2012/4/24 Mike Sievers <[email protected]>:
> Hi,
>
> ossec version is 2.6
> md5sum: 5a8582fbad878819fdcc598d15902b57 /sbin/init
> (don't know yet if it is ok)
>
> Mike
>
>
> 2012/4/23 dan (ddp) <[email protected]>
>
>> What version of OSSEC?
>> Does the md5 or sha for /sbin/init match what it should?
>>
>> On Sun, Apr 22, 2012 at 8:41 AM, Mike Sievers
>> <[email protected]> wrote:
>> > Hi List,
>> >
>> > on my opensuse 12.1 I found:
>> > Trojaned version of file '/sbin/init' detected. Signature used: 'HOME'
>> > (Suckit rootkit).
>> > I hope this is false positive, isn't it?
>> > And some alerts like this:
>> > File '/dev/.sysconfig/network/config-lo' present on /dev. Possible
>> > hidden
>> > file.
>> >
>> > ???
>
>
How about checking with the package manager:

rpm -qf /sbin/init (what provides that package)
rpm --verify package-name

example from centos 6.2

[root@xxx ~]# rpm -qf /sbin/init
upstart-0.6.5-10.el6.x86_64
[root@xx ~]# rpm -V upstart

--
Eero
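
Added example (not part of the original thread): a shell helper that interprets the `rpm -V` output from the check suggested above for one file such as /sbin/init. The function names and the sample lines are constructed for illustration, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Classify one file from `rpm -V <package>` output.
# Each output line is "<flags> [c|d|g|l|r] <path>" or "missing ... <path>".
# The third flag character is '5' when the file digest differs from the
# RPM database and '?' when the digest could not be read.
# Assumption: the path contains no whitespace.

classify_verify() {
    # $1 = path to look up; rpm -V output is read from stdin
    awk -v target="$1" '
        $NF == target {
            if ($1 == "missing")              result = "missing"
            else if (substr($1, 3, 1) == "5") result = "content-changed"
            else if (substr($1, 3, 1) == "?") result = "unverifiable"
            else                              result = "metadata-only"
        }
        END { print (result == "" ? "clean" : result) }
    '
}

# Constructed sample output, not taken from the thread.
sample_modified='S.5....T.    /sbin/init
.......T.  c /etc/init/rcS.conf'
sample_metadata='.M.....T.    /sbin/init'
sample_missing='missing     /sbin/init'

check_init() {
    # Live check: find the owning package, then verify it.
    pkg=$(rpm -qf /sbin/init) || return 2
    rpm -V "$pkg" | classify_verify /sbin/init
}
```

A `clean` result only means the file matches the local RPM database, which is itself on the host under suspicion; comparing the digest against a known-good copy of the package from trusted media gives an independent answer.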
