07-04-2012, 02:24 PM
"James B. Byrne"

Strange alterations to vim and related packages on KVM host

OS CentOS-6.2 with updates to present.

I use git on this host to manage configuration changes and to monitor
package alterations. This is not meant to be a security check. It is
simply a way for me to easily recover from fumble fingered
configuration changes.

Yesterday git status reported that the following files had changed
since the previous commit:

# modified: ../usr/bin/gdb
# modified: ../usr/bin/gvim
# modified: ../usr/bin/vim

I therefore reinstalled these three packages using yum reinstall and
committed the change to git.

commit b87a8b2116ef22cc013fd5dc6f525d672d52570a
Author: sysadmin.root.vhost01.hamilton
<sysadmin.root.vhost01.hamilton@harte-lyn
Date: Tue Jul 3 16:22:34 2012 -0400

Reinstalled gdb, vim and vim-X11 due to unexpected changes in
executable files.


This morning git reports the same three files have again changed.

# On branch master
# Changed but not updated:
# (use "git add <file>..." to update what will be committed)
# (use "git checkout -- <file>..." to discard changes in working
directory)
#
# modified: ../etc/virsh.run
# modified: .Xauthority
# modified: .bash_history
# modified: ../selinux/policy
# modified: ../usr/bin/gdb
# modified: ../usr/bin/gvim
# modified: ../usr/bin/vim
#
# Untracked files:
# (use "git add <file>..." to include in what will be committed)
#
# ../.readahead_collect

When I check the differences git simply reports that the binary files
are different but, after I reinstalled them all yesterday, I noted
that the file modification times of the replaced files and their
respective reinstalled files were the same but their file sizes were
not.

Given what I have committed to the git repository I am satisfied that
these are the only system files that have changed. None of the files
in /var/log show any entries relating to these files immediately prior
to the reinstall yesterday. What entries do exist go back to when the
software was first installed and none are more recent than several
months ago. The git commit on this host previous to yesterday was the
Kernel update on June 19. At that time the subject files were the same
as when they were originally installed.

This host does not accept any direct IP connections from IP addresses
outside our internal server subnet (a.b.c.0/192). Access is blocked
via IPTables at the gateway and again on the host itself. Some VM
guests do allow public or otherwise less restricted access but the VM
host itself does not.

I am of course deeply suspicious of these circumstances but I cannot
see how this could be the result of some outside agency. Therefore, I
am at a loss to explain these changes. What I need to discover is
what agency changed these files and why. In the meantime I have
removed the gdb, vim-enhanced and vim-X11 packages from that host.

Has anyone else run across this sort of behaviour? Has anyone any idea
as to what is going on here?



--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
07-04-2012, 06:32 PM
"James B. Byrne"

Strange alterations to vim and related packages on KVM host

On Wed, July 4, 2012 11:51, John Doe wrote:
> From: fred smith <fredex@fcshome.stoneham.ma.us>
>
>> On Wed, Jul 04, 2012 at 07:53:09AM -0700, John Doe wrote:
>>>
>>> Did you rpm verify?
>>> # rpm -qV vim-enhanced

Yes

>>> # rpm -qV gdb

Yes

>>> Did you diff the text files?

For the files other than those in /usr/bin, I know the cause of their
alteration: it is caused by my ssh accesses.

>>> Did you "binary diff" the binaries?

No

>>> How many bytes difference? constant number?
>>
>> prelink???

It seems so:

[root@vhost01 ~]# yum install gdb
. . .
[root@vhost01 ~]# ll /usr/bin/gdb
-rwxr-xr-x. 1 root root 4453160 Dec 7 2011 /usr/bin/gdb
[root@vhost01 ~]# mv /usr/bin/gdb /usr/bin/gdb.cln
[root@vhost01 ~]# cp -p /usr/bin/gdb.cln /usr/bin/gdb
[root@vhost01 ~]# ll /usr/bin/gdb*
-rwxr-xr-x. 1 root root 4453160 Dec 7 2011 /usr/bin/gdb
-rwxr-xr-x. 1 root root 1061 Dec 7 2011 /usr/bin/gdb-add-index
-rwxr-xr-x. 1 root root 4453160 Dec 7 2011 /usr/bin/gdb.cln
lrwxrwxrwx. 1 root root 3 Jul 4 14:16 /usr/bin/gdbtui -> gdb
[root@vhost01 ~]# prelink -v /usr/bin/gdb
Prelinking /usr/bin/gdb
[root@vhost01 ~]# ll /usr/bin/gdb*
-rwxr-xr-x. 1 root root 4468992 Dec 7 2011 /usr/bin/gdb
-rwxr-xr-x. 1 root root 1061 Dec 7 2011 /usr/bin/gdb-add-index
-rwxr-xr-x. 1 root root 4453160 Dec 7 2011 /usr/bin/gdb.cln
lrwxrwxrwx. 1 root root 3 Jul 4 14:16 /usr/bin/gdbtui -> gdb

Which accounts for the size changes as far as I can see. I infer that
the linked sizes likely changed as a result of system library updates
associated with the recent kernel update.

Thank you for the help.

>
> I do not think prelink would alter text configuration files like
> .Xauthority or .bash_history

Those files I expected to change and I am aware of the cause. It
is only the files in /usr/bin that concern me.



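As an added example, not code from the thread or from the rpm or prelink projects: a small POSIX shell triage of `rpm -V` output, plus the `prelink -y` undo step that rpm's own verification uses, which is why rpm can report a prelinked binary clean while git sees a changed blob. The sample verify lines are constructed; the last function assumes prelink is installed on the host.

```shell
#!/bin/sh
# Added example: keep the changes a package manager expects (config drift,
# mtime, ownership) apart from digest changes on binaries, which need a look.
# Flag columns in the RHEL 6 (rpm 4.8) verify string: S M 5 D L U G T P
# (size, mode, digest, device, link, user, group, mtime, capabilities).

# classify_verify_line "FLAGS [ATTR] PATH" -> missing|config|digest|mtime-only|meta-only
classify_verify_line() {
    set -f; set -- $1; set +f          # split into FLAGS [ATTR] PATH
    flags=$1; attr=""
    if [ "$flags" = missing ]; then echo missing; return 0; fi
    if [ $# -eq 3 ]; then attr=$2; fi  # attribute: c = config, d = doc, g = ghost ...
    if [ "$attr" = c ]; then echo config; return 0; fi   # config files drift legitimately
    case "$flags" in
        *5*) echo digest ;;            # file contents differ from the packaged file
        *)  if [ -z "$(printf '%s' "$flags" | tr -d '.T')" ]; then
                echo mtime-only        # only the timestamp moved
            else
                echo meta-only         # size/mode/owner/group/link changed, contents did not
            fi ;;
    esac
}

# triage_verify_output "RPM_V_OUTPUT" -> one "CLASS PATH" line per file; dependency noise skipped
triage_verify_output() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ""|Unsatisfied*|*" is needed by "*) continue ;; esac
        printf '%s %s\n' "$(classify_verify_line "$line")" "${line##* }"
    done
}

# prelink_undone_sha256 FILE -> sha256 of FILE with prelink undone. "prelink -y"
# writes the original bytes to stdout; rpm -V runs the same command
# (%__prelink_undo_cmd in /etc/rpm/macros.prelink) before hashing, which is why
# rpm stays clean on a prelinked binary while git sees a changed blob.
# Assumes prelink is installed; returns 2 otherwise.
prelink_undone_sha256() {
    command -v prelink >/dev/null 2>&1 || return 2
    prelink -y "$1" | sha256sum | awk '{print $1}'
}

# Constructed sample of "rpm -V gdb vim-enhanced" output, not a real capture.
SAMPLE_RPM_V='S.5....T.    /usr/bin/gdb
.......T.    /usr/bin/vim
.M.......    /usr/bin/gvim
S.5....T.  c /etc/vimrc
missing      /usr/bin/gdbtui'

triage_verify_output "$SAMPLE_RPM_V"
```

On a CentOS host, the value of `prelink_undone_sha256 /usr/bin/gdb` can be compared with the sha256 of the pristine copy (gdb.cln in the thread); a match means prelink alone explains the size change.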
 
07-04-2012, 09:06 PM
Rob Kampen

Strange alterations to vim and related packages on KVM host

On 07/05/2012 03:51 AM, John Doe wrote:
> From: fred smith<fredex@fcshome.stoneham.ma.us>
>
>> On Wed, Jul 04, 2012 at 07:53:09AM -0700, John Doe wrote:
>>> From: James B. Byrne<byrnejb@harte-lyne.ca>
>>>> Yesterday git status reported that the following files had changed
>>>> since the previous commit:
>>>> # modified: ../usr/bin/gdb
>>>> # modified: ../usr/bin/gvim
>>>> # modified: ../usr/bin/vim
>>>>
>>>> # modified: ../etc/virsh.run
>>>> # modified: .Xauthority
>>>> # modified: .bash_history
>>>> # modified: ../selinux/policy
>>>> # modified: ../usr/bin/gdb
>>>> # modified: ../usr/bin/gvim
>>>> # modified: ../usr/bin/vim
>>>> #
>>>> When I check the differences git simply reports that the binary files
>>>> are different but, after I reinstalled them all yesterday, I noted
>>>> that the file modification times of the replaced files and their
>>>> respective reinstalled files were the same but their file sizes were
>>>> not.
>>>
>>> Did you rpm verify?
>>> # rpm -qV vim-enhanced
>>> # rpm -qV gdb
>>> Did you diff the text files?
>>> Did you "binary diff" the binaries?
>>> How many bytes difference? constant number?
>>
>> prelink???
>
> I do not think prelink would alter text configuration files like .Xauthority or .bash_history
No - the simple act of logging in did that - my vote is for prelink -
git is probably unaware of prelink.

> JD
