Fedora Linux Support Community & Resources Center

  #1  
Old 26th January 2012, 09:36 PM
toinat Offline
Registered User
 
Join Date: Jan 2012
Location: USA
Posts: 2
md5sum /bin/netstat changed !

Hi all, I am using Fedora 15 and did a checksum for /bin/netstat

PHP Code:
e3cb2502dc23cd54efca486c4d0a0c10  /bin/netstat 

ISO checksum

PHP Code:
e49fa0c1c9acd590d894d0a88e1009ec  /bin/netstat 

Could you guide me if my device got hacked?
Reply With Quote
  #2  
Old 26th January 2012, 10:37 PM
jpollard Offline
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105
Re: md5sum /bin/netstat changed !

More likely an update changed the checksum.

ISO files don't get updates. After you install updates, some/many/all may change - if nothing else than for updates to the runtime, which can trickle into updates for the application.
Reply With Quote
  #3  
Old 26th January 2012, 10:54 PM
marko Offline
Registered User
 
Join Date: Jun 2004
Location: Laurel, MD USA
Posts: 5,449
Re: md5sum /bin/netstat changed !

I have Fedora 15 and I don't see that net-tools was ever updated, I just have the notation that it
was the dep-install so it's the package the OS came with:

yum history pkg net-tools
Loaded plugins: fastestmirror, langpacks, presto, security
ID | Action(s) | Package
-------------------------------------------------------------------------------
1 | Dep-Install | net-tools-1.60-117.fc15.x86_64
history pkg

I routinely run a check-update so I know that it's not that I've not updated just
recently and the OP did update.
Reply With Quote
  #4  
Old 27th January 2012, 12:26 AM
JEO Offline
Registered User
 
Join Date: Jan 2006
Posts: 2,769
Re: md5sum /bin/netstat changed !

Most of the time this is due to the daily cron job of prelink. Try to unlink the file using prelink command and see what happens to the checksum.
Reply With Quote
  #5  
Old 27th January 2012, 01:04 AM
PabloTwo Offline
"Registered User" T-Shirt Winner
 
Join Date: Mar 2007
Location: Seville, FL
Posts: 5,126
Re: md5sum /bin/netstat changed !

If you want to check if there is an md5sum change on the file /bin/netstat, then you use rpm to VERIFY the contents of everything in the package that installed /bin/netstat.
Code:
rpm -V net-tools
A return of nothing from the above command indicates all files installed by that package are unchanged and valid.

---------- Post added at 08:04 PM ---------- Previous post was at 07:52 PM ----------

If any file in the package has changed, there will be a list of 9 items. A "dot" means no change. A "dot" replaced by a letter has these meanings:
Quote:
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
P caPabilities differ
If you get any file flagged with a "5", it will almost certainly also have a "T" and "S" flag as well.
Reply With Quote
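
Added example, not part of the original post: a POSIX shell sketch that decodes `rpm -V` lines with the nine-flag table PabloTwo quotes and marks a digest change on a non-config file (or a missing file) for follow-up. The sample lines, the paths and the function names `decode_flags` and `triage_rpm_verify` are constructed for illustration; the single-letter marker before the path (`c` for a config file) and the `missing` lines are part of rpm's verify output format.

```sh
#!/bin/sh
# Added example: triage `rpm -V` output with the nine-flag table quoted above.

# decode_flags FLAGS -> comma-separated names of the attributes that differ
decode_flags() (
    flags=$1 out=
    for name in size mode digest device symlink user group mtime capabilities; do
        c=${flags%"${flags#?}"}     # first character of what is left
        flags=${flags#?}            # drop it
        case $c in
            .|'') ;;                                # test passed
            \?)   out="$out$name(not checked)," ;;  # rpm could not run the test
            *)    out="$out$name," ;;
        esac
    done
    printf '%s\n' "${out%,}"
)

# triage_rpm_verify: read `rpm -V` lines on stdin, print "LEVEL path: reasons"
triage_rpm_verify() {
    while IFS= read -r line; do
        case $line in
            '')       continue ;;
            missing*) echo "ALERT ${line##* }: file missing"; continue ;;
        esac
        flags=${line%"${line#?????????}"}   # first nine characters
        rest=${line#?????????}
        rest=${rest#"${rest%%[! ]*}"}       # trim leading spaces
        attr=
        case $rest in                       # optional marker: c = %config, d = %doc, ...
            [cdglr]\ *) attr=${rest%% *}; rest=${rest#? }; rest=${rest#"${rest%%[! ]*}"} ;;
        esac
        level=INFO
        case $flags in                      # third flag is the digest test
            ??5*) [ "$attr" = c ] || level=ALERT ;;  # content changed, not a config file
        esac
        echo "$level $rest: $(decode_flags "$flags")"
    done
}

# Constructed sample output (hypothetical paths, not from the thread)
SAMPLE='S.5....T.    /usr/bin/example-tool
S.5....T.  c /etc/example.conf
.......T.    /usr/bin/other-tool
missing     /usr/share/doc/example/README'

printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

On a real system the input would come from `rpm -V net-tools` (or `rpm -Va`) piped into `triage_rpm_verify`.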
  #6  
Old 27th January 2012, 11:21 AM
toinat Offline
Registered User
 
Join Date: Jan 2012
Location: USA
Posts: 2
Re: md5sum /bin/netstat changed !

PHP Code:
 yum history pkg net-tools
Loaded plugins: langpacks, presto, refresh-packagekit
ID     | Action(s)      | Package
-------------------------------------------------------------------------------
       | Updated        | net-tools-1.60-115.fc15.i686                       EE
     2 | Update         |           1.60-117.fc15.i686                       EE
     1 | Dep-Install    | net-tools-1.60-115.fc15.i686
history pkg
PHP Code:
System checks summary
=====================

File properties checks...
    Required commands check failed
    Files checked: 135
    Suspect files: 0

Rootkit checks...
    Rootkits checked : 246
    Possible rootkits: 0

Applications checks...
    All checks skipped

The system checks took: 3 minutes and 1 second

All results have been written to the log file (/var/log/rkhunter/rkhunter.log)

One or more warnings have been found while checking the system.
Please check the log file (/var/log/rkhunter/rkhunter.log)

PHP Code:
rpm -V procps 
PHP Code:
rpm -V net-tools 
A return of nothing from the above command.



PHP Code:
 md5sum /bin/* 


That's what I got
Reply With Quote
  #7  
Old 27th January 2012, 12:33 PM
gUrUr2 Offline
Registered User
 
Join Date: Jul 2008
Posts: 46
Re: md5sum /bin/netstat changed !

Just do

Code:
yum verify
and see if the file is reported there. If not then the checksum is correct.
Reply With Quote