
Re: Different MD5 from same kernel module tun.ko on different servers same distro



On Sun, Sep 3, 2017 at 9:17 AM, x9p wrote:

> the differences between both files don't look that much (vimdiff on xxd
> output below), just wondering what might have caused such differences
> between the same kernel module, from the same package, same distribution.

A better tool to compare binaries is diffoscope, it can disassemble
ELF binaries and compare the assembly.

Please upload the two tun.ko files to the trydiffoscope website so
that we can investigate the differences more closely:

https://try.diffoscope.org/

>   00037a0: 2f62 7569 6c64 2f6c 696e 7578 2d31 774a  /build/linux-1wJ   |
> 00037a0: 2f62 7569 6c64 2f6c 696e 7578 2d63 6835  /build/linux-ch5
>   00037b0: 4f58 392f 6c69 6e75 782d 332e 3136 2e34  OX9/linux-3.16.4   |
> 00037b0: 3366 412f 6c69 6e75 782d 332e 3136 2e34  3fA/linux-3.16.4
>
>   0003870: 696e 7578 2d31 774a 4f58 392f 6c69 6e75  inux-1wJOX9/linu   |
> 0003870: 696e 7578 2d63 6835 3366 412f 6c69 6e75  inux-ch53fA/linu
>
>   00038a0: 2f62 7569 6c64 2f6c 696e 7578 2d31 774a  /build/linux-1wJ   |
> 00038a0: 2f62 7569 6c64 2f6c 696e 7578 2d63 6835  /build/linux-ch5
>   00038b0: 4f58 392f 6c69 6e75 782d 332e 3136 2e34  OX9/linux-3.16.4   |
> 00038b0: 3366 412f 6c69 6e75 782d 332e 3136 2e34  3fA/linux-3.16.4

These look like they are two different builds of the Debian Linux
kernel package. If you or your cloud provider did not rebuild the
Debian Linux kernel package, then it is possible your cloud server has
been compromised and tun.ko modified with the version from a different
build of the package.

Are there any other modified files on the system? You can use debsums to check.

PS: I would suggest upgrading to Debian stretch at some point.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
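
A triage sketch for the comparison discussed in the message above, added here as an example and not part of the original post or of diffoscope or debsums: it masks the randomized `/build/linux-XXXXXX/` directory embedded in each copy and reports whether anything else differs. The six-character suffix pattern, the function names and the sample byte strings are assumptions; only the two directory names are taken from the quoted xxd output.

```python
import re

# Randomized build directory as it appears in the quoted xxd output, e.g.
# /build/linux-1wJOX9/ (six-character suffix is an assumption from the dump).
BUILD_DIR = re.compile(rb"/build/linux-[A-Za-z0-9]{6}/")
MASK = b"/build/linux-XXXXXX/"


def build_dirs(blob):
    """Distinct build directories embedded in one copy of the module."""
    return sorted(set(BUILD_DIR.findall(blob)))


def triage(a, b):
    """Classify how two copies of the same module differ."""
    same_len = len(a) == len(b)
    differing = sum(x != y for x, y in zip(a, b)) if same_len else None
    masked_equal = BUILD_DIR.sub(MASK, a) == BUILD_DIR.sub(MASK, b)
    return {
        "identical": a == b,
        "build_dirs_a": build_dirs(a),
        "build_dirs_b": build_dirs(b),
        "differing_bytes": differing,
        # True: every differing byte lies inside a build-path string, so the
        # copies come from two separate builds. False with identical == False:
        # code or data differs as well and needs a closer look.
        "only_build_paths_differ": a != b and masked_equal,
    }


def make_sample(build_dir, code):
    """Constructed stand-in for a module: code bytes plus two debug paths."""
    return (b"\x7fELF" + code + b"\x00"
            + build_dir + b"constructed/a.c\x00"
            + build_dir + b"constructed/b.h\x00")


# Constructed inputs; only the two directory names come from the thread.
SERVER_1 = make_sample(b"/build/linux-1wJOX9/", b"\x55\x48\x89\xe5\xc3")
SERVER_2 = make_sample(b"/build/linux-ch53fA/", b"\x55\x48\x89\xe5\xc3")
ALTERED = make_sample(b"/build/linux-ch53fA/", b"\x55\x48\x31\xc0\xc3")

if __name__ == "__main__":
    print(triage(SERVER_1, SERVER_2))
    print(triage(SERVER_1, ALTERED))
```

A result of `only_build_paths_differ: True` only establishes that the two copies come from different builds; which build belongs on the system is still settled by checking the file against the package checksums, as debsums does.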

