equo sec oscheck --> altered files ?


ElDuderino
Growing Hen
Posts: 129
Joined: Fri Jul 20, 2012 23:15

equo sec oscheck --> altered files ?

Post by ElDuderino » Tue Nov 18, 2014 1:46

Hi,

I ran this command today, and it printed a bunch of "altered files". Should I worry about that, or is it somehow "normal"?

Thanks,
The dude

ElDuderino
Growing Hen
Posts: 129
Joined: Fri Jul 20, 2012 23:15

Re: equo sec oscheck --> altered files ?

Post by ElDuderino » Sat Nov 29, 2014 20:53

I'm really a bit concerned, and would like to have an answer: does this necessarily mean that my system has been compromised (I doubt that...)? Or could there be a good explanation?

marcb
Simple Hen
Posts: 99
Joined: Tue Jul 06, 2010 22:42

Re: equo sec oscheck --> altered files ?

Post by marcb » Sun Nov 30, 2014 10:56

Actually, what files are altered? Can you post an example? On my system the command lists only files manually changed by me or by some system process, such as .cache files.

ElDuderino
Growing Hen
Posts: 129
Joined: Fri Jul 20, 2012 23:15

Re: equo sec oscheck --> altered files ?

Post by ElDuderino » Sun Nov 30, 2014 18:18

Here is a 'grep'ed list of all altered files found:

http://pastebin.sabayon.org/pastie/17144

They seem to be regular files, and there are a lot of them.

marcb
Simple Hen
Posts: 99
Joined: Tue Jul 06, 2010 22:42

Re: equo sec oscheck --> altered files ?

Post by marcb » Sun Nov 30, 2014 22:35

I see a very long list of packages, but have you checked out what the altered files are?

ElDuderino
Growing Hen
Posts: 129
Joined: Fri Jul 20, 2012 23:15

Re: equo sec oscheck --> altered files ?

Post by ElDuderino » Mon Dec 01, 2014 0:44

Oh, sorry, here is the complete output, with the actual files altered. I certainly did not alter them manually.

http://pastebin.sabayon.org/pastie/17145

marcb
Simple Hen
Posts: 99
Joined: Tue Jul 06, 2010 22:42

Re: equo sec oscheck --> altered files ?

Post by marcb » Mon Dec 01, 2014 6:09

Looks like filesystem corruption; you could try doing a new test installation or alternatively check the hardware (memtest?).

ElDuderino
Growing Hen
Posts: 129
Joined: Fri Jul 20, 2012 23:15

Re: equo sec oscheck --> altered files ?

Post by ElDuderino » Wed Dec 03, 2014 17:40

My installation is very new, and I'm using btrfs. equo libtest says my system is fine. I doubt that my system would be running like it is if it had such a massive fs corruption? I'll do a memtest and report back.

sabayonino
Sagely Hen
Posts: 3569
Joined: Sun Sep 21, 2008 1:12
Location: Italy

Re: equo sec oscheck --> altered files ?

Post by sabayonino » Wed Dec 03, 2014 18:47

New install? Memory corruption? ...uuhmm

Old announcement (2010): http://lxnay.wordpress.com/2010/12/08/g ... ts-cookin/
.3 [...] Integrated anti-rootkit functionalities (equo security oscheck). [...]

You can ask on the devs ML or file a bug report.


PS: I'm running SL in a chroot directory to build my own packages from portage, and I have ...

Code:

# equo sec oscheck
╠  @@ Checking system files...
╠  @@ dev-lang/spidermonkey-17.0.0: found altered files
╠  /usr/bin/js17
╠  /usr/bin/js17-config
╠  /usr/lib64/libmozjs-17.0.so
╠  @@ x11-libs/gdk-pixbuf-2.30.8: found altered files
╠  /usr/lib32/gdk-pixbuf-2.0/2.10.0/loaders.cache
╠  /usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders.cache
╠  @@ x11-themes/sabayon-artwork-loo-13: found altered files
╠  /usr/lib64/libreoffice/program/intro.png
╠  /usr/lib64/libreoffice/program/sofficerc
╠  @@ x11-libs/gtk+-3.12.2: found altered files
╠  /usr/lib64/gtk-3.0/3.0.0/immodules.cache
╠  @@ [546/1749] dev-lang/python-3.3.5-r1
[...]
@@ app-admin/equo-292: found altered files
╠  /etc/entropy/client.conf

Did you ever play with portage?

@@ app-admin/equo-292: found altered files
╠ /etc/entropy/client.conf


I've edited this file for my purposes.
This file is/was altered by someone ... someone = me, or it could be something else (like the package manager "portage").


PPS: see the help command for other "os check" options.

Code:

# equo sec oscheck -h
usage: equo security oscheck [-h] [--verbose] [--quiet] [--mtime]
                             [--assimilate] [--reinstall] [--ask | --pretend]
                             [--fetch]

optional arguments:
  -h, --help     show this help message and exit
  --verbose, -v  verbose output
  --quiet, -q    quiet output
  --mtime        consider mtime instead of SHA256 (false positives ahead)
  --assimilate   update hashes and mtime (useful after editing config files)
  --reinstall    reinstall faulty packages
  --ask, -a      ask before making any changes
  --pretend, -p  show what would be done
  --fetch        just download packages

Code:

# equo sec oscheck --reinstall
could be solved...
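The mechanism behind the help text above (a per-file SHA256 baseline, the cheaper but noisier --mtime mode, and --assimilate after a deliberate config edit), as an added illustration that is not Entropy's own code: a miniature manifest checker run over a constructed sample tree. The manifest layout, the function names and the sample files are assumptions made for this example.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:          # whole-file read; chunk it for very large libraries
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(package_files):
    """{package: [paths]} -> {package: {path: {"sha256", "mtime"}}} (assumed layout)."""
    return {pkg: {p: {"sha256": sha256_file(p), "mtime": os.stat(p).st_mtime} for p in paths}
            for pkg, paths in package_files.items()}

def is_altered(path, rec, use_mtime):
    if not os.path.exists(path):
        return True
    if use_mtime:                        # --mtime: cheap, but any touch() looks like tampering
        return os.stat(path).st_mtime != rec["mtime"]
    return sha256_file(path) != rec["sha256"]

def oscheck(manifest, use_mtime=False):
    """Return {package: [altered paths]} for packages with at least one altered file."""
    altered = {pkg: [p for p, rec in files.items() if is_altered(p, rec, use_mtime)]
               for pkg, files in manifest.items()}
    return {pkg: bad for pkg, bad in altered.items() if bad}

def assimilate(manifest, package):       # --assimilate: re-record hash and mtime after a deliberate edit
    for path, rec in manifest[package].items():
        rec["sha256"], rec["mtime"] = sha256_file(path), os.stat(path).st_mtime

def write(path, data, mode="w"):
    with open(path, mode) as f:
        f.write(data)

def demo():
    d = tempfile.mkdtemp()               # constructed sample tree, not a real Sabayon install
    conf, lib = os.path.join(d, "client.conf"), os.path.join(d, "libmozjs-17.0.so")
    write(conf, "repository = main\n")
    write(lib, b"\x7fELF" + b"\x00" * 32, "wb")
    for p in (conf, lib):
        os.utime(p, (1_000_000, 1_000_000))           # fixed baseline timestamp
    manifest = build_manifest({"app-admin/equo": [conf], "dev-lang/spidermonkey": [lib]})
    write(conf, "# edited by the admin\n", "a")       # real content change
    os.utime(lib, (2_000_000, 2_000_000))             # timestamp only, bytes unchanged
    by_hash = oscheck(manifest)                       # flags client.conf only
    by_mtime = oscheck(manifest, use_mtime=True)      # also flags the untouched library
    assimilate(manifest, "app-admin/equo")            # accept the intentional edit
    return by_hash, by_mtime, oscheck(manifest)       # final check: nothing altered
```

Anything that rewrites file bytes in place, whether an editor, a package manager or a tool such as prelink, changes the SHA256 exactly like the config edit here, so the hash mode reports it as altered until the baseline is assimilated or the package is reinstalled.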

ElDuderino
Growing Hen
Posts: 129
Joined: Fri Jul 20, 2012 23:15

Re: equo sec oscheck --> altered files ?

Post by ElDuderino » Sat Dec 06, 2014 0:43

Could prelinking be the reason? Just remembered I have that enabled.
