Lewi <[EMAIL PROTECTED]> writes: > I just checking whereis passwd place from, when I run this > # whereis passwd > passwd: /bin/passwd /usr/bin/passwd /etc/passwd.OLD /etc/passwd >/usr/share/man/man1/passwd.1.gz > > then I checked > # rpm -qf /bin/passwd > file /bin/passwd is not owned by any package > > # rpm -ql passwd-0.64.1-4 > /etc/pam.d/passwd > /usr/bin/passwd > /usr/share/man/man1/passwd.1.gz > > so where /bin/passwd come from?? > I checked using whether maybe I can get something, > # string /bin/passwd > but I don't found any suspicious line > I attached in here, sory if too big, it just 3,5kb :) > I'm using rh7.1
It could be a link (hard or symbolic) to or a copy of /usr/bin/passwd. What do these tell you? ls -li /bin/passwd /usr/bin/passwd cmp /bin/passwd /usr/bin/passwd If you suspect you've been hacked, use: rpm -Va to verify all your installed RPMS. Expect changes to config files etc. but any changes to key binaries such as passwd, login, and ps are evidence that you've been hacked. -- tim writer <[EMAIL PROTECTED]> starnix inc. tollfree: 1-87-pro-linux thornhill, ontario, canada http://www.starnix.com professional linux services & products -- redhat-list mailing list unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe https://listman.redhat.com/mailman/listinfo/redhat-list