What is vmlinuz and why do I care?

linux ubuntu alerts vmlinuz

I just got a network alert that I've never seen before, on one of the few Ubuntu boxes that we have:

The following monitoring trigger has been fired:

/vmlinuz has been changed on server XXXXX: PROBLEM
2012.09.19 06:24:33
Trigger key: vfs.file.cksum[/vmlinuz]
Value: 3397367448
Host: XXXXX

The checksum of vmlinuz changed. I see from Wikipedia that this has something to do with the kernel.

Should I care that its checksum has changed? This particular server does run Wordpress which is known for vulnerabilities in its 3rd party plugins, so I tend to take alerts from it pretty seriously.

I'm making the conclusion that this server has been compromised. Better safe than sorry, as /var/log/apache2/access.log is 0 bytes, and there should be a bit (not much, but a bit) of data in there, and it clearly looks like something (a bot most likely) covering their tracks. Time to pull out last nights backup :)


This is the compressed kernel and you should care if it ever changed without you knowing about it, because if the kernel was replaced, you could be open to any attack. It may have been a legitimate reason, but unless you are sure, you should not trust the changed kernel.


I see from Wikipedia that this has something to do with the kernel

That is an understatement: The vmlinuz file is the kernel itself. It is this file which gets loaded when you boot your server, then it gets uncompressed (hence the 'z'), and then started.

If you recompiled or installed a new kernel then there is nothing to worry about. If you did no such thing then look closely at this file, or replace it with a know good version.

Making this file read-only with chattr and disallowing root to change this until after a reboot is also a good idea.


It is not something that has to do with your kernel, it is your kernel. If you reboot, and that file is corrupt, proverbial shit is going to hit the proverbial fan.

Did you have a kernel update at the time mentioned in the message?


That is the compressed (hence the "z") kernel image. It should have not changed short of you performing a kernel upgrade.

I'd guess that you are wise in your suspicion that this may be due to a vulnerability, but as you know, it could also be due to underlying disk or fs issues, in which case you should be seeing other file system error logs. Either way, it's something to check into.

Related

Installing HAProxy on CentOS 6.3?
Force HAProxy to lookup DNS for backend server
Ubuntu 16.04 Server MySql open_file_limit won't go higher than 65536
Set DNS server on OS X even when without internet connection
What is the best FREE VNC client and server compatible with Windows 7 and 2008 Server? [closed]
IIS7 - Basic Authentication Module missing?
Best compression for ZFS send/recv
Is there a way for administrators to disable users from installing Firefox extensions?
Is it possible to upgrade a Mac Pro (2007) with Lion (10.7) to Yosemite (10.10)?
Want scan-only virus removal, not real-time
Possible to prevent iPhone from automatically joining known networks?
Can't codesign due to " .DS_Store files cannot be a symlink"