What is vmlinuz and why do I care?


What is vmlinuz and why do I care? – Managing your servers can streamline the performance of your team by allowing them to complete complex tasks faster. Plus, it can enable them to detect problems early on before they get out of hand and compromise your business. As a result, the risk of experiencing operational setbacks is drastically lower.

But the only way to make the most of your server management is to perform it correctly. To help you do so, this article will share nine tips on improving your server management and work through a problem involving Linux, Ubuntu, monitoring alerts and vmlinuz.

I just got a network alert that I’ve never seen before, on one of the few Ubuntu boxes that we have:

The following monitoring trigger has been fired:

/vmlinuz has been changed on server XXXXX: PROBLEM
2012.09.19 06:24:33
Trigger key: vfs.file.cksum[/vmlinuz]
Value: 3397367448

The checksum of vmlinuz changed. I see from Wikipedia that this has something to do with the kernel.

Should I care that its checksum has changed? This particular server does run WordPress which is known for vulnerabilities in its 3rd party plugins, so I tend to take alerts from it pretty seriously.

I’m making the conclusion that this server has been compromised. Better safe than sorry, as /var/log/apache2/access.log is 0 bytes, and there should be a bit (not much, but a bit) of data in there, and it clearly looks like something (a bot most likely) covering their tracks. Time to pull out last night’s backup 🙂

Solution:

This is the compressed kernel, and you should care if it ever changes without you knowing about it, because if the kernel was replaced, you could be open to any attack. It may have been a legitimate reason, but unless you are sure, you should not trust the changed kernel.

I see from Wikipedia that this has something to do with the kernel

That is an understatement: The vmlinuz file is the kernel itself. It is this file which gets loaded when you boot your server, then it gets uncompressed (hence the ‘z’), and then started.

If you recompiled or installed a new kernel then there is nothing to worry about. If you did no such thing then look closely at this file, or replace it with a known good version.

Making this file read-only with chattr and disallowing root from changing it until after a reboot is also a good idea.

It is not something that has to do with your kernel, it is your kernel. If you reboot, and that file is corrupt, proverbial shit is going to hit the proverbial fan.

Did you have a kernel update at the time mentioned in the message?

That is the compressed (hence the “z”) kernel image. It should not have changed short of you performing a kernel upgrade.

I’d guess that you are wise in your suspicion that this may be due to a vulnerability, but as you know, it could also be due to underlying disk or fs issues, in which case you should be seeing other file system error logs. Either way, it’s something to check into.
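As an added example, not taken from the question or any of the answers above, here is a small POSIX shell script that does on the host what the Zabbix item vfs.file.cksum[/vmlinuz] does remotely: it records a known-good baseline for the kernel image right after an install or upgrade, and later reports whether the image (or the /vmlinuz symlink target) has changed since. Zabbix's vfs.file.cksum uses the same CRC as the UNIX cksum(1) command, so the baseline can be compared directly with the "Value" in an alert like the one in the question. The baseline path and the dpkg verification step are my assumptions about a Debian/Ubuntu environment, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original thread): baseline-and-compare check for the
# kernel image, mirroring what the Zabbix item vfs.file.cksum[/vmlinuz] reports.
# cksum(1) and vfs.file.cksum use the same CRC algorithm, so a baseline recorded
# with cksum can be compared against the "Value" shown in the alert.
# Assumption: the baseline file location below is illustrative.

# kernel_cksum FILE -> prints the cksum CRC of the file FILE ultimately points to.
# On Ubuntu /vmlinuz is a symlink into /boot, so the link is resolved first.
kernel_cksum() {
    target=$(readlink -f "$1") || return 2
    [ -r "$target" ] || return 2
    cksum < "$target" | awk '{print $1}'
}

# record_baseline FILE BASELINE -> stores "crc resolved-target" for later comparison.
# Run this once, right after a kernel you trust has been installed.
record_baseline() {
    crc=$(kernel_cksum "$1") || return 2
    printf '%s %s\n' "$crc" "$(readlink -f "$1")" > "$2"
}

# check_kernel FILE BASELINE -> 0 unchanged, 1 changed (CRC or symlink target), 2 error.
# A changed symlink target usually means a kernel package was installed; a changed
# CRC with the same target means the image itself was rewritten.
check_kernel() {
    [ -r "$2" ] || { echo "no baseline for $1" >&2; return 2; }
    read -r base_crc base_target < "$2"
    cur_target=$(readlink -f "$1") || return 2
    cur_crc=$(kernel_cksum "$1") || return 2
    if [ "$cur_target" != "$base_target" ]; then
        echo "CHANGED: $1 now points to $cur_target (was $base_target)"
        return 1
    fi
    if [ "$cur_crc" != "$base_crc" ]; then
        echo "CHANGED: $1 cksum $cur_crc (baseline $base_crc)"
        return 1
    fi
    echo "OK: $1 cksum $cur_crc matches baseline"
    return 0
}

# verify_with_dpkg FILE -> on Debian/Ubuntu, ask the package manager whether the
# kernel image still matches what its package shipped (assumes dpkg >= 1.17 for
# --verify). Exit status is dpkg's: non-zero when a shipped file differs.
verify_with_dpkg() {
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not available" >&2; return 2; }
    target=$(readlink -f "$1") || return 2
    pkg=$(dpkg -S "$target" 2>/dev/null | cut -d: -f1)
    [ -n "$pkg" ] || { echo "$target not owned by any package" >&2; return 2; }
    dpkg --verify "$pkg"
}

# Usage: record once after a known-good install/upgrade, then check periodically.
#   record_baseline /vmlinuz /var/lib/kernel-baseline
#   check_kernel    /vmlinuz /var/lib/kernel-baseline
#   verify_with_dpkg /vmlinuz
```

Keep the baseline somewhere the monitored host cannot rewrite (the monitoring server, or read-only media); a baseline stored next to the kernel is only as trustworthy as the kernel. Pair the check with the chattr +i suggestion from the first answer so that a rewrite of the image requires clearing the attribute first, which is itself an auditable event.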
