Old 09-26-2011, 01:44 PM
Micky L Martin
 
Default Files being modified in /bin/

So apparently prelink was running. I disabled it in /etc/sysconfig/prelink and ran 'prelink -ua' to undo the linking.
I just stumbled upon a document (attached) describing how Linux used to have a.out and now the ELF.

Though I never knew that prelink actually modifies the files and thought of it as a cache library or something. Literally modifies!!
So, I assume the problem is solved as ls seems to have reverted back but if not then it may be an LKM kit :|

On Mon, Sep 26, 2011 at 6:29 AM, Rob Kampen <rkampen@kampensonline.com> wrote:
> Jeremy Sanders wrote:
> > Micky L Martin wrote:
> >
> >> Because rpm and rpmverify also seemed to have been modified so I cannot
> >> trust 'rpm -V' package verification.
> >>
> >> Already did lsof and process tracing but to no avail. Does anyone have any
> >> idea how to find that culprit?
> >
> > Are you sure it's not prelink that's modifying the files? You can google how to disable this.
>
> Any comments or thoughts from the list as to the benefit of prelink?
> Does the system performance change if this is disabled?
> It causes issues with aide also.
>
> > Boot from a CD to check the checksums or run rpm if you want a clean environment.
> >
> > Jeremy

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 09-26-2011, 02:11 PM
 
Default Files being modified in /bin/

Jeremy Sanders wrote:
> Micky L Martin wrote:
>
>> Because rpm and rpmverify also seemed to have been modified so I cannot
>> trust 'rpm -V' package verification.
>>
>> Already did lsof and process tracing but to no avail. Does anyone have
>> any idea how to find that culprit?
>
> Are you sure it's not prelink that's modifying the files? You can google
> how to disable this.
>
> Boot from a CD to check the checksums or run rpm if you want a clean
> environment.

Don't really know about prelink, but I strongly agree with the last
suggestion: boot from a CD, or USB key, or something *other* than your
hard drive - your comments strongly suggest that you've been infected. You
*do* have backups of your configuration and data (and home directories,
etc)? If so, you might want to do a reinstall without formatting... and
then, and only then, rerun grub-install.

mark

 
Old 09-26-2011, 02:27 PM
Micky L Martin
 
Default Files being modified in /bin/

No Jeremy, reformatting is nonsensical, like doing anything without finding cause of the problem is!
You have to check out prelink if you still don't know about it, it can be something amazing or ridiculous.
In my case, all evidence points to prelink!

To the guys using prelink and having experience with it.
So I did a further study and found out that it possesses some issues.

First it doesn't randomly address the data making applications prone to perl security attacks. Secondly, its way of keeping track of address maps is awkward which becomes a few weeks older till it gets updated.
Thirdly, it's 'a very old styled' application. It was written back in 90's when computers were slow to make them fast. But with today's extraneous processing age, its effects are long vanishing.
Lastly, I see a lot of people remove it in post installation process. Many claim it sucks as it creates more problems than what it is supposed to do.
As I occasionally do a minimal install so I am not sure how it got installed on this very box. Seems like 'yum update' or the kickstart did it.
But anyhow I disabled it already and I am gonna benchmark the system for performance; needless to say, it will be removed from my desk.
It did pop like a jack in a box :P!

On Mon, Sep 26, 2011 at 7:11 AM, <m.roth@5-cent.us> wrote:
> Jeremy Sanders wrote:
> > Micky L Martin wrote:
> >
> >> Because rpm and rpmverify also seemed to have been modified so I cannot
> >> trust 'rpm -V' package verification.
> >>
> >> Already did lsof and process tracing but to no avail. Does anyone have
> >> any idea how to find that culprit?
> >
> > Are you sure it's not prelink that's modifying the files? You can google
> > how to disable this.
> >
> > Boot from a CD to check the checksums or run rpm if you want a clean
> > environment.
>
> Don't really know about prelink, but I strongly agree with the last
> suggestion: boot from a CD, or USB key, or something *other* than your
> hard drive - your comments strongly suggest that you've been infected. You
> *do* have backups of your configuration and data (and home directories,
> etc)? If so, you might want to do a reinstall without formatting... and
> then, and only then, rerun grub-install.
>
> mark

 
Old 09-26-2011, 07:01 PM
Jeremy Sanders
 
Default Files being modified in /bin/

Micky L Martin wrote:

> No Jeremy, reformatting is nonsensical, like doing anything without
> finding cause of the problem is!
> You have to check out prelink if you still don't know about it, it can be
> something amazing or ridiculous.
> In my case, all evidence points to prelink!

Think you got the name wrong - I'm Jeremy. You're replying to Mark. I agree
reformatting is premature.

 
Old 09-26-2011, 07:06 PM
Les Mikesell
 
Default Files being modified in /bin/

On Mon, Sep 26, 2011 at 9:27 AM, Micky L Martin <mickylmartin@gmail.com> wrote:
> No Jeremy, reformatting is nonsensical, like doing anything without finding
> cause of the problem is!
> You have to check out prelink if you still don't know about it, it can be
> something amazing or ridiculous.
> In my case, all evidence points to prelink!

rpm -Va should show you all the files that have changed since being
installed (via rpm or yum...). And it should know about prelink.

--
Les Mikesell
lesmikesell@gmail.com
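
Added example, not part of the thread: one way to triage the `rpm -Va` output suggested above, reporting only missing files and digest or permission changes on executables and libraries while skipping config files and mtime-only differences. The sample lines are constructed, the function names are hypothetical, and the `/mnt/sysimage` mount point in the usage comment is an assumption for a system mounted from rescue media.

```shell
#!/bin/sh
# Triage `rpm -Va` output. To avoid trusting the installed rpm binary, run the
# verification from rescue media against the mounted system, for example
# (mount point is an assumption):
#   rpm -Va --root /mnt/sysimage | triage_rpm_verify
# Paths containing spaces are not handled by this sketch.

triage_rpm_verify() {
    awk '
    # rpm -V line: <flags> [c|d|g|l|r] <path>. flags is "missing" or a string
    # such as S.5....T. in which each letter marks a failed test.
    {
        flags = $1
        kind  = (NF >= 3 && length($2) == 1) ? $2 : ""
        path  = $NF
        exe   = (path ~ /^\/(usr\/)?(s?bin|lib(64)?)\//)

        if (kind == "c")        next                     # config files are expected to change
        if (flags == "missing") { print "MISSING " path; next }
        if (!exe)               next                     # docs, data files and so on
        if (index(flags, "5"))  { print "DIGEST " path; next }   # content differs from package
        if (flags ~ /[MUG]/)    { print "PERMS " path; next }    # mode, user or group changed
        # size or mtime difference only: not reported
    }'
}

# Constructed sample in the format rpm -Va prints.
sample_rpm_va() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /bin/ls
.......T.    /usr/bin/less
.M.......    /usr/sbin/sshd
missing      /usr/bin/rpmverify
S.5....T.  d /usr/share/doc/foo/README
EOF
}

sample_rpm_va | triage_rpm_verify
```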
 
Old 09-26-2011, 07:26 PM
 
Default Files being modified in /bin/

Jeremy Sanders wrote:
> Micky L Martin wrote:
>
>> No Jeremy, reformatting is nonsensical, like doing anything without
>> finding cause of the problem is!
>> You have to check out prelink if you still don't know about it, it can
>> be something amazing or ridiculous.
>> In my case, all evidence points to prelink!
>
> Think you got the name wrong - I'm Jeremy. You're replying to Mark. I
> agree reformatting is premature.

Oh, I was *not* recommending reformatting; you can install over, without
reformatting, though it always says that it's not recommended.

mark
