[CentOS] Files being modified in /bin/

Mon Sep 26 13:20:07 UTC 2011
Micky L Martin <mickylmartin at gmail.com>

For the binary experts.

I have a situation here. Something hideously but continuously is modifying
the /bin/ executables as common as coreutils and net-tools.
I can verify that from md5sum. First thing I checked was 'ls' and it has a
checksum mismatch. So I removed it and reinstalled it. Then I moved the file
somewhere else to cross bisect it.

I did a hexdump on the original ls file and the modified file, and there were
some 700 additional lines of hex in the modified file.
Then I set a cron job to check and do md5sum on all system files, and after half
an hour I got a report back. Files modified.

This time when I checked the hex dumps of the newly and earlier modified files,
they were the same. Exactly the same!

rpm and rpmverify also seem to have been modified, so I cannot
trust 'rpm -V' package verification.

Already did lsof and process tracing but to no avail. Does anyone have any
idea how to find that culprit?


-Micky.
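The cron-driven checksum comparison described in this post, written out as a small script. This is an added example, not code from the post or from CentOS; it uses sha256sum instead of md5sum, records a baseline manifest once, and on each later run lists every file whose hash differs from the baseline or which has gone missing. The directory and manifest paths are assumptions, passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-and-compare
# integrity check of the kind the poster runs from cron.
#
# build_baseline DIR MANIFEST
#   Record the SHA-256 of every regular file under DIR into MANIFEST,
#   in sorted order so two manifests of the same tree can be diffed.
build_baseline() {
    dir=$1
    manifest=$2
    find "$dir" -type f -print0 | sort -z | xargs -0 sha256sum > "$manifest"
}

# check_baseline MANIFEST
#   Print one path per line for every entry whose current hash does not
#   match the manifest (or whose file can no longer be read). Prints
#   nothing when everything still matches.
check_baseline() {
    manifest=$1
    # --quiet: only failures are reported; stderr holds the summary line.
    sha256sum -c --quiet "$manifest" 2>/dev/null | sed -n 's/: FAILED.*//p'
}

# Typical use (paths are assumptions):
#   build_baseline /bin /root/bin.sha256   # once, on a known-good system
#   check_baseline /root/bin.sha256        # from cron; mail or log the output
```

The check is only as trustworthy as the tools that run it: sha256sum, find, sort, xargs and sed all live in the same /bin and /usr/bin that the post says are being rewritten, so the manifest should be kept on read-only or offline media and the comparison run from a trusted environment (a rescue disc or a clean host with the suspect disc mounted), otherwise a tampered hashing binary can simply report a match.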