The Geek Diary
How to Check if any of the RPM files were tampered with

by admin

Question: In some scenarios it is suspected that files installed from an RPM package have been altered, changed, or tampered with; for example, the system was hacked and an SSH binary was replaced. How can you check whether such files have changed since installation?

To verify whether files installed on a system with rpm or yum have been altered since installation, use the following command:

# rpm -V [PACKAGE_NAME]

If any of the files in the RPM have been altered since installation, they will be listed in the above command's output. Each line starts with a set of flags indicating what changed (a dot in a position means that attribute still matches the package). The meaning of each flag is given in the table below:

Flag   Meaning
S      file Size differs
M      Mode differs (includes permissions and file type)
5      MD5 sum differs
D      Device major/minor number mismatch
L      readLink(2) path mismatch
U      User ownership differs
G      Group ownership differs
T      mTime differs

Example

1. There is a suspicion that the SSH server has been tampered with, so first identify the RPM that distributes the file:

# yum provides */sshd
openssh-server

So openssh-server is the RPM that provides the SSH server binaries on the system.

2. Next, check for any alterations in the files provided by openssh-server rpm:

# rpm -V openssh-server

If any of the files were tampered with, they will be listed in the command output, similar to the following:

S.5....T. /usr/sbin/sshd

The flags here indicate that the SSH server binary file has been tampered with:

S      file Size differs
5      MD5 sum differs
T      mTime differs

The file has a different size, MD5 checksum, and modification timestamp from the one distributed with the RPM. Note that rpm -V compares the files against the metadata recorded in the local RPM database, which an intruder with root access could also have modified; for stronger assurance, verify against a freshly downloaded copy of the package with rpm -Vp PACKAGE.rpm, or run the check from trusted rescue media.
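The following script is an added example, not part of the original article: it decodes the flag string of each rpm -V line using the table above and ranks the lines so that a changed binary such as /usr/sbin/sshd stands out from routine config-file edits. The sample input is constructed, the P flag (file capabilities, checked by newer rpm versions) is included in addition to the page's table, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the page): decode and triage `rpm -V` output lines:
# 9-char attribute string ("." = matched), optional type marker (c=config,
# d=doc, g=ghost, l=license, r=readme), path; deleted files show "missing".
flag_meaning() {   # page's flag table, plus P (capabilities) from newer rpm
    case "$1" in
        S) echo "size differs" ;;
        M) echo "mode differs (permissions/file type)" ;;
        5) echo "digest (MD5/SHA) differs" ;;
        D) echo "device major/minor mismatch" ;;
        L) echo "readlink(2) path mismatch" ;;
        U) echo "user ownership differs" ;;
        G) echo "group ownership differs" ;;
        T) echo "mtime differs" ;;
        P) echo "capabilities differ" ;;
        *) return 1 ;;
    esac
}
# Expand e.g. "S.5....T." into "size differs, digest ..., mtime differs".
decode_flags() {
    out=""; rest="$1"
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"; rest="${rest#?}"   # peel off first char
        if [ "$c" != "." ]; then
            m=$(flag_meaning "$c") || continue
            out="${out:+$out, }$m"
        fi
    done
    echo "$out"
}
# Rank one line: digest/size/mode/owner changes on a non-config file are the
# strongest tamper signal; config files (type c) change legitimately -> LOW.
triage_line() {
    set -- $1
    if [ $# -eq 3 ]; then flags=$1; ftype=$2; path=$3; else flags=$1; ftype="-"; path=$2; fi
    if [ "$flags" = "missing" ]; then echo "HIGH   $path: file missing"; return; fi
    desc=$(decode_flags "$flags")
    if [ "$ftype" = "c" ]; then echo "LOW    $path: config file, $desc"; return; fi
    case "$flags" in
        *[SM5UGP]*) echo "HIGH   $path: $desc" ;;
        *)          echo "MEDIUM $path: $desc" ;;
    esac
}
# Constructed sample of `rpm -V openssh-server` output (not real host data);
# feed `rpm -Va` output through the same loop to triage the whole system.
SAMPLE='S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/man/man8/sshd.8.gz
missing     /usr/libexec/openssh/sftp-server'
printf '%s\n' "$SAMPLE" | while IFS= read -r line; do triage_line "$line"; done
```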

3. To restore the original distributed files from the repositories, reinstall the package using yum:

# yum reinstall openssh-server

In this particular example, the SSH server needs to be restarted afterwards:

# service sshd restart

For systemd-based distributions, use systemctl to restart the service:

# systemctl restart sshd

Filed Under: CentOS/RHEL, Linux

© 2023 · The Geek Diary