For the binary experts.<div><br></div><div>I have a situation here. Something hideously but continuously is modifying the /bin/ executables as common as coreutils and net-tools.</div><div>I can verify that from md5sum. First thing I checked was 'ls' and it has a checksum mismatch. So I removed it and reinstalled it. Then I moved the file somewhere else to cross bisect it. </div>
<div><br></div><div>I did a hexdump on original ls file and the modified file, and there was some 700 lines of hex code additional in the modified file.</div><div>Then I set a cron to check and do md5sum on all system files and after half an hour, I go a report back. Files modified.</div>
<div><br></div><div>This time when checked the hex dump of newly and earlier modified files, they were the same. Exact same!</div><div><br></div><div>Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.</div>
<div><br></div><div>Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?</div><div><br></div><div><br></div><div>-Micky.</div>