What is vmlinuz and why do I care?

I just got a network alert that I've never seen before, on one of the few Ubuntu boxes that we have:

The following monitoring trigger has been fired:

/vmlinuz has been changed on server XXXXX: PROBLEM
2012.09.19 06:24:33
Trigger key: vfs.file.cksum[/vmlinuz]
Value: 3397367448
Host: XXXXX

The checksum of vmlinuz changed. I see from Wikipedia that this has something to do with the kernel.

Should I care that its checksum has changed? This particular server does run Wordpress which is known for vulnerabilities in its 3rd party plugins, so I tend to take alerts from it pretty seriously.


I'm making the conclusion that this server has been compromised. Better safe than sorry, as /var/log/apache2/access.log is 0 bytes, and there should be a bit (not much, but a bit) of data in there, and it clearly looks like something (a bot most likely) covering their tracks. Time to pull out last nights backup :)


This is the compressed kernel and you should care if it ever changed without you knowing about it, because if the kernel was replaced, you could be open to any attack. It may have been a legitimate reason, but unless you are sure, you should not trust the changed kernel.


I see from Wikipedia that this has something to do with the kernel

That is an understatement: The vmlinuz file is the kernel itself. It is this file which gets loaded when you boot your server, then it gets uncompressed (hence the 'z'), and then started.

If you recompiled or installed a new kernel then there is nothing to worry about. If you did no such thing then look closely at this file, or replace it with a know good version.

Making this file read-only with chattr and disallowing root to change this until after a reboot is also a good idea.


It is not something that has to do with your kernel, it is your kernel. If you reboot, and that file is corrupt, proverbial shit is going to hit the proverbial fan.

Did you have a kernel update at the time mentioned in the message?


That is the compressed (hence the "z") kernel image. It should have not changed short of you performing a kernel upgrade.

I'd guess that you are wise in your suspicion that this may be due to a vulnerability, but as you know, it could also be due to underlying disk or fs issues, in which case you should be seeing other file system error logs. Either way, it's something to check into.