rkhunter reported a single file change on a virtual server (netstat binary). It didn't report any other warning. The change was not the result of a package upgrade (I reinstalled it and the checksum is back as it was before).
I'm wondering whether this is a file corruption or an intrusion. I guess an intrusion would have changed many other files watched by rkhunter (or none if the intruder had access to rkhunter's database).
I disassembled both binaries with objdump -d
and stored the diff here: https://gist.github.com/3972886
The full dump diff generated with objdump -s
is here : https://gist.github.com/3972937
I guess a file corruption would have changed either large blocks or single bits, not small blocks like this.
Do these changes look suspicious? How could I investigate more?
The system is running Debian Squeeze.