Steve Bergman wrote:
    # rpm -e --nodeps procps
    # find / -name ps -ls
    # find / -name top -ls
    # yum install procps

Another neat trick is to let RPM help you find altered executables that it knows about, in case the rootkit replaced some other things (again, better to reinstall from scratch):
rpm -Va
The first three characters are the most important to look at; they'll tell you if the size/md5sum is off. Here's a quick cheatsheet paste from the man page:

    S    file Size differs
    M    Mode differs (includes permissions and file type)
    5    MD5 sum differs
    D    Device major/minor number mismatch
    L    readLink(2) path mismatch
    U    User ownership differs
    G    Group ownership differs
    T    mTime differs

You'll see a lot of stuff, don't panic -- it's very common to get changes listed in /etc/ and /usr/share/, among others. Pay keen attention to anything in bin (/bin, /sbin, /usr/bin, /usr/sbin, etc.) as they are the most likely targets.
-te
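
The triage described in the message above, as an added example that is not part of the original thread: a filter that reduces `rpm -Va` output to files under a bin or sbin directory whose first three flag characters (size, mode, MD5) are set, plus missing files. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).
# Real use:  rpm -Va | flag_altered_bins

# Constructed sample of `rpm -Va` output, so the example runs offline.
sample_rpm_va() {
    cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/foo/README
S.5....T    /bin/ps
..5....T    /usr/bin/top
.......T    /usr/sbin/crond
.M.....     /sbin/ifconfig
missing     /usr/bin/w
EOF
}

# Keep only paths that sit under a bin/ or sbin/ directory, then report:
#   - files RPM lists as missing
#   - files where any of the first three flags (S, M, 5) is not "."
# The path is taken as the last field, so the optional attribute
# marker (c, d, g, ...) between the flags and the path is skipped.
flag_altered_bins() {
    awk '
        $NF !~ /\/s?bin\//        { next }
        $1 == "missing"           { print "MISSING\t" $NF; next }
        substr($1, 1, 3) != "..." { print $1 "\t" $NF }
    '
}

# Demonstration on the constructed sample.
sample_rpm_va | flag_altered_bins
```

An mTime-only change (the /usr/sbin/crond line in the sample) is dropped by this filter, as are the /etc and /usr/share entries.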