[CentOS] SSHD rootkit in the wild/compromise for CentOS 5/6?

Tue Feb 26 18:19:49 UTC 2013
Markus Falb <wnefal at gmail.com>

On 25.Feb.2013, at 23:24, Gelen James wrote:

> 'rpm -V' can be misleading if you take into account prelink, which runs from cron by default on Redhat/CentOS boxes. I've shown the steps for reversing the effect of prelink in the comments section at https://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229?storyid=15229. I'm afraid that 'rpm -V' alone will only produce big noises or false alarms.

rpm is prelink-aware. It does a prelink -y.
prelink -y will complain if a dependency has changed:

prelink: xxx: at least one of file's dependencies has changed since prelinking

This can happen after you updated stuff but did not run prelink yet.
Just run prelink again.

Unfortunately, running prelink does not catch all those "has changed since prelinking" messages.

If you have a binary that uses library X and you remove that binary so that nothing uses library X anymore, library X will not be prelinked again (if you use the -a parameter, as the default cronjob does). That's not a problem per se, but if you then go and update a dependency of library X, then prelink -y for library X will fail and therefore rpm -V will fail too.

Remove library X (it is not needed anyway), or unprelink library X manually, or reprelink library X manually.

Also see
https://bugzilla.redhat.com/show_bug.cgi?id=204448
-- 
Kind Regards, Markus