Am 09.05.22 um 13:34 schrieb tmc@vandradlabs.com.au:
On 2022-05-09 18:04, Elmar Stellnberger wrote:Am 09.05.22 um 00:48 schrieb Tomasz Ciolek:5. have we eliminated other causes of file mismatch - bad/incomplete updates, corrupted HDD, bad RAM, user error ?If exactly such files have been changed where there is reason to manipulate them for a rootkit then one shall assume unequivocally that there is a rootkit installed. With bad RAM you get a system crash and with a physically bad hard disk you get filesystem errors on fsck,
Yes, bad cache ram written on a hard disk can at least by theory result in corrupted files on disk. If you read what I have written then you see my argument that then the whole program would have become unusable which is not the case for our example. Also I want to add that bad ram just causing file corruptions but no crash is somewhat very unlikely.
Not always true. I have experienced what looked like creeping file system corruption that was in the end tracked down to bad RAM. it only occred under heavy load when RAM was over-utilisedand then swapped out.
As said, I don´t really believe on what you tell here. By theory non-ECC ram can have errors, but these are very rare. Damaged ram on the other hand is damaged independent of the system load and it usually causes more severe/obvious effects. The probability that a corrupt ram block affects only block data but no kernel data structures is not that high as these tend to be interleaved.
none of which you get with a rootkit where only certain files have been manipulated intentionally. A broken update could theoretically result in a singleton file of half the size. Usually running programsagain I have seen bad/partial
An update can only leave a partial file that is a prefix of an original file, never a corrupted one. That is, if you read, what I have told. All modern Linux filesystems use journalling and there will be no corruption like eventually on old Windows machines.
> I would want to see more info9rmationa botu what diagnostics were > done before I cry rootkit. >You are one of the people who want to tell people that they are not infected by a rootkit, when they obviously are. My recommendation for everyone is, care not to trust such people! Besides this I have requested Sylvain to collect more information, as this can still be interesting.