxygen"
"/usr/bin/doxytag"
"/usr/bin/eqn"
"/usr/bin/fdformat"
"/usr/bin/floppy"
"/usr/bin/free"
"/usr/bin/g++"
"/usr/bin/g77"
"/usr/bin/gcc"
"/usr/bin/gcov"
"/usr/bin/getopt"
"/usr/bin/grn"
"/usr/bin/grodvi"
"/usr/bin/groff"
"/usr/bin/grolbp"
"/usr/bin/grolj4"
"/usr/bin/grops"
"/usr/bin/grotty"
"/usr/bin/hexdump"
"/usr/bin/hpftodit"
"/usr/bin/i386-redhat-linux-c++"
"/usr/bin/i386-redhat-linux-g++"
"/usr/bin/i386-redhat-linux-gcc"
"/usr/bin/indxbib"
"/usr/bin/ipcrm"
"/usr/bin/ipcs"
"/usr/bin/isosize"
"/usr/bin/lftp"
"/usr/bin/lkbib"
"/usr/bin/logger"
"/usr/bin/look"
"/usr/bin/lookbib"
"/usr/bin/lynx"
"/usr/bin/mcookie"
"/usr/bin/namei"
"/usr/bin/newgrp"
"/usr/bin/perl"
"/usr/bin/perl5.8.5"
"/usr/bin/pfbtops"
"/usr/bin/pgrep"
"/usr/bin/pic"
"/usr/bin/pkill"
"/usr/bin/pmap"
"/usr/bin/post-grohtml"
"/usr/bin/pre-grohtml"
"/usr/bin/protoize"
"/usr/bin/refer"
"/usr/bin/rename"
"/usr/bin/renice"
"/usr/bin/rev"
"/usr/bin/scp"
"/usr/bin/script"
"/usr/bin/setfdprm"
"/usr/bin/setsid"
"/usr/bin/setterm"
"/usr/bin/sftp"
"/usr/bin/skill"
"/usr/bin/slabtop"
"/usr/bin/snice"
"/usr/bin/soelim"
"/usr/bin/ssh"
"/usr/bin/ssh-add"
"/usr/bin/ssh-agent"
"/usr/bin/ssh-keygen"
"/usr/bin/ssh-keyscan"
"/usr/bin/swig"
"/usr/bin/tailf"
"/usr/bin/tbl"
"/usr/bin/tfmtodit"
"/usr/bin/tload"
"/usr/bin/top"
"/usr/bin/troff"
"/usr/bin/ul"
"/usr/bin/unprotoize"
"/usr/bin/uptime"
"/usr/bin/vim"
"/usr/bin/vmstat"
"/usr/bin/w"
"/usr/bin/watch"
"/usr/bin/wget"
"/usr/bin/whereis"
"/usr/bin/write"
"/usr/bin/wvdial"
"/usr/bin/wvdialconf"

-------------------------------------------------------------------------------
Rule Name: Shell Binaries (/usr/libexec/sftp-server)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/libexec/sftp-server"

-------------------------------------------------------------------------------
Rule Name: User binaries (/sbin)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/sbin"
"/sbin/addpart"
"/sbin/agetty"
"/sbin/blockdev"
"/sbin/delpart"
"/sbin/dhcp6c"
"/sbin/elvtune"
"/sbin/fsck.cramfs"
"/sbin/grubby"
"/sbin/mgetty"
"/sbin/mkfs.cramfs"
"/sbin/nologin"
"/sbin/partx"
"/sbin/pivot_root"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/fdisk)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/fdisk"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/mkfs)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/mkfs"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/mkswap)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/mkswap"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/sbin/sfdisk)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/sfdisk"

-------------------------------------------------------------------------------
Rule Name: Kernel Administration Programs (/sbin/ctrlaltdel)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/ctrlaltdel"

-------------------------------------------------------------------------------
Rule Name: Kernel Administration Programs (/sbin/sysctl)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/sysctl"

-------------------------------------------------------------------------------
Rule Name: System Administration Programs (/sbin/rescuept)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/rescuept"

-------------------------------------------------------------------------------
Rule Name: System Administration Programs (/sbin/swapon)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/swapon"

-------------------------------------------------------------------------------
Rule Name: Hardware and Device Control Programs (/sbin/hwclock)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/hwclock"

-------------------------------------------------------------------------------
Rule Name: Hardware and Device Control Programs (/sbin/losetup)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/sbin/losetup"

-------------------------------------------------------------------------------
Rule Name: Security Control (/var/spool/cron)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/var/spool/cron"
"/var/spool/cron/sbrown"

-------------------------------------------------------------------------------
Rule Name: OS executables and libraries (/lib)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/lib"
"/lib/libcrypto.so.0.9.7a"
"/lib/libgcc_s-3.4.4-20050721.so.1"
"/lib/libproc-3.2.3.so"
"/lib/libssl.so.0.9.7a"

-------------------------------------------------------------------------------
Rule Name: User Applications (/home/php/a3d/lib.php)
Severity Level: 66
-------------------------------------------------------------------------------

Modified:
"/home/php/a3d/lib.php"

-------------------------------------------------------------------------------
Rule Name: OS executables and libraries (/bin)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/bin/mount)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/mount"

-------------------------------------------------------------------------------
Rule Name: File System and Disk Administraton Programs (/bin/umount)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/umount"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/arch)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/arch"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/dmesg)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/dmesg"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/kill)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/kill"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/login)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/login"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/more)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/more"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/ps)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/ps"

-------------------------------------------------------------------------------
Rule Name: Operating System Utilities (/bin/tar)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/bin/tar"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.gnupg/.#lk0x80f8f60.server.domain.com.15824"

Modified:
"/root"
"/root/.gnupg"
"/root/.gnupg/random_seed"

===============================================================================
Error Report: 
===============================================================================

No Errors

-------------------------------------------------------------------------------
*** End of report ***

Tripwire 2.3 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
for details use --version. This is free software which may be redistributed
or modified only under certain conditions; see COPYING for details.
All rights reserved.
Integrity check complete.
The thing is that I can't find any obvious signs of how they got in. The only services that are running are Apache 2.0.54 w/ SSL (OpenSSL 0.9.8), PHP 4.3.11, OpenSSH 4.1p1 and MySQL 4.1.11 (kernel = 2.6.11). Known issues with these versions only impact environments that aren't applicable here. I d/led a known good version of rkhunter and all the binary sigs checked out. No unusual entries on ~/.bash_history for root or local users. Nothing unusual in any tmp directories. Nothing unusual in the logs. No unusual logins. Obviously, I know this doesn't mean anything since a good one will cover his tracks, but I would really like to know WTF happened before I just nuke the thing.

Obviously, I will be doing more reading in this forum today, but quick tips are appreciated.
 
Old 08-10-2005, 10:43 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If the md5sums are the same, then it looks like just the file modification timestamps have changed. Double check md5sums against known good versions and take a look at file attributes of the modified files using the 'stat' command. Check to see if they've changed since your last tripwire db update. Btw, what distro and version are you using?

Last edited by Capt_Caveman; 08-10-2005 at 10:44 AM.
 
Old 08-10-2005, 11:30 AM   #3
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by Capt_Caveman
If the md5sums are the same, then it looks like just the file modification timestamps have changed.
md5's aren't the same according to tripwire. In fact, they have even changed since yesterday's tripwire report, which indicates to me that this guy has been back in the last 24 hours. On some files, inodes are different, CRCs, size, md5s, etc... But there are still no (obvious) signs of an RK or anything like that.
Quote:
Originally posted by Capt_Caveman
Btw, what distro and version are you using?
FC3

I'm going through some of the CERT docs recommended in the security references thread and I'm not turning up anything. No other box on the network seems to be compromised (they are also monitored w/ tripwire), which is strange since all of our servers trust each other w/ SSH keys (obviously, the trust of this box has been revoked on the others). No new services are running on this box (nmap'ed it from another server that hasn't been compromised). No odd SUID, SGID, or hidden files found. I am the only local user on this box. Starting to look like this guy is really good at covering his tracks...

All of the files that had a mod time changed were all changed at 4:02AM. I've had an issue before where yum updated some packages via cron and that took place @ 4:02AM (I've since disabled this automatic update). I've checked for unusual cron entries and didn't find anything there either.

Last edited by TruckStuff; 08-10-2005 at 11:36 AM.
 
Old 08-10-2005, 04:53 PM   #4
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
Well I'm really stuck on this one. Nothing I've been reading gives me any indication as to how the attacker got in. I'm hesitant to simply reformat and reinstall for fear of creating the exact same environment and getting backdoored again. Any advice is appreciated.
 
Old 08-10-2005, 06:13 PM   #5
thorn168
Member
 
Registered: Oct 2004
Location: USA
Distribution: Vector Linux 5.1 Std., Vector Linux 5.8 Std., Win2k, XP, OS X (10.4 & 10.5)
Posts: 344

Rep: Reputation: 42
Does anyone else have physical access to this machine or any other network device on your network?

Are you using Cisco routers by chance?
 
Old 08-10-2005, 06:19 PM   #6
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by thorn168
Does anyone else have physical access to this machine or any other network device on your network?

Are you using Cisco routers by chance?
Nope and Nope. SSH is locked down so that only I can log in, so no one got in there. Strong passwords have been used for myself and root. Just doesn't make any sense to me...

Does anyone have tripwire installed that wouldn't mind posting the md5sums of tripwire, twadmin, twprint and siggen?
 
Old 08-10-2005, 08:16 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,668
Blog Entries: 4

Rep: Reputation: 3945
I, for one, am not quite ready to brand this as a genuine report... a genuine intrusion. Tripwire is not fail-safe, and some of these 'modifications' make no sense. (Why would someone modify "mcookie," for instance?)

Do you happen to have a CD-ROM with a known-good copy of the material that's on your system? Or can you, from another system, make one? If so, you could boot from CD-ROM and do some comparisons... taking care to use the cp command from the CD-ROM. You might also use it to copy the files to a removable disk if your CD happens to include the requisite drivers.

While such a Tripwire report properly demands to be explained, I'm not yet ready to jump to the conclusion that it's genuinely an intrusion. Others may dissent...?
 
Old 08-10-2005, 10:49 PM   #8
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Are you certain no updates took place? What do logfiles show for the times the files were (apparently) modified? I saw you run rkhunter, but have you tried chkrootkit?
 
Old 08-10-2005, 11:06 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'm not sold yet either. The yum update times (4:02AM) seem coincidental and I did notice some of the odd files flagged by tripwire also.

Just to clarify, when you run tripwire in a verbose mode like:
(twprint -m r -t 4 -r /path/to/recent/tripwire-report.twr), it shows md5sum differences?

But a scan with rkhunter shows all files coming back clean?

And the /var/log/yum.log file shows no recent updates?
 
Old 08-10-2005, 11:09 PM   #10
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
hwclock? dhcp6c? Most of the /usr/bin files... they all seem... rather unusable for security reasons. You might try running "strings" on some of the supposedly-compromised binaries to see if there's anything notably suspicious in there.
 
Old 08-11-2005, 12:27 AM   #11
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
What about the integrity of the tripwire database itself?
Is it signed? It's not supposed to be stored on your hard disk (not even the binaries).
I don't know, maybe the cracker tried to patch it and made a mess of it

On redhat systems, you may run "rpm -Va" to find any modified files installed with rpm

Have you run a program like statifier that converts dynamically linked programs into static ones, or upx to compress them, or any other program that may modify binaries?
Run file(1) on these

It's very strange to find a possibly cracked gcc and such a list of libraries

One last possibility is some new & ultra-sophisticated Unix virus that installs itself via kernel modules and infects all binaries loaded.


Anyway, you may set up the system to catch the cracker the next time while monitoring what's being done.


Last edited by primo; 08-11-2005 at 12:33 AM.
 
Old 08-11-2005, 09:23 AM   #12
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
I'm running some more stuff today, but here is what I have answers to thus far:
Quote:
Tripwire is not fail-safe, and some of these 'modifications' make no sense. (Why would someone modify "mcookie," for instance?)
That was my first thought also. There aren't any seemingly "normal" files that have been modified in the event of an attack (e.g. ls, ps, etc...). Now, the fact that the tripwire binaries seem to have been modified could mean that they have been altered to ignore changes to those files, but as someone else pointed out, why would another (known-good) checker like rkhunter find these files OK?
Quote:
Do you happen to have a CD-ROM with a known-good copy of the material that's on your system?
Nope.
Quote:
Are you certain no updates took place? What do logfiles show for the times the files were (apparently) modified? I saw you run rkhunter, but have you tried chkrootkit?
/var/log/yum.log does not indicate any packages were updated. The only thing I can find in any logs during the times tripwire indicates are cron jobs, e.g.
Code:
Aug  9 04:00:01 server crond(pam_unix)[20461]: session opened for user me by (uid=0)
Aug  9 04:00:01 server crond(pam_unix)[20463]: session opened for user me by (uid=0)
Aug  9 04:00:01 server crond(pam_unix)[20465]: session opened for user root by (uid=0)
Aug  9 04:00:02 server crond(pam_unix)[20465]: session closed for user root
Aug  9 04:00:07 server crond(pam_unix)[20463]: session closed for user me
Aug  9 04:01:01 server crond(pam_unix)[20475]: session opened for user root by (uid=0)
Aug  9 04:01:01 server crond(pam_unix)[20475]: session closed for user root
Aug  9 04:02:01 server crond(pam_unix)[20477]: session opened for user root by (uid=0)
Aug  9 04:03:30 server crond(pam_unix)[20477]: session closed for user root
I also just dl'ed a good copy of chkrootkit and everything checked out there also.
Quote:
Originally posted by Capt_Caveman
Just to clarify, when you run tripwire in a verbose mode like:
(twprint -m r -t 4 -r /path/to/recent/tripwire-report.twr), it shows md5sum differences?

But a scan with rkhunter shows all files coming back clean?

And the /var/log/yum.log file shows no recent updates?
Correct.
Quote:
You might try running "strings" on some of the supposedly-compromised binaries to see if there's anything notably suspicious in there.
Doing that now. I'm spot-checking a few binaries that tripwire thinks were modified to check for anything obvious. Will post if that finds anything.
Quote:
On redhat systems, you may run "rpm -Va" to find any modified files installed with rpm
It found some missing dependencies (all packages that I removed and replaced with the same package compiled from source). Some missing man pages, which I already knew about. Other than that, nothing significant to report there.
Quote:
Have you run a program like statifier that converts dynamically linked programs into static ones, or upx to compress them, or any other program that may modify binaries?
Nope.
Quote:
Anyway, you may setup the system to catch the cracker the next time while monitoring what's being done.
I also thought about leaving this server up as a "honeypot." I've been meaning to set up Snort on one of our other servers for a while now and haven't gotten around to it. My concerns with doing this are 1) Snort seems to me like something that takes a while to get set up correctly and I don't want to knee-jerk it and 2) This is a production server and all apps would have to be moved to another server which doesn't happen overnight.
Quote:
While such a Tripwire report properly demands to be explained, I'm not yet ready to jump to the conclusion that it's genuinely an intrusion.
And that's where I stand right now also.

Last edited by TruckStuff; 08-11-2005 at 09:25 AM.
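The cron log above is the only activity the OP found at the modification time, so the question becomes which crond session was actually open at 04:02 and for how long. The following added example (not code from the thread) pairs the `crond(pam_unix)` "session opened/closed" lines by PID, lists the sessions active at a given moment and the long-running ones; the sample log is the OP's own lines, and the year is assumed to be 2005 because syslog omits it.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Union

# Sample input: the crond lines quoted above (year assumed 2005; syslog omits it).
SAMPLE_LOG = """\
Aug  9 04:00:01 server crond(pam_unix)[20461]: session opened for user me by (uid=0)
Aug  9 04:00:01 server crond(pam_unix)[20463]: session opened for user me by (uid=0)
Aug  9 04:00:01 server crond(pam_unix)[20465]: session opened for user root by (uid=0)
Aug  9 04:00:02 server crond(pam_unix)[20465]: session closed for user root
Aug  9 04:00:07 server crond(pam_unix)[20463]: session closed for user me
Aug  9 04:01:01 server crond(pam_unix)[20475]: session opened for user root by (uid=0)
Aug  9 04:01:01 server crond(pam_unix)[20475]: session closed for user root
Aug  9 04:02:01 server crond(pam_unix)[20477]: session opened for user root by (uid=0)
Aug  9 04:03:30 server crond(pam_unix)[20477]: session closed for user root
"""

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
STAMP_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)")
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"crond\(pam_unix\)\[(?P<pid>\d+)\]: session (?P<event>opened|closed) for user (?P<user>\S+)")


def parse_stamp(stamp: str, year: int = 2005) -> datetime:
    """Turn a syslog prefix such as 'Aug  9 04:02:01' into a datetime."""
    m = STAMP_RE.match(stamp.strip())
    if not m:
        raise ValueError(f"bad syslog timestamp: {stamp!r}")
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s)


@dataclass
class Session:
    pid: int
    user: str
    opened: datetime
    closed: Optional[datetime] = None  # None: no matching 'session closed' line seen

    def duration_seconds(self) -> Optional[int]:
        if self.closed is None:
            return None
        return int((self.closed - self.opened).total_seconds())


def parse_cron_sessions(text: str, year: int = 2005) -> List[Session]:
    """Pair crond pam_unix open/close lines by PID, keeping log order."""
    sessions: List[Session] = []
    open_by_pid: Dict[int, Session] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, when = int(m["pid"]), parse_stamp(m["stamp"], year)
        if m["event"] == "opened":
            s = Session(pid, m["user"], when)
            open_by_pid[pid] = s
            sessions.append(s)
        else:
            s = open_by_pid.pop(pid, None)
            if s is not None:  # a close with no open (rotated log) is ignored
                s.closed = when
    return sessions


def sessions_active_at(sessions: List[Session], when: Union[str, datetime],
                       year: int = 2005) -> List[Session]:
    """Sessions open at `when` (a datetime or a syslog stamp like 'Aug  9 04:02:30')."""
    t = parse_stamp(when, year) if isinstance(when, str) else when
    return [s for s in sessions if s.opened <= t and (s.closed is None or s.closed >= t)]


def long_sessions(sessions: List[Session], min_seconds: int) -> List[Session]:
    """Closed sessions that ran at least `min_seconds`: an 89 s job at 04:02 stands out
    next to the one-second housekeeping jobs around it."""
    return [s for s in sessions
            if s.duration_seconds() is not None and s.duration_seconds() >= min_seconds]


if __name__ == "__main__":
    found = parse_cron_sessions(SAMPLE_LOG)
    for s in sessions_active_at(found, "Aug  9 04:02:30"):
        closed = s.closed.time() if s.closed else "never"
        print(f"pid {s.pid} user {s.user} opened {s.opened.time()} closed {closed}")
```

The PID of the long session is what to look up in /var/log/cron to identify the job; a session that never closes (pid 20461 above) means the log excerpt ended before the job did, not that the job is still running.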
 
Old 08-11-2005, 09:54 AM   #13
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
If you have a spare desktop or anything like that, you could try installing a dedicated sniffer in front of this machine. Basically, you set up a computer with two NICs as an ethernet bridge (NOT forwarding), and then you could use ettercap/ethereal to see what goes on the line. Or better, log with tcpdump then analyze with ethereal later.
 
Old 08-11-2005, 10:07 AM   #14
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Original Poster
Rep: Reputation: 30
I've already got the setup:
Code:
WAN--->T1 Modem--->HUB---->Switch-------->Firewall---> LAN
                    |        |        |
               eth1 |        |eth0    |
                    |        |        |
              Another Server-|        |--> Server in Question
I'm going to set up Snort ASAP to keep an eye on the network and see what comes up.

Last edited by TruckStuff; 08-11-2005 at 10:09 AM.
 
Old 08-11-2005, 11:19 AM   #15
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by TruckStuff
The only thing I can find in any logs during the times tripwire indicates are cron jobs, e.g.
What was the specific cron job run at that time? /var/log/cron should give you a listing. Assuming it's cron.daily or cron.hourly what are the various cron jobs that could be run at those times? (check /etc/cron.daily/ or /etc/cron.hourly/ for anything relevant)

Along the lines of Matir's string idea, it might be useful to compare the execution of one of the flagged binaries that's likely to be trojaned. For example, try running 'strace w' on that system and another and compare the output. It won't be identical, but look for any abnormal calls.

There is also some kind of conflict as to whether the md5sums match. If you have a good copy of tar (tar was flagged too) I'd save a copy of /proc with the command 'tar zcvf /destination.tgz /proc'. Then take the system offline and reboot with a live cd distro, mount the hd readonly and check the md5sums of the binaries in question and see if they match.
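The offline md5 comparison described above, as an added example that is not code from the thread: it parses the report's Object Summary into the flagged paths, hashes them under a read-only mount root (assumed to be something like /mnt/hd) and classifies each against a known-good `md5sum` manifest taken from a trusted system, so timestamp-only changes separate from real content changes. The report excerpt and the hashes are constructed.

```python
import hashlib
import os
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed excerpt in the layout of the report's "Object Summary" section.
SAMPLE_REPORT = """\
-------------------------------------------------------------------------------
Rule Name: Tripwire Binaries (/usr/sbin/tripwire)
Severity Level: 100
-------------------------------------------------------------------------------

Modified:
"/usr/sbin/tripwire"

-------------------------------------------------------------------------------
Rule Name: Root config files (/root)
Severity Level: 100
-------------------------------------------------------------------------------

Added:
"/root/.gnupg/.#lk0x80f8f60.server.domain.com.15824"

Modified:
"/root"
"/root/.gnupg/random_seed"
"""

# One flagged object: (path, rule name, severity level)
Flagged = Tuple[str, str, int]


def parse_object_summary(text: str) -> Dict[str, List[Flagged]]:
    """Collect the quoted paths under each Added:/Removed:/Modified: heading."""
    result: Dict[str, List[Flagged]] = {"Added": [], "Removed": [], "Modified": []}
    rule, severity, status = "", 0, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Rule Name: "):
            rule, status = line[len("Rule Name: "):], None
        elif line.startswith("Severity Level: "):
            severity = int(line[len("Severity Level: "):])
        elif line in ("Added:", "Removed:", "Modified:"):
            status = line[:-1]
        elif status and len(line) > 1 and line.startswith('"') and line.endswith('"'):
            result[status].append((line[1:-1], rule, severity))
    return result


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse `md5sum` output ("<hex>  <path>") from a trusted system into {path: md5}."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-f]{32})\s+\*?(\S.*)$", line.strip())
        if m:
            manifest[m.group(2)] = m.group(1)
    return manifest


def md5_of_file(path: str) -> str:
    # md5 only because that is what the manifest and Tripwire 2.3 record.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_under_root(root: str, paths: Iterable[str]) -> Dict[str, Optional[str]]:
    """Hash flagged paths as found under a read-only mount (root is assumed, e.g. /mnt/hd).
    Directories are left out; a path that is not a regular file maps to None."""
    hashes: Dict[str, Optional[str]] = {}
    for p in paths:
        on_disk = os.path.join(root, p.lstrip("/"))
        if os.path.isdir(on_disk):
            continue
        hashes[p] = md5_of_file(on_disk) if os.path.isfile(on_disk) else None
    return hashes


def classify(flagged: Iterable[str], manifest: Dict[str, str],
             actual: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Separate real content changes from timestamp/inode-only changes."""
    verdict: Dict[str, str] = {}
    for p in flagged:
        if p not in actual:
            verdict[p] = "unchecked"        # directory or never hashed
        elif actual[p] is None:
            verdict[p] = "missing"          # flagged but absent on the mount
        elif p not in manifest:
            verdict[p] = "no-reference"     # no known-good hash to compare against
        elif actual[p] == manifest[p]:
            verdict[p] = "metadata-only"    # content matches the trusted copy
        else:
            verdict[p] = "content-changed"  # bytes differ from the trusted copy
    return verdict


if __name__ == "__main__":
    import sys
    root, manifest_file, report_file = sys.argv[1:4]  # e.g. /mnt/hd good.md5 report.txt
    with open(report_file) as f:
        summary = parse_object_summary(f.read())
    flagged = [p for p, _, _ in summary["Modified"] + summary["Added"]]
    with open(manifest_file) as f:
        ref = parse_manifest(f.read())
    for path, v in sorted(classify(flagged, ref, hash_under_root(root, flagged)).items()):
        print(f"{v:15} {path}")
```

The report text is obtained with the `twprint -m r` command quoted earlier in the thread; a "metadata-only" verdict across the board would point at the yum/cron coincidence rather than replaced binaries, while any "content-changed" system binary is the one to pull apart.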
 