Bizarre network attack?

A server I host is having very rare glitches where a file the user downloads will have incorrect contents. This almost never happens when I am looking; I caught it once and only once -- a user messaged me saying his antivirus had given him a warning about an image file downloaded from his webspace. I downloaded it myself and found that it was a text file full of cialis misspellings.

The file as stored was unaltered, and the next time I downloaded the file it was innocent again. I'm so far unable to find any rogue processes, users, or even any obvious way this substitution could have been made.

Right now I'm doing a brute-force check of all installed binary files in my system, doing checksums to compare them to their stored values, but that hasn't turned up anything useful yet.

I suspect this is rather some sort of bizarre network attack, but have only a vague idea what or how... I once read about the wireless toy airpwn, which operates by injecting response packets before the real response arrives. There are other computers on the same switch as the server, other computers I don't control. Could they be spoofing me?

I hope it's not too late, but let me rephrase and try to think (though it's hard when Dream Theater are injecting stereo sounds directly into the brain :) )
The user downloaded the file, and it was corrupted - the user is in a totally different location than yours, right? Then, you downloaded it, and it was bad again. Then, the file, on the server, was OK? To me, it sounds like someone with access has changed the file while it was on the server and you should rather dig into the server's access logs. While it's possible that someone will spoof you via those insecure Wi-Fi networks and protocols, do you really suspect someone in your area messing with files? If it's the infamous cialis - have you checked the anti-virus status of the systems? My $0.2.

The file was not modified. Its state on the server appears to have always been clean.

There's no wireless involved. airpwn was just an example of the principle I was thinking of -- if you're in the same medium/switch and catch an incoming request, it may be possible to respond before the real recipient does. It's not computers "in the same area" as much as the same building, on the same switch.

That was my first guess. What I was actually wondering was whether that was possible, to spoof another IP address of something on the same switch.

The incident hasn't been repeated, which seems really odd if anything in the system has actually been compromised. Maybe it happened because of something on the uploader's machine.
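Added example, not part of the thread: one way to catch an intermittent substitution like the one described is to repeatedly fetch the file over the network, compare its hash with the copy on disk, and keep any differing body as evidence. The function names, the URL and the sample bytes are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
import urllib.request
from pathlib import Path

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def http_fetch(url: str) -> bytes:
    """Fetch the body as a client would, asking intermediate caches to revalidate."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def check_served_copy(url, stored_path, evidence_dir, fetch=http_fetch):
    """Compare what the network delivers with what is stored on disk.
    On mismatch the delivered body is saved, named by its hash, for analysis."""
    stored = Path(stored_path).read_bytes()
    served = fetch(url)
    result = {"url": url, "stored": sha256(stored), "served": sha256(served)}
    result["match"] = result["stored"] == result["served"]
    if not result["match"]:
        out = Path(evidence_dir) / (result["served"] + ".bin")
        out.write_bytes(served)
        result["evidence"] = str(out)
    return result

def monitor(url, stored_path, evidence_dir, rounds, fetch=http_fetch):
    """Run the check repeatedly; return only the rounds where content differed."""
    hits = []
    for i in range(rounds):
        r = check_served_copy(url, stored_path, evidence_dir, fetch)
        if not r["match"]:
            r["round"] = i
            hits.append(r)
    return hits

def demo():
    """Constructed data: a fake fetch returns substituted text on round 2 only."""
    clean, bogus = b"\x89PNG constructed image bytes", b"constructed spam text"
    calls = iter([clean, clean, bogus, clean])
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "photo.png"  # hypothetical stored file
        img.write_bytes(clean)
        hits = monitor("http://example.invalid/photo.png", img, d, 4,
                       fetch=lambda url: next(calls))
        return [(h["round"], h["served"] == sha256(bogus),
                 Path(h["evidence"]).exists()) for h in hits]
```

Where the check runs matters: a fetch from the server itself only tests the web server, while a fetch from a host outside the shared switch also covers the network path a remote user's download takes.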