For the binary experts.

I have a situation here. Something is hideously but continuously modifying
the /bin/ executables, ones as common as coreutils and net-tools.
I can verify that with md5sum. The first thing I checked was 'ls', and it has a
checksum mismatch. So I removed it and reinstalled it. Then I moved the file
somewhere else to cross-bisect it.

I did a hexdump on the original ls file and the modified file, and there were
some 700 additional lines of hex code in the modified file.
Then I set a cron to check and do md5sum on all system files, and after half
an hour I got a report back. Files modified.

This time, when I checked the hex dumps of the newly and earlier modified files,
they were the same. Exactly the same!

Because rpm and rpmverify also seem to have been modified, I cannot
trust 'rpm -V' package verification.

I already did lsof and process tracing, but to no avail. Does anyone have any
idea how to find the culprit process?


-Micky.
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
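Two things a practitioner would reach for in the situation described above, as an added example that is not part of the original post or of rkhunter: a baseline-and-compare scan of file hashes (sha256sum rather than md5sum), and an auditd watch rule so that the kernel, not a possibly trojaned user-space tool, records which process writes to the watched directories. It assumes sha256sum, find, comm, sed, sort and mktemp are available and trusted (on a box where rpm itself has been altered, that means running them from read-only rescue media), and that auditd/auditctl are installed for the audit part. The directory paths, the key name `binmod` and the demo's file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from rkhunter.
# (1) baseline-and-compare of file hashes with sha256sum,
# (2) auditd watch rules so the kernel logs which process writes to the
#     watched directories.
# Assumes sha256sum, find, comm, sed, sort, mktemp; the rules assume
# auditd/auditctl on the host. Paths, the key name "binmod" and the demo's
# file contents are constructed for illustration.

# Record "sha256  path" for every regular file under DIR... into OUTFILE.
# Whole lines are sorted in the C locale so comm(1) can compare two scans.
# Usage: baseline_hashes OUTFILE DIR...
baseline_hashes() {
    out="$1"; shift
    find "$@" -xdev -type f -exec sha256sum {} + | LC_ALL=C sort > "$out"
}

# Rescan DIR... and print every path whose hash line differs from BASELINE
# (modified, added or removed). Returns 0 if nothing changed, 1 otherwise.
# Usage: compare_hashes BASELINE DIR...
compare_hashes() {
    base="$1"; shift
    cur=$(mktemp) || return 2
    baseline_hashes "$cur" "$@"
    # comm -3 keeps lines unique to either file; strip the hash (and the
    # tab comm prefixes to file-2 lines) to leave the path. A modified file
    # appears twice (old and new hash), so dedupe with sort -u.
    changed=$(LC_ALL=C comm -3 "$base" "$cur" \
        | sed 's/^[[:space:]]*[0-9a-f]\{64\}  //' | LC_ALL=C sort -u)
    rm -f "$cur"
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# Emit auditd watch rules for DIR...: log writes and attribute changes,
# tagged with KEY so "ausearch -k KEY" finds the records.
# Usage: audit_rules KEY DIR... > /etc/audit/rules.d/KEY.rules
audit_rules() {
    key="$1"; shift
    for d in "$@"; do
        printf '%s %s -p wa -k %s\n' '-w' "$d" "$key"
    done
}

# Constructed demonstration: a fake bin directory with two files; baseline
# it, then simulate a trojaned 'ls' and a dropped 'nc'. Prints the changed
# names space-separated, i.e. "ls nc".
demo() {
    d=$(mktemp -d) || return 2
    printf 'ls v1\n'  > "$d/ls"
    printf 'cat v1\n' > "$d/cat"
    baseline_hashes "$d.base" "$d"      # baseline kept outside the scanned tree
    printf 'ls v1 + injected code\n' > "$d/ls"   # simulated modification
    printf 'dropped file\n' > "$d/nc"            # simulated new file
    changed=$(compare_hashes "$d.base" "$d" | sed "s|^$d/||" | tr '\n' ' ')
    rm -rf "$d" "$d.base"
    printf '%s\n' "${changed% }"
}

# Stand-alone run: show the demo result and the rules that would be loaded.
demo
audit_rules binmod /bin /sbin /usr/bin /usr/sbin
```

To use the audit part on a real host, write the rules into a file under /etc/audit/rules.d/ and load them (`augenrules --load`, or `auditctl -R file` for a one-off), confirm with `auditctl -l`, then after the next change run `ausearch -k binmod -i`: the SYSCALL record names the pid, ppid, comm, exe and auid that performed the write. Because the watch is enforced by the kernel audit subsystem it still works when user-space tools such as lsof are trojaned, but not if a kernel-level rootkit is hiding the writer. rkhunter's own file properties test (`rkhunter --propupd` to store, `rkhunter --check` to compare) performs the same kind of hash comparison against its stored database.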
