How to Check if any of the RPM files were tampered with

by admin

Question: In some scenarios it is suspected that files installed on the system from an rpm package have been altered, changed, or tampered with. For example, the system was hacked and an ssh binary was tampered with. How can we check whether such files have changed since installation?

To verify whether files installed on a system by rpm or yum have been altered since installation, use the following command:

# rpm -V [PACKAGE_NAME]

If any file belonging to the rpm has been altered since installation, it is listed in the output of the above command. Each line starts with a set of flags indicating which attributes of the file changed. The meaning of each flag is given in the table below:

Flag   Meaning
S      file Size differs
M      Mode differs (includes permissions and file type)
5      MD5 sum differs
D      Device major/minor number mismatch
L      readLink(2) path mismatch
U      User ownership differs
G      Group ownership differs
T      mTime differs

Example

1. There is a suspicion that the SSH server has been tampered with. So let's first find the rpm that provides the file:

# yum provides */sshd
openssh-server

So openssh-server is the rpm that provides the SSH binaries on the system.

2. Next, check for any alterations in the files provided by the openssh-server rpm:

# rpm -V openssh-server

If any of the files were tampered with, they would be listed in the above command's output, similar to the following:

S.5....T. /usr/sbin/sshd

The flags here mean that the SSH server binary file has been tampered with:

S      file Size differs
5      MD5 sum differs
T      mTime differs

The file has a different size, MD5 checksum, and modification timestamp from the one distributed with the RPM.

3. Now we can reinstall the package using yum to get the originally distributed files back from the repositories:

# yum reinstall openssh-server

In this particular example the SSH server needs to be restarted afterwards:

# service sshd restart

For systemd-based distributions, use systemctl to restart the service:

# systemctl restart sshd
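As an added example (not from the original article), the following script decodes the flag column described in the table above and triages the output of rpm -V from step 2, so that a replaced binary stands out from a legitimately edited configuration file or a bare timestamp change. The sample verify lines are constructed and the function names are the example's own. It relies on two details of rpm -V output not shown above: rpm prints the word "missing" in place of the flags when a packaged file no longer exists, and it prints a file-type letter (c for a configuration file) between the flags and the path.

```shell
#!/bin/sh
# Added example, not from the original article: decode the attribute column of
# 'rpm -V' output and triage each reported file. The sample lines below are
# constructed; the function names are this example's own.

# Constructed sample of what 'rpm -V openssh-server' might print on a host where
# the sshd binary was replaced, the config was edited, and one file is gone.
SAMPLE_VERIFY_OUTPUT='S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/sbin/sshd-keygen
missing      /usr/libexec/openssh/sftp-server'

# Translate one attribute column such as "S.5....T." into words, one per flag.
decode_flags() {
    rest="$1"
    out=""
    while [ -n "$rest" ]; do
        c="${rest%"${rest#?}"}"   # first character of $rest
        rest="${rest#?}"          # drop that character
        case "$c" in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            .) ;;                            # attribute matched the package
            \?) out="$out unverifiable" ;;   # rpm could not run this test
            *) out="$out other($c)" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Classify one verify line. rpm -V prints the flags (or the word "missing"),
# an optional file-type letter (c = configuration file), then the path.
triage_verify_line() {
    set -f                  # no globbing while splitting on whitespace
    set -- $1               # paths containing spaces are not handled here
    set +f
    flags="$1"
    if [ $# -ge 3 ]; then ftype="$2"; path="$3"; else ftype=""; path="$2"; fi
    if [ "$flags" = "missing" ]; then
        printf 'MISSING %s\n' "$path"
        return 0
    fi
    reasons="$(decode_flags "$flags")"
    case "$flags" in
        *S*|*5*)
            # Size or digest differs: the contents are not what the package
            # shipped. Edited config files are expected; binaries are not.
            if [ "$ftype" = "c" ]; then
                printf 'CONFIG-CHANGED %s (%s)\n' "$path" "$reasons"
            else
                printf 'CONTENT-CHANGED %s (%s)\n' "$path" "$reasons"
            fi ;;
        *)  printf 'ATTR-CHANGED %s (%s)\n' "$path" "$reasons" ;;
    esac
}

# Read verify output on stdin and print one triage line per reported file.
triage_verify_output() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        triage_verify_line "$line"
    done
}

# Print how many non-config files on stdin have changed contents.
count_content_changes() {
    triage_verify_output | grep -c '^CONTENT-CHANGED' || :
}

# Live use on a CentOS/RHEL host: audit one package, or every package with -a.
audit_package() {
    rpm -V "$1" | triage_verify_output
}

# Stand-alone run: audit the package named on the command line, or, with no
# argument, triage the constructed sample output.
if [ -n "${1:-}" ]; then
    audit_package "$1"
else
    printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | triage_verify_output
fi
```

Run it as `./rpm_triage.sh openssh-server` to check one package, or `./rpm_triage.sh -a` to pass `-a` through to rpm -V and check every installed package. Keep in mind that rpm -V compares files against the local rpm database using the local rpm binary, and that it only covers files owned by packages; a clean result is therefore evidence, not proof, on a host that is already suspected of compromise, and the reinstall in step 3 should pull signed packages from a trusted repository.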
