Lewi <[EMAIL PROTECTED]> writes:
> I just checking whereis passwd place from, when I run this
> # whereis passwd
> passwd: /bin/passwd /usr/bin/passwd /etc/passwd.OLD /etc/passwd
>/usr/share/man/man1/passwd.1.gz
>
> then I checked
> # rpm -qf /bin/passwd
> file /bin/passwd is not owned by any package
>
> # rpm -ql passwd-0.64.1-4
> /etc/pam.d/passwd
> /usr/bin/passwd
> /usr/share/man/man1/passwd.1.gz
>
> so where /bin/passwd come from??
> I checked using whether maybe I can get something,
> # string /bin/passwd
> but I don't found any suspicious line
> I attached in here, sory if too big, it just 3,5kb :)
> I'm using rh7.1
It could be a link (hard or symbolic) to or a copy of /usr/bin/passwd.
What do these tell you?
ls -li /bin/passwd /usr/bin/passwd
cmp /bin/passwd /usr/bin/passwd
If you suspect you've been hacked, use:
rpm -Va
to verify all your installed RPMS. Expect changes to config files etc. but
any changes to key binaries such as passwd, login, and ps are evidence that
you've been hacked.
--
tim writer <[EMAIL PROTECTED]> starnix inc.
tollfree: 1-87-pro-linux thornhill, ontario, canada
http://www.starnix.com professional linux services & products
--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
