I appear to be attacking others




Steve Bergman wrote:
> 
> # rpm -e --nodeps procps
> # find / -name ps -ls
> # find / -name top -ls
> # yum install procps

Another neat trick is to let RPM help you find altered executables that it
knows about, in case the rootkit replaced some other things (again,
better to reinstall from scratch):

  rpm -Va

The first three characters are the most important to look at; they'll
tell you if the size/md5sum is off. Here's a quick cheatsheet paste from
the man page:

  S file Size differs
  M Mode differs (includes permissions and file type)
  5 MD5 sum differs
  D Device major/minor number mismatch
  L readLink(2) path mismatch
  U User ownership differs
  G Group ownership differs
  T mTime differs

You'll see a lot of stuff, don't panic -- it's very common to get
changes listed in /etc/ and /usr/share/, among others. Pay keen
attention to anything in bin (/bin, /sbin, /usr/bin, /usr/sbin, etc.) as
they are the most likely targets.

-te

-- 
Troy Engel | Systems Engineer
Fluid, Inc | http://www.fluid.com
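
Added example, not part of the original message: a small filter that narrows `rpm -Va` output to the bin directories and to the first three flag characters (size, mode, digest) described above. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Filter `rpm -Va` output (read on stdin) down to files under bin directories
# whose size (S), mode (M) or digest (5) differs, plus files reported missing.
# Only the first three flag characters are inspected, so the 8-character flag
# field quoted from the man page and the longer field of newer rpm both work.
suspect_binaries() {
    awk '
    {
        flags = $1      # e.g. "S.5....T" or the word "missing"
        path  = $NF     # file path is always the last field
        # Keep /bin, /sbin, /usr/bin, /usr/sbin and similar directories only.
        if (path !~ /\/s?bin\//) next
        if (flags == "missing") { print "MISSING " path; next }
        head = substr(flags, 1, 3)
        # "..." means size, mode and digest all match the RPM database.
        if (head != "...") print head " " path
    }'
}

# Constructed sample of `rpm -Va` output, so the filter can be tried offline.
sample_output() {
cat <<'EOF'
S.5....T c /etc/ssh/sshd_config
.......T   /usr/share/doc/foo/README
S.5....T   /bin/ps
..5.....   /usr/bin/top
.M......   /usr/sbin/sshd
.......T   /usr/bin/less
missing    /sbin/ifconfig
EOF
}

# Demo on the constructed sample; on a real host use: rpm -Va | suspect_binaries
sample_output | suspect_binaries
```

The RPM database and the rpm binary live on the same host being checked, so a clean result is weaker evidence than a flagged one, which is why reinstalling from scratch remains the safer route.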
