[rhelv5-list] Hidden process modifying system files

For the binary experts.

I have a situation here. Something is hideously but continuously modifying the /bin/ executables as common as coreutils and net-tools.
I can verify that from md5sum. The first thing I checked was 'ls', and it had a checksum mismatch. So I removed it and reinstalled it. Then I moved the file somewhere else to cross bisect it.

I did a hexdump on the original ls file and the modified file, and there were some 700 additional lines of hex code in the modified file.
Then I set a cron to check and do md5sum on all system files, and after half an hour I got a report back. Files modified.

This time, when I checked the hex dumps of the newly and earlier modified files, they were the same. Exact same!

Because rpm and rpmverify also seem to have been modified, I cannot trust 'rpm -V' package verification.

I already did lsof and process tracing, but to no avail. Does anyone have any idea how to find that culprit?
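
An added example, not part of the original post: the checksum-and-compare routine described above as three shell functions that build a baseline manifest, report changed files with their size growth and change time, and hash only the extra bytes so the modification can be compared across different binaries. It assumes the tools (sha256sum, stat, cmp, tail) are run from trusted media, uses SHA-256 instead of the post's md5sum, and treats "extra bytes appended at the end" as one case to test for, which the post does not state.

```shell
#!/bin/sh
# Added example. Assumes GNU sha256sum, stat, cmp and tail from trusted media,
# because the on-host coreutils and rpm are suspect. Filenames containing
# newlines are not supported.

# make_manifest DIR: print "sha256 size path" for every regular file in DIR.
make_manifest() {
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
                            "$(stat -c %s "$f")" "$f"
    done
}

# check_manifest MANIFEST: print "path size_delta ctime" per changed file.
# ctime narrows the time window in which the modification happened.
# Returns 1 if anything changed or is missing, 0 otherwise.
check_manifest() {
    changed=0
    while read -r hash size path; do
        if [ ! -f "$path" ]; then
            printf '%s MISSING\n' "$path"; changed=1; continue
        fi
        now=$(sha256sum < "$path" | cut -d' ' -f1)
        if [ "$now" != "$hash" ]; then
            delta=$(( $(stat -c %s "$path") - size ))
            printf '%s %s %s\n' "$path" "$delta" "$(stat -c %z "$path")"
            changed=1
        fi
    done < "$1"
    return "$changed"
}

# appended_payload_hash CLEAN MODIFIED: if MODIFIED is CLEAN plus trailing
# bytes, print the sha256 of only those trailing bytes; otherwise print
# "not-a-pure-append" (the change is inside the file, not at its end).
appended_payload_hash() {
    n=$(stat -c %s "$1")
    if [ "$(stat -c %s "$2")" -gt "$n" ] && cmp -s -n "$n" "$1" "$2"; then
        tail -c +"$((n + 1))" "$2" | sha256sum | cut -d' ' -f1
    else
        echo "not-a-pure-append"
    fi
}
```

Keep the manifest and the clean reference copies off the affected host; equal payload hashes for two different binaries mean the same bytes were added to both.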


