Suspicious file

Hi All,

I'm investigating a suspicious file on AIX but don't have enough knowledge about the AIX patch environment.

My situation:

# ls -l /usr/bin/shell
sys1: -r-sr-xr-x    1 root     security       5326 Jun 05 2009  /usr/bin/shell
sys2: -r-sr-xr-x    1 root     security       5294 Jun 20 2006  /usr/bin/shell

Why are both files not the same regarding date and size?

# oslevel -s
sys1: 5300-11-02-1007
sys2: 5300-11-02-1007

# lslpp -L | grep bos.rte.security
sys1:   bos.rte.security          5.3.11.1    C     F    Base Security Function
sys2:   bos.rte.security          5.3.11.1    C     F    Base Security Function

As far as I can see both systems are running the same OS (level and patches).

What worries me is that other files in the bos.rte.security fileset are equal on both systems regarding date and size. So why is /usr/bin/shell different?

What is the AIX procedure to investigate this case?

Is there a way to find the patch/APAR that contains /usr/bin/shell so I can find the date and size /usr/bin/shell should be?

Greetings,
Peter

That's small enough it might even be a shell script, you can look at it with less or compare with diff and see what's different...

I have a server sitting at AIX 5300-06-03-0732 and one sitting at AIX 5300-12-01-1016 and both came back with the same file size as your system #2. Also both files have the same cksum values. Since this is an executable (RISC System/6000) file it's kind of hard to do a diff, unless there is a command out there to diff this type of file.

Were both of these boxes installed in the same fashion? Just thinking maybe one was a migration and one was a fresh install from CD/DVD. I don't have a box that has a fresh install to compare. Just a thought.

Justin

Both systems were installed with the same method (NIM) but the base installation was not the same level.

# lslpp -ah bos.rte.security
sys1: 5.3.9.1   COMMIT COMPLETE 06/05/09 18:17:00
      5.3.11.1  COMMIT COMPLETE 03/06/10 10:57:45
      5.3.11    APPLY  COMPLETE 03/06/10 10:52:51
sys2: 5.3.0.40  COMMIT COMPLETE 06/20/06 03:43:26
      5.3.11.1  COMMIT COMPLETE 03/06/10 11:46:51
      5.3.11.1  APPLY  COMPLETE 03/06/10 11:30:06

Still wondering why this one particular file was not updated, whereas all other files in bos.rte.security have dates matching the output of the above lslpp command.

--Peter

Most likely this file is never updated by a ML/TL - so you keep what you had during the base install of the OS - and when you installed different versions of the OS then you just have a slightly different version of this?

Regards
zxmaus

run

lslpp -w /usr/bin/shell

I think you're looking at the wrong package.

$ lslpp -w /usr/bin/shell
  File                                        Fileset               Type
  ----------------------------------------------------------------------------
  /usr/bin/shell                              bos.rte.security      File
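The thread boils down to comparing a setuid binary across two hosts and then checking which fileset owns it. The script below is an added example, not part of this thread or of AIX itself: it joins two `cksum` listings of setuid binaries (constructed inline here; on AIX each host's list would come from `find /usr/bin /usr/sbin -type f -perm -4000 | xargs cksum`) and reports files whose checksum or size differ or that exist on only one host. Against the installed software database, `lppchk -c bos.rte.security` verifies checksum and size of every file in that fileset, and `lslpp -w /usr/bin/shell` names the owning fileset as shown above.

```sh
#!/bin/sh
# Compare cksum listings of setuid binaries from two hosts.
# Format of each line (standard cksum output): <crc> <size> <path>

# Constructed sample data standing in for `find ... -perm -4000 | xargs cksum`
# run on sys1 and sys2; sizes for /usr/bin/shell mirror the thread's ls -l.
SYS1_CKSUMS='12345 5326 /usr/bin/shell
22222 1000 /usr/bin/su
33333 2000 /usr/bin/passwd'
SYS2_CKSUMS='67890 5294 /usr/bin/shell
22222 1000 /usr/bin/su
33333 2000 /usr/bin/passwd
44444 3000 /usr/bin/chsh'

# diff_cksums LIST_A LIST_B
# Prints one sorted line per discrepancy:
#   DIFF   <path> <crcA>/<sizeA> <crcB>/<sizeB>   checksum or size differs
#   ONLY_A <path>                                  present on host A only
#   ONLY_B <path>                                  present on host B only
diff_cksums() {
    tmp="${TMPDIR:-/tmp}"
    printf '%s\n' "$1" > "$tmp/cka.$$"
    printf '%s\n' "$2" > "$tmp/ckb.$$"
    awk '
        NR == FNR { a[$3] = $1 "/" $2; next }   # first file: host A
        {
            b[$3] = $1 "/" $2                   # second file: host B
            if (!($3 in a))      print "ONLY_B", $3
            else if (a[$3] != b[$3]) print "DIFF", $3, a[$3], b[$3]
        }
        END { for (p in a) if (!(p in b)) print "ONLY_A", p }
    ' "$tmp/cka.$$" "$tmp/ckb.$$" | sort
    rm -f "$tmp/cka.$$" "$tmp/ckb.$$"
}

# Number of discrepancies, usable as the exit status of a periodic check.
diff_count() {
    diff_cksums "$1" "$2" | wc -l | tr -d ' '
}

diff_cksums "$SYS1_CKSUMS" "$SYS2_CKSUMS"
```

Every path the script flags should then be traced with `lslpp -w` and verified with `lppchk -c` on the host whose copy is in doubt, since a differing size alone, as this thread shows, can simply reflect a different base install level.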