[CentOS] Files being modified in /bin/

Mon Sep 26 14:11:54 UTC 2011
m.roth at 5-cent.us <m.roth at 5-cent.us>

Jeremy Sanders wrote:
> Micky L Martin wrote:
>
>> Because rpm and rpmverify also seemed to have been modified so I cannot
>> trust 'rpm -V' package verification.
>>
>> Already did lsof and process tracing but to no avail. Does anyone have
>> any idea how to find that culprit?
>
> Are you sure it's not prelink that's modifying the files? You can google
> how to disable this.
>
> Boot from a CD to check the checksums or run rpm if you want a clean
> environment.

Don't really know about prelink, but I strongly agree with the last
suggestion: boot from a CD, or USB key, or something *other* than your
hard drive - your comments strongly suggest that you've been infected. You
*do* have backups of your configuration and data (and home directories,
etc)? If so, you might want to do a reinstall without formatting... and
then, and only then, rerun grub-install.

          mark
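
The clean-boot check suggested in this thread, as an added example that is not part of the original messages: a filter that triages `rpm -Va` output gathered from rescue media and separates digest mismatches on binaries from harmless timestamp-only changes. The mount point `/mnt/sysimage`, the helper names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. On the rescue system (installed disk assumed mounted at
# /mnt/sysimage) the input would be collected with:
#   rpm -Va --root /mnt/sysimage > /tmp/verify.txt
# flag_changed_binaries (hypothetical helper) then reads that output on stdin.

flag_changed_binaries() {
    awk '
        # Column 1: attribute flags (or the word "missing").
        # Optional column 2: file marker (c = config, d = doc, ...).
        # Last column: path (paths containing spaces are not handled).
        { flags = $1; path = $NF; marker = (NF == 3) ? $2 : "" }

        # Config files are expected to differ from the package; skip them.
        marker == "c" { next }

        # Only look at /bin, /sbin, /usr/bin and /usr/sbin.
        path !~ /^\/(usr\/)?s?bin\// { next }

        flags == "missing" { print "MISSING " path; next }

        # Third flag character "5" means the file digest no longer matches.
        substr(flags, 3, 1) == "5" { print "DIGEST " path }
    '
}

# Constructed sample of `rpm -Va` output, not taken from a real system.
sample_verify_output() {
    cat <<'EOF'
S.5....T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /bin/cp
missing      /usr/bin/rpmverify
..5......    /usr/sbin/sshd
.M.......    /var/log/example
EOF
}

sample_verify_output | flag_changed_binaries
```

The rpm database on the installed disk is as writable by an intruder as the binaries are, so a clean result here is weaker evidence than a comparison against packages taken from the install media.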