
#1 2024-07-25 05:53:54

Inu_Tokisaki
Member
Registered: 2024-01-21
Posts: 19

[SOLVED] My binaries were modified during shutdown

Hello,
I ran rkhunter on my system and got many warnings, all of them about files being modified. What concerns me is that most of the files have a modification time at which my laptop was actually turned off.

This is one of the examples:

sudo cat /var/log/rkhunter.log | grep "02-Jul"
[18:50:45]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:50:46]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:50:46]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:50:46]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:50:47]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:50:50]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:50:55]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:50:56]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:51:03]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:51:04]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)
[18:51:04]          Current file modification time: 1719918993 (02-Jul-2024 13:16:33)

I tried to confirm this using stat on one of the binaries:

  File: /usr/bin/groups
  Size: 14392     	Blocks: 32         IO Block: 4096   regular file
Device: 259,5	Inode: 11815013    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-07-22 18:50:46.518006158 +0200
Modify: 2024-07-02 13:16:33.000000000 +0200
Change: 2024-07-22 18:41:51.020896265 +0200
 Birth: 2024-07-22 18:41:51.020896265 +0200

This is my boot list around that time:

-36 b1dfb8311f3c42dea9bbf98cd8d31390 Mon 2024-07-01 17:44:32 CEST Mon 2024-07-01 20:40:33 CEST
-35 81c1b780ac5e4bb6bd3f354d60adfadb Wed 2024-07-03 17:19:18 CEST Wed 2024-07-03 17:21:20 CEST
-34 0bf51de2ae8944b898659370b9bed4eb Wed 2024-07-03 17:21:34 CEST Wed 2024-07-03 17:42:13 CEST
-33 b952a6261e9b4f5ca81f648f85d4056d Thu 2024-07-04 21:46:47 CEST Thu 2024-07-04 23:46:48 CEST
-32 5d281489df0848ebb0da6b7a620b72a8 Fri 2024-07-05 13:16:51 CEST Fri 2024-07-05 19:58:24 CEST

As you can see, the laptop was not even booted that day. A similar modification also happened on 03 Jul and 04 Jul, at times when the laptop was also turned off. How is this possible?

Thanks for the answer.

Last edited by Inu_Tokisaki (2024-07-25 16:56:39)

Offline

#2 2024-07-25 06:50:17

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 2,652
Website

Re: [SOLVED] My binaries were modified during shutdown

https://unix.stackexchange.com/question … -of-a-file

tl;dr: The modification time is the time when the file's content last changed, usually during packaging, i.e. when it was created.
If the packager created the file on 2024-07-02 and you upgrade your system and install it on 2024-07-22, the modification time will still be 2024-07-02.


Unofficial first vice president of the Rust Evangelism Strike Force

Offline

#3 2024-07-25 06:57:03

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,932

Re: [SOLVED] My binaries were modified during shutdown

I ran rkhunter on my system and got many warnings

https://www.google.com/search?q=rkhuter … 0positives

Online

#4 2024-07-25 08:17:08

Inu_Tokisaki
Member
Registered: 2024-01-21
Posts: 19

Re: [SOLVED] My binaries were modified during shutdown

schard wrote:

tl;dr: The modification time is the time when the file's content last changed, usually during packaging, i.e. when it was created.
If the packager created the file on 2024-07-02 and you upgrade your system and install it on 2024-07-22, the modification time will still be 2024-07-02.

My point is that the time shown is a time when my laptop was off. I would expect system changes to be possible only while the system is running, not when it is off. You said that the packager could have created the file on 2024-07-02, but is that possible when the system was turned off?

Offline

#5 2024-07-25 08:18:48

Inu_Tokisaki
Member
Registered: 2024-01-21
Posts: 19

Re: [SOLVED] My binaries were modified during shutdown

seth wrote:

I ran rkhunter on my system and got many warnings

https://www.google.com/search?q=rkhuter … 0positives

I know that rkhunter only compares file stats to the known states; I am just curious about a file being modified while the system was turned off.

Offline

#6 2024-07-25 08:33:17

seth
Member
From: Won't reply 2 private help req
Registered: 2012-09-03
Posts: 75,932

Re: [SOLVED] My binaries were modified during shutdown

But the packager's system wasn't off. Your system ideally doesn't modify that file at all, and from the presented data it also didn't.
Run pacman -Qkk

Online

#7 2024-07-25 08:34:21

WorMzy
Administrator
From: Scotland
Registered: 2010-06-16
Posts: 13,541
Website

Re: [SOLVED] My binaries were modified during shutdown

Inu_Tokisaki wrote:
schard wrote:

tl;dr: The modification time is the time when the file's content last changed, usually during packaging, i.e. when it was created.
If the packager created the file on 2024-07-02 and you upgrade your system and install it on 2024-07-22, the modification time will still be 2024-07-02.

My point is that the time shown is a time when my laptop was off. I would expect system changes to be possible only while the system is running, not when it is off. You said that the packager could have created the file on 2024-07-02, but is that possible when the system was turned off?

The packager did not use your machine to create the package. The packager used either their own machine or a build server to create the package, which they then pushed to the Arch Linux mirrors. You then downloaded the package from a mirror, and extracted the contents. You did not modify the extracted binary between then and now, so the "last modified" time remains when the packager created the package.

You can confirm what time a package was built by using 'pacman -Qo' to identify what owns the file in question, then checking the metadata for that package with 'pacman -Qi'. e.g.

$ pacman -Qo /usr/bin/groups
/usr/bin/groups is owned by shadow 4.16.0-1
$ pacman -Qi shadow
Name            : shadow
Version         : 4.16.0-1
Description     : Password and account management tool suite with support for shadow files and PAM
Architecture    : x86_64
URL             : https://github.com/shadow-maint/shadow
Licenses        : BSD-3-Clause
Groups          : None
Provides        : None
Depends On      : glibc  acl  libacl.so=1-64  attr  libattr.so=1-64  audit  libaudit.so=1-64  libxcrypt
                  libcrypt.so=2-64  pam  libpam.so=0-64  libpam_misc.so=0-64
Optional Deps   : None
Required By     : accountsservice  base  git  util-linux
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 3.86 MiB
Packager        : David Runge <dvzrv@archlinux.org>
Build Date      : Tue 02 Jul 2024 12:16:33 BST
Install Date    : Wed 10 Jul 2024 21:36:24 BST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD

Making lemonade from lemons since 2015.

Offline
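As an added illustration (not code from any poster in this thread), the Python below cross-checks the timestamps quoted above the way a defender would before raising an alarm: it parses the stat(1) Modify and Change lines, the pacman -Qi Build Date, the epoch rkhunter logged, and the boot list (assumed to be journalctl --list-boots output), then shows that the mtime is the package build instant (the same second, merely printed in BST versus +0200), that it falls inside none of the local boot windows, and that the ctime is the only timestamp that reflects a local event. The BST/CEST offset map is an assumption of the example.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample input: the values quoted in this thread.
STAT_MODIFY = "Modify: 2024-07-02 13:16:33.000000000 +0200"
STAT_CHANGE = "Change: 2024-07-22 18:41:51.020896265 +0200"
PACMAN_BUILD = "Build Date      : Tue 02 Jul 2024 12:16:33 BST"
RKHUNTER_EPOCH = 1719918993
BOOT_LIST = """\
-36 b1dfb8311f3c42dea9bbf98cd8d31390 Mon 2024-07-01 17:44:32 CEST Mon 2024-07-01 20:40:33 CEST
-35 81c1b780ac5e4bb6bd3f354d60adfadb Wed 2024-07-03 17:19:18 CEST Wed 2024-07-03 17:21:20 CEST
-34 0bf51de2ae8944b898659370b9bed4eb Wed 2024-07-03 17:21:34 CEST Wed 2024-07-03 17:42:13 CEST"""

# Assumption: pacman and journalctl print zone abbreviations, not offsets, so the
# two abbreviations seen in the thread are mapped to fixed offsets here.
TZ_ABBREV = {"BST": timezone(timedelta(hours=1)), "CEST": timezone(timedelta(hours=2))}

def parse_stat_time(line):
    """'Modify: 2024-07-02 13:16:33.000000000 +0200' -> aware datetime."""
    date, clock, offset = line.split(": ", 1)[1].split()
    clock = clock.split(".")[0]  # strptime has no nanosecond field
    return datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S %z")

def parse_abbrev_time(date, clock, abbrev):
    """'2024-07-02', '12:16:33', 'BST' -> aware datetime via TZ_ABBREV."""
    naive = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=TZ_ABBREV[abbrev])

def parse_pacman_build_date(line):
    """'Build Date      : Tue 02 Jul 2024 12:16:33 BST' -> aware datetime."""
    _dow, day, mon, year, clock, abbrev = line.split(": ", 1)[1].split()
    date = datetime.strptime(f"{day} {mon} {year}", "%d %b %Y").strftime("%Y-%m-%d")
    return parse_abbrev_time(date, clock, abbrev)

def epoch_to_datetime(epoch):
    """rkhunter logs the raw mtime as a Unix epoch; make it an aware UTC datetime."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)

def parse_boot_windows(text):
    """journalctl --list-boots lines -> [(first_entry, last_entry), ...]."""
    windows = []
    for line in text.splitlines():
        f = line.split()  # idx, boot id, then two 'Dow date time zone' groups
        windows.append((parse_abbrev_time(f[3], f[4], f[5]),
                        parse_abbrev_time(f[7], f[8], f[9])))
    return windows

def was_running(windows, when):
    """True if 'when' lies inside any recorded boot window."""
    return any(start <= when <= end for start, end in windows)

def same_instant(*times):
    """True if all aware datetimes denote the same UTC instant, whatever zone they print in."""
    return len({t.astimezone(timezone.utc) for t in times}) == 1
```

If same_instant() holds for the mtime, the build date and the rkhunter epoch, the "modification" is the upstream build and pacman -Qkk is the right next check; a mtime that matches no package build date is the case worth investigating.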

#8 2024-07-25 16:55:03

Inu_Tokisaki
Member
Registered: 2024-01-21
Posts: 19

Re: [SOLVED] My binaries were modified during shutdown

WorMzy wrote:

The packager did not use your machine to create the package. The packager used either their own machine or a build server to create the package, which they then pushed to the Arch Linux mirrors. You then downloaded the package from a mirror, and extracted the contents. You did not modify the extracted binary between then and now, so the "last modified" time remains when the packager created the package.

You can confirm what time a package was built by using 'pacman -Qo' to identify what owns the file in question, then checking the metadata for that package with 'pacman -Qi'. e.g.

$ pacman -Qo /usr/bin/groups
/usr/bin/groups is owned by shadow 4.16.0-1
$ pacman -Qi shadow
Name            : shadow
Version         : 4.16.0-1
Description     : Password and account management tool suite with support for shadow files and PAM
Architecture    : x86_64
URL             : https://github.com/shadow-maint/shadow
Licenses        : BSD-3-Clause
Groups          : None
Provides        : None
Depends On      : glibc  acl  libacl.so=1-64  attr  libattr.so=1-64  audit  libaudit.so=1-64  libxcrypt
                  libcrypt.so=2-64  pam  libpam.so=0-64  libpam_misc.so=0-64
Optional Deps   : None
Required By     : accountsservice  base  git  util-linux
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 3.86 MiB
Packager        : David Runge <dvzrv@archlinux.org>
Build Date      : Tue 02 Jul 2024 12:16:33 BST
Install Date    : Wed 10 Jul 2024 21:36:24 BST
Install Reason  : Installed as a dependency for another package
Install Script  : No
Validated By    : Signature

This explanation was something I was looking for, thank you.

Offline
