[CentOS] I appear to be attacking others

Mon Feb 6 17:09:00 UTC 2006
Troy Engel <tengel at fluid.com>

Steve Bergman wrote:
> # rpm -e --nodeps procps
> # find / -name ps -ls
> # find / -name top -ls
> # yum install procps

Another neat trick is to let RPM help you find altered executables that it
knows about, in case the rootkit replaced some other things (again,
better to reinstall from scratch):

  rpm -Va

The first three characters are the most important to look at; they'll
tell you if the size/md5sum is off. Here's a quick cheatsheet pasted from
the man page:

  S file Size differs
  M Mode differs (includes permissions and file type)
  5 MD5 sum differs
  D Device major/minor number mismatch
  L readLink(2) path mismatch
  U User ownership differs
  G Group ownership differs
  T mTime differs

You'll see a lot of stuff; don't panic -- it's very common to get
changes listed in /etc/ and /usr/share/, among others. Pay keen
attention to anything in bin (/bin, /sbin, /usr/bin, /usr/sbin, etc.) as
they are the most likely targets.


Troy Engel | Systems Engineer
Fluid, Inc | http://www.fluid.com
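The triage rule Troy describes (look at the first three verify columns, ignore the routine /etc and /usr/share drift, worry about anything under a bin directory) can be turned into a small filter over `rpm -Va` output. The script below is an added example written for this archive page, not code from the original thread. The sample output it parses is constructed, the list of "bin" directories is an assumption, and the line regex accepts both the 8-column attribute string of older rpm and the 9-column one of newer releases. One caveat the post implies: `rpm -Va` trusts the `rpm` binary, its libraries and the RPM database, all of which a rootkit can alter, so a clean result is not proof of a clean system, which is why reinstalling is still the right answer.

```python
import re
import sys
from typing import List, NamedTuple

# Constructed sample of `rpm -Va` output (not captured from any real host).
# Attribute columns are S M 5 D L U G T (plus P on newer rpm); '.' means the
# attribute matched, '?' means it could not be checked. The optional letter
# before the path is the file type (c = config, d = documentation, ...).
# "missing" marks a file the package owns that is no longer on disk.
SAMPLE_RPM_VA = """\
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/procps-3.2.3/README
S.5.....    /bin/ps
SM5....T    /usr/bin/top
.M......    /usr/sbin/sshd
.......T  d /usr/share/man/man1/ps.1.gz
missing     /sbin/ifconfig
"""

# Assumed set of executable directories to scrutinise (the post names the first four).
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
            "/usr/local/bin/", "/usr/local/sbin/")

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)


class Finding(NamedTuple):
    path: str
    flags: str
    ftype: str
    suspicious: bool


def is_suspicious(flags: str, ftype: str, path: str) -> bool:
    """Apply the post's heuristic: size/mode/md5 changes on executables under
    a bin directory are the worrying ones; config and doc drift is normal."""
    in_bin = path.startswith(BIN_DIRS)
    if flags == "missing":
        return in_bin                      # a vanished system binary is worth a look
    if ftype in ("c", "d"):
        return False                       # config/doc files change legitimately
    if not in_bin:
        return False
    # Columns 0..2 are S (size), M (mode), 5 (md5sum): the "first three characters".
    return any(col != "." for col in flags[:3])


def parse_rpm_va(text: str) -> List[Finding]:
    """Parse raw `rpm -Va` output into Finding records, skipping unparseable lines."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        ftype = m.group("ftype") or ""
        path = m.group("path")
        findings.append(Finding(path, flags, ftype, is_suspicious(flags, ftype, path)))
    return findings


def suspicious_paths(text: str) -> List[str]:
    """Return only the paths that deserve attention, in output order."""
    return [f.path for f in parse_rpm_va(text) if f.suspicious]


if __name__ == "__main__":
    # Usage: rpm -Va | python rpm_va_triage.py   (falls back to the sample when no pipe)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RPM_VA
    for finding in parse_rpm_va(data):
        marker = "!!" if finding.suspicious else "  "
        print(f"{marker} {finding.flags:<9} {finding.ftype:1} {finding.path}")
```

On the constructed sample this flags /bin/ps, /usr/bin/top, /usr/sbin/sshd and the missing /sbin/ifconfig, while the sshd_config, README and man page changes are treated as the ordinary noise the post says not to panic about.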