Old 09-26-2011, 01:20 PM
Micky L Martin
 
Default Files being modified in /bin/

For the binary experts.
I have a situation here. Something hideously but continuously is modifying the /bin/ executables as common as coreutils and net-tools. I can verify that from md5sum. First thing I checked was 'ls' and it has a checksum mismatch. So I removed it and reinstalled it. Then I moved the file somewhere else to cross bisect it.

I did a hexdump on original ls file and the modified file, and there was some 700 lines of hex code additional in the modified file. Then I set a cron to check and do md5sum on all system files and after half an hour, I got a report back. Files modified.

This time when checked the hex dump of newly and earlier modified files, they were the same. Exact same!
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.

Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?

-Micky.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-26-2011, 01:25 PM
Jeremy Sanders
 
Default Files being modified in /bin/

Micky L Martin wrote:

> Because rpm and rpmverify also seemed to have been modified so I cannot
> trust 'rpm -V' package verification.
>
> Already did lsof and process tracing but to no avail. Does anyone have any
> idea how to find that culprit?

Are you sure it's not prelink that's modifying the files? You can google how
to disable this.

Boot from a CD to check the checksums or run rpm if you want a clean
environment.

Jeremy
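
The two checks suggested in the reply above (rule out prelink, and verify from a clean environment) can be combined as follows. This is an added example, not part of the original thread: it assumes a baseline in `md5sum` format made from known-good, un-prelinked copies, and the names `PRELINK`, `classify` and `check_baseline` are the example's own.

```bash
#!/bin/sh
# Added example (not from the thread). Compares files against a baseline in
# `md5sum` format and separates prelink rewrites from other modifications.
# Assumption: the baseline was made from known-good, un-prelinked copies.
# PRELINK may point at a trusted prelink binary, e.g. one on rescue media.
PRELINK="${PRELINK:-prelink}"

md5_of() { md5sum "$1" | awk '{print $1}'; }

# MD5 of FILE with prelinking undone. Prints nothing when prelink is absent
# or refuses the file (for example, it was changed after being prelinked).
unprelinked_md5() {
    "$PRELINK" --verify --md5 "$1" 2>/dev/null | awk '{print $1}'
}

# classify FILE EXPECTED_MD5 -> prints ok | prelinked | MODIFIED | missing
classify() {
    [ -r "$1" ] || { echo missing; return 0; }
    if [ "$(md5_of "$1")" = "$2" ]; then
        echo ok
    elif [ "$(unprelinked_md5 "$1")" = "$2" ]; then
        echo prelinked      # on-disk bytes differ only by prelink's rewrite
    else
        echo MODIFIED       # differs even with prelinking undone
    fi
}

# check_baseline BASELINE [ROOT]: one "status path" line per baseline entry.
# ROOT is prepended to each path, e.g. the mount point of the suspect system
# when working from rescue media.
check_baseline() {
    while read -r sum path; do
        [ -n "$path" ] || continue
        printf '%s %s\n' "$(classify "${2:-}$path" "$sum")" "$path"
    done < "$1"
}

# Usage: sh thisfile BASELINE [ROOT]
if [ "$#" -ge 1 ]; then check_baseline "$@"; fi
```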


 
Old 09-26-2011, 01:29 PM
Rob Kampen
 
Default Files being modified in /bin/

Jeremy Sanders wrote:

> Micky L Martin wrote:
>
>> Because rpm and rpmverify also seemed to have been modified so I cannot
>> trust 'rpm -V' package verification.
>>
>> Already did lsof and process tracing but to no avail. Does anyone have any
>> idea how to find that culprit?
>
> Are you sure it's not prelink that's modifying the files? You can google how
> to disable this.

Any comments or thoughts from the list as to the benefit of prelink?
Does the system performance change if this is disabled?
It causes issues with aide also.

> Boot from a CD to check the checksums or run rpm if you want a clean
> environment.
>
> Jeremy


 
