Binaries changing after install?



studout
04-01-2004, 11:27 PM
Hi,

I installed knoppix 3.3 2003-11-19 to my disk using knx-hdinstall.
Just after install I ran a file integrity checker to get a baseline for the system.
Soon thereafter, I noticed that the checksum (md5, sha1, ...) of ALL of the ELF binaries in /bin changed. This is also true for all of the shared objects in /lib, /lib/lvm-10, /sbin, /usr/X11R6/bin, /usr/X11R6/lib, /usr/bin, and others.

/bin/dd, for example, changed in size from 26772 bytes to 23948 bytes.
file reports the original dd and the new dd as both being stripped, not that file is the final authority, but still it is a clue.

I seriously doubt that this was a rootkit; something in the range of 7000 files changed. A worm or rootkit just wouldn't need to change that many files. Furthermore, this has happened to me on other installs of this version of knoppix.

Does anyone know why this happened? Is there a program that goes through and does some further strip on binaries? Perhaps they need relocatable code when on the CD and once installed that can be removed? -fPIC or some such thing?

Thank you,
Studout
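
An added example, not part of the original post: one way to check the observation above (that the changed files are the ELF binaries, and by how much they shrank) by diffing two snapshots and summarising per directory. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

def snapshot(root):
    """Map relative path -> (sha1 hex, size, is_elf) for regular files under root."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                data = fh.read()
            snap[os.path.relpath(path, root)] = (
                hashlib.sha1(data).hexdigest(), len(data), data[:4] == ELF_MAGIC)
    return snap

def triage(before, after):
    """Per directory: totals and changed counts for ELF and other files, plus net size change."""
    report = {}
    for rel, (digest, size, is_elf) in before.items():
        row = report.setdefault(os.path.dirname(rel) or ".", Counter())
        # Files missing from the second snapshot are not counted as changed here.
        changed = rel in after and after[rel][0] != digest
        kind = "elf" if is_elf else "other"
        row[kind + "_total"] += 1
        row[kind + "_changed"] += changed
        if changed:
            row["size_delta"] += after[rel][1] - size
    return report

def demo():
    # Constructed sample tree: two fake ELF files and one shell script.
    files = {"bin/dd": ELF_MAGIC + b"A" * 100, "bin/ls": ELF_MAGIC + b"B" * 50,
             "bin/run.sh": b"#!/bin/sh\n"}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        before = snapshot(root)
        for rel in ("bin/dd", "bin/ls"):  # rewrite only the ELF files, 10 bytes shorter
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(files[rel][:-10])
        return triage(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A report where `elf_changed` equals `elf_total` in every directory while `other_changed` stays at zero matches the pattern described in the post: a blanket rewrite of ELF files rather than a handful of altered binaries.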