On Monday 25 February 2013 14:24:28 Gelen James wrote:
> 'rpm -V' can be misleading, if taking into account of prelink on
> Redhat/Centos Boxes which is running through cron by default. I've shown
> the steps on reverse the effect of prelink at the comments sections at
> link https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229?storyid=15229.
> I'm afraid that 'rpm -V' only will make big noises or false alarms.

I think you may be confused as to the normal interaction between prelink and
"rpm -V". rpm knows about and disregards prelink sections in its verification:

[root@n1 ~]# md5sum /usr/bin/wc
4d97cc9894946fbb7ba45d0a247f16da  /usr/bin/wc
[root@n1 ~]# prelink -m /usr/bin/wc
[root@n1 ~]# md5sum /usr/bin/wc
2db523c558b713b92987747dcbe59005  /usr/bin/wc
[root@n1 ~]# rpm -V coreutils
[root@n1 ~]# prelink -vu /usr/bin/wc
[root@n1 ~]# md5sum /usr/bin/wc
4d97cc9894946fbb7ba45d0a247f16da  /usr/bin/wc
[root@n1 ~]# rpm -V coreutils
[root@n1 ~]#

/Peter
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
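The reply above shows "rpm -V" staying silent across prelink and un-prelink, so a digest flag ("5") on a packaged binary is not explained by prelink alone. The following is an added example, not part of the original message: it parses "rpm -V" output and lists non-config files whose digest differs. The sample output and the function names are constructed for illustration.

```python
import re

# rpm -V line: 9 attribute flags (8 on older rpm), optional file-type
# marker (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
LINE_RE = re.compile(r'^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$')
MISSING_RE = re.compile(r'^missing\s+(?:([cdglr])\s+)?(/.*)$')

def parse_rpm_verify(text):
    """Return one dict per file reported by `rpm -V`."""
    results = []
    for line in text.splitlines():
        line = line.rstrip()
        m = MISSING_RE.match(line)
        if m:
            results.append({"path": m.group(2), "kind": m.group(1),
                            "flags": None, "missing": True})
            continue
        m = LINE_RE.match(line)
        if m:
            results.append({"path": m.group(3), "kind": m.group(2),
                            "flags": m.group(1), "missing": False})
    return results

def suspicious(entries):
    """Paths with a digest mismatch that are not config, doc or ghost files."""
    out = []
    for e in entries:
        if e["missing"] or e["kind"] in ("c", "d", "g"):
            continue
        if "5" in e["flags"]:
            out.append(e["path"])
    return out

# Constructed sample output, not taken from a real host.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/wc
S.5....T.    /usr/sbin/sshd
missing     /usr/bin/example-tool
..?......    /usr/bin/sudo
"""

if __name__ == "__main__":
    for path in suspicious(parse_rpm_verify(SAMPLE)):
        print("digest mismatch on packaged file:", path)
```

A "?" in the digest position means rpm could not read the file (for example when run as a non-root user), so such lines are parsed but not reported as mismatches.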