On Mon, 2006-02-06 at 09:09 -0800, Troy Engel wrote:
> Another neat trick is to let RPM help you find altered executables that it knows about, in case the rootkit replaced some other things (again, better to reinstall from scratch):
> rpm -Va
Well, that's certainly handy.
However, on my own personal system, with a relatively fresh install of CentOS 4.2, with good passwords and updates applied within 24 hours of issue, behind a hardware firewall with sshd being the only exposed service, and that being tcpwrapper protected to only accept connections from a few trusted machines, I get the output below from 'rpm -Va | grep -e libexec -e '/bin/'.
Also, how do rpm -V and prelink interact? Are the binaries in an rpm already prelinked?
S.5....T. /usr/bin/activation-client
S.5....T. /usr/bin/bonobo-activation-run-query
S.5....T. /usr/libexec/bonobo-activation-server
S.5....T. /usr/bin/dbus-cleanup-sockets
S.5....T. /usr/bin/dbus-daemon-1
S.5....T. /usr/bin/dbus-send
S.5....T. /usr/bin/fc-cache
S.5....T. /usr/bin/fc-list
S.5....T. /usr/bin/gconf-merge-tree
S.5....T. /usr/bin/gconftool-2
S.5....T. /usr/libexec/gconf-sanity-check-2
S.5....T. /usr/libexec/gconfd-2
S.5....T. /usr/libexec/gam_server
S.5....T. /usr/bin/cjpeg
S.5....T. /usr/bin/djpeg
S.5....T. /usr/bin/jpegtran
S.5....T. /usr/bin/rdjpgcom
S.5....T. /usr/bin/wrjpgcom
S.5....T. /usr/bin/alsalisp
S.5....T. /usr/bin/aserver
S.5....T. /usr/bin/gnomevfs-cat
S.5....T. /usr/bin/gnomevfs-copy
S.5....T. /usr/bin/gnomevfs-info
S.5....T. /usr/bin/gnomevfs-ls
S.5....T. /usr/bin/gnomevfs-mkdir
S.5....T. /usr/bin/gnomevfs-rm
S.5....T. /usr/libexec/gnome-vfs-daemon
S.5....T. /usr/bin/chattr
S.5....T. /usr/bin/lsattr
S.5....T. /usr/bin/uuidgen
S.5....T. /usr/bin/dbus-glib-tool
S.5....T. /usr/bin/dbus-monitor
S.5....T. /usr/bin/fax2ps
S.5....T. /usr/bin/fax2tiff
S.5....T. /usr/bin/gif2tiff
S.5....T. /usr/bin/pal2rgb
S.5....T. /usr/bin/ppm2tiff
S.5....T. /usr/bin/ras2tiff
S.5....T. /usr/bin/raw2tiff
S.5....T. /usr/bin/rgb2ycbcr
S.5....T. /usr/bin/thumbnail
S.5....T. /usr/bin/tiff2bw
S.5....T. /usr/bin/tiff2pdf
S.5....T. /usr/bin/tiff2ps
S.5....T. /usr/bin/tiff2rgba
S.5....T. /usr/bin/tiffcmp
S.5....T. /usr/bin/tiffcp
S.5....T. /usr/bin/tiffdither
S.5....T. /usr/bin/tiffdump
S.5....T. /usr/bin/tiffinfo
S.5....T. /usr/bin/tiffmedian
S.5....T. /usr/bin/tiffset
S.5....T. /usr/bin/tiffsplit
S.5....T. /usr/libexec/evolution-data-server-1.0
S.5....T. /usr/bin/xmlwf
S.5....T. /usr/bin/hal-get-property
S.5....T. /usr/bin/hal-set-property
S.5....T. /usr/bin/lshal
S.5....T. /usr/libexec/hal-hotplug-map
S.5....T. /usr/libexec/hal.dev
S.5....T. /usr/libexec/hal.hotplug
S.5....T. /usr/bin/sfconvert
S.5....T. /usr/bin/sfinfo
S.5....T. /usr/bin/gpg-error
S.5....T. /usr/bin/esd
S.5....T. /usr/bin/esdcat
S.5....T. /usr/bin/esdctl
S.5....T. /usr/bin/esdfilt
S.5....T. /usr/bin/esdloop
S.5....T. /usr/bin/esdmon
S.5....T. /usr/bin/esdplay
S.5....T. /usr/bin/esdrec
S.5....T. /usr/bin/esdsample
S.5....T. /usr/bin/xmlcatalog
S.5....T. /usr/bin/xmllint
S.5....T. /usr/bin/gnome-open
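
An added example, not part of the original message: a small Python parser that decodes each 'rpm -Va' line using the flag letters documented in rpm(8) and groups paths by which attributes failed verification, so a single repeated pattern like the S.5....T. above can be read apart from mode or ownership changes. The sample input is constructed, and the example-* paths and the skip_config parameter are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Verify-flag letters as documented in rpm(8).
FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink target", "U": "owner", "G": "group",
    "T": "mtime", "P": "capabilities",
}
# Flags field, optional one-letter file attribute (c/d/g/l/r), absolute path.
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_line(line):
    """Return (changed_attributes, file_attr, path), or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    field, attr, path = m.groups()
    if field == "missing":
        return (("missing",), attr, path)
    changed = tuple(FLAGS[c] for c in field if c in FLAGS)
    if "?" in field:  # rpm could not run one of the tests
        changed += ("test not performed",)
    return (changed, attr, path)

def triage(output, skip_config=True):
    """Group paths by the attributes that differ from the RPM database."""
    groups = defaultdict(list)
    for line in output.splitlines():
        parsed = parse_line(line)
        if parsed is None or (skip_config and parsed[1] == "c"):
            continue  # config files are expected to change after local edits
        groups[parsed[0]].append(parsed[2])
    return dict(groups)

# Constructed sample: two lines taken from the post, three invented.
SAMPLE = """\
S.5....T. /usr/bin/chattr
S.5....T. /usr/libexec/gconfd-2
S.5....T. c /etc/example.conf
.M...UG.. /usr/bin/example-tool
missing   /usr/bin/example-gone
"""

if __name__ == "__main__":
    for changed, paths in triage(SAMPLE).items():
        print(f"{len(paths):3d}  {', '.join(changed)}")
        for p in paths:
            print(f"     {p}")
```

Grouping only shows which attributes differ from the RPM database; a digest mismatch in any group still means the file content is not what the package recorded.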