Jeremy Sanders wrote:
Micky L Martin wrote:
Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification.
Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit?
Are you sure it's not prelink that's modifying the files? You can google how to disable this.
Boot from a CD to check the checksums or run rpm if you want a clean environment.
Don't really know about prelink, but I strongly agree with the last suggestion: boot from a CD, or USB key, or something *other* than your hard drive - your comments strongly suggest that you've been infected. You *do* have backups of your configuration and data (and home directories, etc)? If so, you might want to do a reinstall without formatting... and then, and only then, rerun grub-install.
mark