Why does "cat | wc -c" shows different size than "ls -l" for a specific file?

Question

The distro is Ubuntu 22.04 and I'm running a newly-created ext4 filesystem that I have copied my setup to (using rsync on a different machine). I was running a manually written (python) filesystem performance test, which worked normally on different machines. Absolutely acidentally I discovered some sort of incorrect behavior in wc (or ls) which manifests itself only for a particular file on my system - as far as I have discovered now - /usr/bin/pkexec. If this is related, the box is running official Ubuntu's coreutils version 8.32-4.

This is an example of the action I'm talking about for any different file:

$ ls -l /usr/bin/top
-rwxr-xr-x 1 root root 379389 Jun 11 12:04 /usr/bin/top
$ cat /usr/bin/top | wc -c
379389
$

Note the size shown by ls and wc. It is the same.

Now, there is a file /usr/bin/pkexec. Which is, according to man page,

      pkexec - Execute a command as another user

This happens with it

$ ls -l /usr/bin/pkexec
-rwsr-xr-x 1 root root 519851 Jun  11 12:04 /usr/bin/pkexec
$ cat /usr/bin/pkexec | wc -c
32145
$

The size is different. Quite really different.
I thought that it is related to some filesystem corruption, and I ran fsck in recovery mode. Nothing have changed.
Then I took the disk to the machine where the rsync was originally done. (It is running Arch Linux). I mounted the Ubuntu's root partition there. Wow!

# ls -l /mnt/disk/usr/bin/pkexec
-rwsr-xr-x 1 root root 519851 Jun  11 12:04 /mnt/disk/usr/bin/pkexec
# cat /mnt/disk/usr/bin/pkexec | wc -c
519851
#

Here the sizes are shown equal. I do not understand. I have a different Ubuntu box with the same version where the information about the above file is this:

$ ls -l /usr/bin/pkexec
-rwsr-xr-x 1 root root 32145 Jul  26 14:45 /usr/bin/pkexec
$ cat /usr/bin/pkexec | wc -c
32145
$

The size matches here. And I see that the correct size for this file in this version of Ubuntu is "32145". But on the first machine I see sizes which don't even match each other in wc and ls. I had these explanations possibly

• Machines had different updates installed. But why are the sizes shown different between utilities?
• This is some sort of runtime protection for this /usr/bin/pkexec binary file, as I see that it's SUID - maybe OS is protecting it by showing incorrect data to users? But why this behavior is seen only on one machine then and not the others?

Thanks for help and explanations. I think I don't understand something important about Linux.

P.S. The problem also exists if I read dir "/usr/bin" in some langs like Python, and retrieve metadata of files. Then I read each file and check the result length. With pkexec - in metadata it's 519851 bytes. But if I read the file , it's much shorter - only 32145 bytes. Thanks.

Answer 1

It turned out the system was compromised.

Most likely ld preload was abused to hide malicious actions.
These were boot messages I've seen, looked like all processes ran the same code:

[    9.481844] systemd uses obsolete (PF_INET,SOCK_PACKET)
[   11.791376] udev uses obsolete (PF_INET,SOCK_PACKET)
...
[  101.107952] systemd-logind uses obsolete (PF_INET,SOCK_PACKET)

I took the disk to different machine and saw there is /etc/ld.so.preload file existing. There is no such file in the stock Ubuntu installation.

I choosed to reinstall Ubuntu.