Folks-
The answer is that /usr/bin/login and /usr/bin/rdist were
changed by patches that were applied. Thanks go to
Michael J. Garcia and Mark Baldwin for quick replies.
Original post:
> Last week I received a new Ultra 2 clone that
> came with Solaris 2.6 pre-installed. Before I ever
> put the machine on the Internet, I made backup copies
> of all pre-installed software and ran the MD5 hashing
> algorithm on all pre-installed files on the machine.
> Sometime since last Thursday night, the /usr/bin/login
> and /usr/bin/rdist files changed, i.e. the current
> executables have different sizes and different MD5
> hash values than they had when the machine came in the
> door. I recovered the original login and rdist
> programs from tape and moved the "new" files to
> different names and removed execute permissions.
> The differences are shown below:
>
> Original:
> -r-sr-xr-x 1 root bin 53308 Mar 24 13:31 rdist
> MD5 (/usr/bin/rdist) = 15c104ba844e65d654a4e493864858bb
>
> -r-sr-xr-x 1 root bin 29192 Mar 24 13:30 login
> MD5 (/usr/bin/login) = 1f82ee53fdb7e77c74bd996f71c09eba
>
> Changed files:
> -r--r--r-- 1 root bin 53472 Jan 29 17:38 rdist.pre032498
> MD5 (/usr/bin/rdist.pre032498) = 6580854e3b31ff442b3d020fa48a033d
>
> -r--r--r-- 1 root bin 29340 Dec 16 15:50 login.pre032498
> MD5 (/usr/bin/login.pre032498) = 2882aa75dd654e391382b2553f75655f
>
> Does anyone know if there is any normal reason for
> these key files/programs to change size and MD5 hash value or
> have I been hacked?
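
An added example, not part of the original posts: a baseline check of the kind the original poster describes, reading digest lines in the `MD5 (path) = hash` format quoted above and reporting which files changed or went missing. The function names and the scratch files built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

# BSD-style digest lines as quoted in the post: "MD5 (/path) = <32 hex digits>"
MANIFEST_LINE = re.compile(r"^MD5 \((.+)\) = ([0-9a-f]{32})$")

def parse_manifest(text):
    """Return {path: digest}; lines that are not digest lines are skipped."""
    matches = (MANIFEST_LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def md5_file(path, chunk=65536):
    """Hash in chunks so large binaries are never read into memory whole."""
    h = hashlib.md5()  # MD5 only because the baseline on the page uses it
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare(baseline, root="/"):
    """Return {path: 'ok' | 'changed' | 'missing'} for files under root."""
    report = {}
    for path, expected in sorted(baseline.items()):
        current = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(current):
            report[path] = "missing"
        else:
            report[path] = "ok" if md5_file(current) == expected else "changed"
    return report

def demo():
    """Constructed sample: a scratch directory stands in for the real system."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, data in (("login", b"login v1"), ("rdist", b"rdist v1")):
        with open(os.path.join(bindir, name), "wb") as f:
            f.write(data)
    manifest = "".join("MD5 (/usr/bin/%s) = %s\n" % (n, md5_file(os.path.join(bindir, n)))
                       for n in ("login", "rdist"))
    manifest += "MD5 (/usr/bin/su) = " + "0" * 32 + "\n"  # never created: 'missing'
    with open(os.path.join(bindir, "login"), "wb") as f:
        f.write(b"login v2")  # simulate a patch replacing the binary
    return compare(parse_manifest(manifest), root)

if __name__ == "__main__":
    for path, status in demo().items():
        print("%-8s %s" % (status, path))
```

A `changed` result only says the bytes differ from the baseline; as in this thread, the cause (here, applied patches) still has to be established separately.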