论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2010-05-18 11:15 |只看该作者 |倒序浏览

今天检查系统，发现以下文件在５月１２日被修改。

我用rpm -V -h检查，被修改的文件不包含这些文件。

我的系统是redhat 5.4，没有购买授权，不能在现更新。我也没有手动重新安装什么东西。

Changed File:/bin/grep
Changed File:/bin/rpm
Changed File:/etc/prelink.cache
Changed File:/lib64/security/pam_ccreds.so
Changed File:/usr/lib64/librpmdb-4.4.so
Changed File:/usr/lib64/librsvg-2.so.2.16.1
Changed File:/usr/lib64/librpmio-4.4.so
Changed File:/usr/lib64/libldap-2.3.so.0.2.31
Changed File:/usr/lib64/librpmbuild-4.4.so
Changed File:/usr/lib64/librpm-4.4.so
Changed File:/usr/lib64/libpcreposix.so.0.0.0
Changed File:/usr/lib64/libgsf-1.so.114.0.1
Changed File:/usr/lib64/libnewt.so.0.52.1
Changed File:/usr/libexec/gdmgreeter
Changed File:/usr/sbin/saslauthd
Changed File:/usr/sbin/ntsysv
Changed File:/usr/sbin/arpd
Changed File:/usr/sbin/cc_dump
Changed File:/usr/sbin/dbconverter-2
Changed File:/usr/sbin/cc_test
Changed File:/usr/sbin/setup
Changed File:/usr/sbin/pluginviewer
Changed File:/usr/sbin/saslpasswd2
Changed File:/usr/sbin/lokkit
Changed File:/usr/sbin/sasldblistusers2
Changed File:/usr/bin/rpm2cpio
Changed File:/usr/bin/bzip2
Changed File:/usr/bin/rsvg-view
Changed File:/usr/bin/pcregrep
Changed File:/usr/bin/gsf-office-thumbnailer
Changed File:/usr/bin/rsvg-convert
Changed File:/usr/bin/file
Changed File:/usr/bin/idn
Changed File:/usr/bin/whiptail
Changed File:/usr/bin/curl
Changed File:/usr/bin/jwhois
Changed File:/usr/bin/pcretest
Changed File:/usr/lib/rpm/rpmdb_printlog
Changed File:/usr/lib/rpm/rpmdb_upgrade
Changed File:/usr/lib/rpm/rpmdb_verify
Changed File:/usr/lib/rpm/rpmdb_svc
Changed File:/usr/lib/rpm/rpmdb_deadlock
Changed File:/usr/lib/rpm/rpmq
Changed File:/usr/lib/rpm/rpmdb_dump
Changed File:/usr/lib/rpm/rpmdb_recover
Changed File:/usr/lib/rpm/rpmi
Changed File:/usr/lib/rpm/rpmfile
Changed File:/usr/lib/rpm/rpmdb_archive
Changed File:/usr/lib/rpm/rpmd
Changed File:/usr/lib/rpm/rpmdb_load
Changed File:/usr/lib/rpm/rpmdb_stat
Changed File:/usr/lib/rpm/rpmk
Changed File:/usr/lib/rpm/rpmdb_checkpoint

[root@web2 bin]# ls -l --time=ctime /bin/grep
-rwxr-xr-x 1 root root 88896 05-12 04:02 /bin/grep
[root@web2 bin]# ls -l --time=ctime /bin/rpm
-rwxr-xr-x 1 root root 91680 05-12 04:02 /bin/rpm
[root@web2 bin]# ls -l --time=ctime /usr/lib64/librpmdb-4.4.so
-rwxr-xr-x 1 root root 1139576 05-12 04:02 /usr/lib64/librpmdb-4.4.so

求教各位达人，我是否中招，中了什么招？

文库|博客

ArayCQ

白手起家

论坛徽章:: 0

2楼 [报告]

发表于 2010-05-18 11:17 |只看该作者

补充，我用cron每天生成重要文件的md5码。通过对比md5码，我发现文件被修改

[root@web2 /]# grep /usr/lib64/librpmdb-4.4.so *.txt
md5_2010-05-06.txt:fce8a7f419ba379652fe0bb11427e565  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-11.txt:fce8a7f419ba379652fe0bb11427e565  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-12.txt:fce8a7f419ba379652fe0bb11427e565  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-13.txt:a642755fbfb88d6862cff02a2eede249  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-14.txt:a642755fbfb88d6862cff02a2eede249  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-15.txt:a642755fbfb88d6862cff02a2eede249  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-16.txt:a642755fbfb88d6862cff02a2eede249  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-17.txt:a642755fbfb88d6862cff02a2eede249  /usr/lib64/librpmdb-4.4.so
web2.yft_md5_2010-05-18.txt:a642755fbfb88d6862cff02a2eede249  /usr/lib64/librpmdb-4.4.so