I'm new to this list, so feel free to update me on any rules that I seem not to be familiar with. I'm looking at some strange behavior on a _very_ barebones installation. I'd like to get some feedback on possible logical explanations. * What I'm seeing: The md5sum of all of my binaries in /usr/bin and /usr/sbin are changing exactly one hour after installation of CentOS-4.3. The sizes of the files are increased, with minor changes visible at the beginning of the files, and a large chunk added to the end. Other files are also changing (under /usr/lib for example. Tripwire, if installed, goes *nuts*). My first inclination is that this is a virus, but I have installed this OS on a non-networked machine from what I believe to be clean CDs. * More information: I downloaded the x86_64 installation ISOs from wuarchive.wustl.edu. I checked md5sums and burned the ISO images to CD and then checked the md5sums again. I am assuming this to mean that the CDs are OK. I then installed the "Minimal" package from these CDs onto a machine which was not connected to the network. I allowed the installer to reformat the partitions, and generally used default options wherever possible. I then rebooted the machine, and checked the md5sum of an example program (/usr/sbin/lsof). I set up a script to log the md5sum of /usr/sbin/lsof every 1 minute and let it run overnight. Exactly 1 hour after the machine had come up, the md5sum of /usr/sbin/lsof was now changed and the binary no longer matched a copy I had made into root's home. Virus checkers such as clamav and f-prot (with updated databases) are negative. These are launched from a Helix Incident Response LiveCD. I have repeated this experiment dozens of times now with different options, settings, etc. Always with the same outcome. I find it hard to believe there is a virus on the CentOS-4.3 installation ISOs, but I'm having trouble coming up with other explanations. For starters, what is the md5sum of *your* /usr/sbin/lsof (if you've installed x86_64)? Any ideas on what is going on here? I can perform pretty much any experiments you can think of on this machine. Am I missing a way for a virus to survive a reformat of the hard drive? Thanks in advance for any help, John Ziniti _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos