Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread m . roth
Jeremy Sanders wrote: > Micky L Martin wrote: > >> No Jeremy, reformatting is nonsensical, like doing anything without >> finding cause of the problem is! >> You have to check out prelink if you still don't know about it, it can >> be something amazing or ridiculous. >> In my case, all evidence poi

Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Les Mikesell
On Mon, Sep 26, 2011 at 9:27 AM, Micky L Martin wrote: > No Jeremy, reformatting is nonsensical, like doing anything without finding > cause of the problem is! > You have to check out prelink if you still don't know about it, it can be > something amazing or ridiculous. > In my case, all evidence

Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Jeremy Sanders
Micky L Martin wrote: > No Jeremy, reformatting is nonsensical, like doing anything without > finding cause of the problem is! > You have to check out prelink if you still don't know about it, it can be > something amazing or ridiculous. > In my case, all evidence points to prelink! Think you got

Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Micky L Martin
No Jeremy, reformatting is nonsensical, like doing anything without finding cause of the problem is! You have to check out prelink if you still don't know about it, it can be something amazing or ridiculous. In my case, all evidence points to prelink! To the guys using prelink and having experien

Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread m . roth
Jeremy Sanders wrote: > Micky L Martin wrote: > >> Because rpm and rpmverify also seemed to have been modified so I cannot >> trust 'rpm -V' package verification. >> >> Already did lsof and process tracing but to no avail. Does anyone have >> any idea how to find that culprit? > > Are you sure it's

Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Micky L Martin
So apparently prelink was running. I disabled it in /etc/sysconfig/prelink and ran 'prelink -ua' to undo the linking. I just stumbled upon a document (attached) describing how Linux used to have a.out and now the ELF. Though I never knew that prelink actually

Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Rob Kampen
Jeremy Sanders wrote: Micky L Martin wrote: Because rpm and rpmverify also seemed to have been modified so I cannot trust 'rpm -V' package verification. Already did lsof and process tracing but to no avail. Does anyone have any idea how to find that culprit? Are you sure it's not pre

Re: [CentOS] Files being modified in /bin/

2011-09-26 Thread Jeremy Sanders
Micky L Martin wrote: > Because rpm and rpmverify also seemed to have been modified so I cannot > trust 'rpm -V' package verification. > > Already did lsof and process tracing but to no avail. Does anyone have any > idea how to find that culprit? Are you sure it's not prelink that's modifying th

[CentOS] Files being modified in /bin/

2011-09-26 Thread Micky L Martin
For the binary experts. I have a situation here. Something hideously but continuously is modifying the /bin/ executables as common as coreutils and net-tools. I can verify that from md5sum. First thing I checked was 'ls' and it has a checksum mismatch. So I removed it and reinstalled it. Then I mo