So apparently prelink was running. I disabled it in /etc/sysconfig/prelink and ran 'prelink -ua' to undo the linking. I just stumbled upon a document (attached) describing how Linux used to have a.out <http://en.wikipedia.org/wiki/A.out> and now the ELF. Though I never knew that prelink actually modifies the files and thought of it as a cache library or something. Literally modifies!! So, I assume the problem is solved as ls seems to have reverted back but if not then it may be an LKM kit :| On Mon, Sep 26, 2011 at 6:29 AM, Rob Kampen <rkampen at kampensonline.com>wrote: > Jeremy Sanders wrote: > >> Micky L Martin wrote: >> >> >> >>> Because rpm and rpmverify also seemed to have been modified so I cannot >>> trust 'rpm -V' package verification. >>> >>> Already did lsof and process tracing but to no avail. Does anyone have >>> any >>> idea how to find that culprit? >>> >>> >> >> Are you sure it's not prelink that's modifying the files? You can google >> how to disable this. >> >> > Any comments or thoughts from the list as to the benefit of prelink? > does the system performance change if this is disabled? > It causes issues with aide also. > > Boot from a CD to check the checksums or run rpm if you want a clean >> environment. >> >> Jeremy >> >> >> ______________________________**_________________ >> CentOS mailing list >> CentOS at centos.org >> http://lists.centos.org/**mailman/listinfo/centos<http://lists.centos.org/mailman/listinfo/centos> >> >> > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20110926/0c8a2232/attachment-0005.html>