
On Monday 25 February 2013 14:24:28 Gelen James wrote:
'rpm -V' can be misleading if you take into account prelink on
Redhat/CentOS boxes, which runs through cron by default. I've shown
the steps to reverse the effect of prelink in the comments section at
link https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229?storyid22
9. I'm afraid that 'rpm -V' only will make big noises or false alarms.

I think you may be confused as to the normal interaction between prelink and
"rpm -V". rpm knows about and disregards prelink sections in its verification:


[root@n1 ~]# md5sum /usr/bin/wc
4d97cc9894946fbb7ba45d0a247f16da /usr/bin/wc
[root@n1 ~]# prelink -m /usr/bin/wc
[root@n1 ~]# md5sum /usr/bin/wc
2db523c558b713b92987747dcbe59005 /usr/bin/wc
[root@n1 ~]# rpm -V coreutils
[root@n1 ~]# prelink -vu /usr/bin/wc
[root@n1 ~]# md5sum /usr/bin/wc
4d97cc9894946fbb7ba45d0a247f16da /usr/bin/wc
[root@n1 ~]# rpm -V coreutils
[root@n1 ~]#


/Peter
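
Added example, not part of the original post: the session above shows that prelinking alone leaves `rpm -V` silent, so a digest flag on a non-config file deserves a closer look. This sketch triages `rpm -V` output; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -V` / `rpm -Va` output read on stdin.
# Output categories (names chosen for this example):
#   DIGEST <path>      content digest differs (flag "5" in column 3)
#   UNREADABLE <path>  digest could not be checked (flag "?")
#   MISSING <path>     file is absent
triage_rpm_verify() {
    awk '
    {
        p = index($0, "/")      # the path starts at the first slash
        if (p == 0) next        # not a file line
        path = substr($0, p)
    }
    $1 == "missing" { print "MISSING " path; next }
    # Attribute string is 8 characters on older rpm, 9 on newer.
    length($1) < 8 || length($1) > 9 || $1 !~ /^[.?SM5DLUGTP]+$/ { next }
    $2 == "c" { next }          # edited config files are expected to differ
    {
        d = substr($1, 3, 1)
        if (d == "5") print "DIGEST " path
        else if (d == "?") print "UNREADABLE " path
    }'
}

# Constructed sample lines in rpm -V format (not from a real host).
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/wc
S.5....T.    /usr/sbin/sshd
missing     /usr/bin/example-tool
..?......    /usr/bin/sudo
.M.......  d /usr/share/doc/foo/README
EOF
}

# On a real host: rpm -Va 2>/dev/null | triage_rpm_verify
sample_rpm_verify_output | triage_rpm_verify
```
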