On Wed, Nov 4, 2009 at 4:56 PM, Michael ODonnell
<michael.odonn...@comcast.net> wrote:
> ...so that system seems to have suffered disk corruption or compromise ...

  Certainly some kind of corruption or compromise.  There are other
kinds of corruption beyond a bad disk, though.  Logical corruption in
the filesystem doesn't need to be due to a bad disk, for example.
Although your symptoms don't seem to indicate that.

  Do these various "corrupt" binaries actually seem to work?

  I'm wondering if, somehow, an RPM transaction didn't commit
properly.  Maybe RPM thinks it updated the binaries, and so updated
the database, but the binaries are still old.  Or maybe RPM updated
the binaries but failed to update the database.  In the past, RPM went
to great lengths to prevent that from happening, and it usually
succeeded.  But I think some kind of software rot has set in against
those features, because they don't seem to work as well as they used
to.  I know I've aborted yum in the past and had it leave the system
in an inconsistent state (!!).

  If you suspect that might be it, one way to "fix" it might be to
reinstall every package on the system.  I believe the following would
do that:

        yum reinstall $( rpm -qa --qf '%{name}\n' )

  Note that I haven't ever tried or tested that.  :)

> I'm assuming the former given the large number of affected files ...

  Not just the number, but the pattern.  Lots of those have nothing to
do with any of the usual things attackers are interested in.  They
like to do things like modify rm and ls and passwd and such to hide
their tracks and/or prevent you from kicking them off.  Your list
looks far too non-selective for it to be that.

  I suppose if it was a traditional computer virus that would also
explain it, but viruses are really out of vogue these days.  It's all
worms, rootkits, and trojans.

-- Ben
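
The pattern test described in the message above (are the changed files the usual track-hiding binaries, or an unselective spread?), as an added example that is not part of the original message. It assumes the list of affected files came from `rpm -Va`; the sample output is constructed, and `WATCH` holds only the binaries the message names.

```bash
#!/usr/bin/env bash
# Added example. WATCH lists only the binaries named in the message above;
# extend it for your own environment.
WATCH="rm ls passwd"

# Constructed sample of `rpm -Va` output (not taken from the affected system).
sample_rpm_va() {
  cat <<'EOF'
S.5....T.    /usr/bin/gcalctool
S.5....T.    /usr/lib/libvorbis.so.0.4.3
..5....T.    /bin/ls
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/xeyes
missing      /usr/share/doc/foo/README
SM5....T.    /usr/bin/eog
EOF
}

# Reads `rpm -Va` lines on stdin; prints "changed=N watched=M missing=K".
# Paths containing spaces are not handled.
triage_rpm_verify() {
  awk -v watch="$WATCH" '
    BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) hot[w[i]] = 1 }
    $1 == "missing" { missing++; next }
    {
      marker = (NF >= 3) ? $2 : ""
      if (marker ~ /^[cdg]$/) next          # config/doc/ghost files may change legitimately
      if (substr($1, 3, 1) != "5") next     # third flag "5" = digest differs from RPM database
      changed++
      k = split($NF, parts, "/"); base = parts[k]
      if (base in hot) watched++
    }
    END { printf "changed=%d watched=%d missing=%d\n", changed, watched, missing }
  '
}

sample_rpm_va | triage_rpm_verify   # changed=4 watched=1 missing=1
```

On a live system, feed it `rpm -Va 2>/dev/null | triage_rpm_verify`, ideally using an rpm binary and database copy from trusted media, since both live on the suspect system.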