[CentOS] I appear to be attacking others

Mon Feb 6 20:25:51 UTC 2006
Steve Bergman <steve at rueb.com>

On Mon, 2006-02-06 at 09:09 -0800, Troy Engel wrote:
> Another neat trick is let RPM help you find altered executables that it
> knows about, in case the rootkit replaced some other things (again,
> better to reinstall from scratch):
> 
>   rpm -Va

Well, that's certainly handy.

However, on my own personal system, with a relatively fresh install of
CentOS 4.2, with good passwords and updates applied within 24 hours of
issue, behind a hardware firewall with sshd being the only exposed
service, and that being tcpwrapper protected to only accept connections
from a few trusted machines, I get the output below from 'rpm -Va | grep
-e libexec -e '/bin/'.

Also, how do rpm -V and prelink interact?  Are the binaries in an rpm
already prelinked?



S.5....T.   /usr/bin/activation-client
S.5....T.   /usr/bin/bonobo-activation-run-query
S.5....T.   /usr/libexec/bonobo-activation-server
S.5....T.   /usr/bin/dbus-cleanup-sockets
S.5....T.   /usr/bin/dbus-daemon-1
S.5....T.   /usr/bin/dbus-send
S.5....T.   /usr/bin/fc-cache
S.5....T.   /usr/bin/fc-list
S.5....T.   /usr/bin/gconf-merge-tree
S.5....T.   /usr/bin/gconftool-2
S.5....T.   /usr/libexec/gconf-sanity-check-2
S.5....T.   /usr/libexec/gconfd-2
S.5....T.   /usr/libexec/gam_server
S.5....T.   /usr/bin/cjpeg
S.5....T.   /usr/bin/djpeg
S.5....T.   /usr/bin/jpegtran
S.5....T.   /usr/bin/rdjpgcom
S.5....T.   /usr/bin/wrjpgcom
S.5....T.   /usr/bin/alsalisp
S.5....T.   /usr/bin/aserver
S.5....T.   /usr/bin/gnomevfs-cat
S.5....T.   /usr/bin/gnomevfs-copy
S.5....T.   /usr/bin/gnomevfs-info
S.5....T.   /usr/bin/gnomevfs-ls
S.5....T.   /usr/bin/gnomevfs-mkdir
S.5....T.   /usr/bin/gnomevfs-rm
S.5....T.   /usr/libexec/gnome-vfs-daemon
S.5....T.   /usr/bin/chattr
S.5....T.   /usr/bin/lsattr
S.5....T.   /usr/bin/uuidgen
S.5....T.   /usr/bin/dbus-glib-tool
S.5....T.   /usr/bin/dbus-monitor
S.5....T.   /usr/bin/fax2ps
S.5....T.   /usr/bin/fax2tiff
S.5....T.   /usr/bin/gif2tiff
S.5....T.   /usr/bin/pal2rgb
S.5....T.   /usr/bin/ppm2tiff
S.5....T.   /usr/bin/ras2tiff
S.5....T.   /usr/bin/raw2tiff
S.5....T.   /usr/bin/rgb2ycbcr
S.5....T.   /usr/bin/thumbnail
S.5....T.   /usr/bin/tiff2bw
S.5....T.   /usr/bin/tiff2pdf
S.5....T.   /usr/bin/tiff2ps
S.5....T.   /usr/bin/tiff2rgba
S.5....T.   /usr/bin/tiffcmp
S.5....T.   /usr/bin/tiffcp
S.5....T.   /usr/bin/tiffdither
S.5....T.   /usr/bin/tiffdump
S.5....T.   /usr/bin/tiffinfo
S.5....T.   /usr/bin/tiffmedian
S.5....T.   /usr/bin/tiffset
S.5....T.   /usr/bin/tiffsplit
S.5....T.   /usr/libexec/evolution-data-server-1.0
S.5....T.   /usr/bin/xmlwf
S.5....T.   /usr/bin/hal-get-property
S.5....T.   /usr/bin/hal-set-property
S.5....T.   /usr/bin/lshal
S.5....T.   /usr/libexec/hal-hotplug-map
S.5....T.   /usr/libexec/hal.dev
S.5....T.   /usr/libexec/hal.hotplug
S.5....T.   /usr/bin/sfconvert
S.5....T.   /usr/bin/sfinfo
S.5....T.   /usr/bin/gpg-error
S.5....T.   /usr/bin/esd
S.5....T.   /usr/bin/esdcat
S.5....T.   /usr/bin/esdctl
S.5....T.   /usr/bin/esdfilt
S.5....T.   /usr/bin/esdloop
S.5....T.   /usr/bin/esdmon
S.5....T.   /usr/bin/esdplay
S.5....T.   /usr/bin/esdrec
S.5....T.   /usr/bin/esdsample
S.5....T.   /usr/bin/xmlcatalog
S.5....T.   /usr/bin/xmllint
S.5....T.   /usr/bin/gnome-open
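
As an added example (not part of the original post), this Python script decodes the attribute column of `rpm -V` output like the listing above and groups paths by which tests failed, so one repeated pattern stands out from one-off changes. The letter meanings follow rpm(8); the `example` paths are constructed sample input, and the "check first" rule is an assumption of this example.

```python
import re
import sys
from collections import defaultdict

# Attribute letters as documented in rpm(8); "?" means the test could not run.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
         "?": "not-checked"}
# attrs, optional marker (c=config, d=doc, g=ghost, l=license, r=readme), path
LINE = re.compile(r"^(?P<attrs>[A-Za-z0-9.?]{8,})\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")
MISSING = re.compile(r"^missing\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")

# First two lines are from the post; the rest are constructed for illustration.
SAMPLE = """\
S.5....T.   /usr/bin/chattr
S.5....T.   /usr/bin/lsattr
S.5....T. c /etc/example.conf
.M...UG..   /usr/bin/example-tool
missing     /usr/bin/example-missing
not an rpm -V line
"""

def parse_line(line):
    """Return (failed_tests, kind, path) for one rpm -V line, else None."""
    m = MISSING.match(line)
    if m:
        return frozenset({"missing"}), m.group("kind"), m.group("path")
    m = LINE.match(line)
    if not m:
        return None
    # Decode by letter, not position, so extra columns in other rpm versions pass through.
    failed = frozenset(FLAGS.get(c, c) for c in m.group("attrs") if c != ".")
    return failed, m.group("kind"), m.group("path")

def triage(lines):
    """Group paths by failed-test set and list the ones to check first."""
    groups, review = defaultdict(list), []
    for parsed in filter(None, map(parse_line, lines)):
        failed, kind, path = parsed
        groups[failed].append(path)
        # Assumption: marked files (config, doc, ...) may change; other content may not.
        content_changed = kind is None and failed & {"digest", "missing"}
        if content_changed or failed & {"mode", "user", "group", "capabilities"}:
            review.append(path)
    return dict(groups), review

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    groups, review = triage(source)
    for failed, paths in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(paths):5d}  {'+'.join(sorted(failed))}")
    print("check first:", *review, sep="\n  ")
```

Pipe real output in with `rpm -Va | python3` followed by the script's file name; run without a pipe, it processes the embedded sample.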