Question: In some scenarios it is suspected that files installed on the system from an RPM package have been altered, changed, or tampered with. For example, the system was hacked and an SSH binary was tampered with. How can I check whether changes were made to it since installation?
To check whether files installed on the system by rpm or yum have been altered since installation, verify the package that owns them:
# rpm -V [PACKAGE_NAME]
Every file in the package whose current state differs from what the RPM database recorded at install time is listed in the output, one file per line. Each line starts with a nine-character string, one position per test: a letter means that test failed, a dot means it passed, and a question mark means the test could not be run (for example, because the file is unreadable). A file that no longer exists is reported as "missing" instead. The meaning of each letter is given in the table below:
| Flag | Meaning |
|---|---|
| S | file Size differs |
| M | Mode differs (includes permissions and file type) |
| 5 | file digest differs (MD5 on older rpm versions, SHA-256 on newer ones) |
| D | Device major/minor number mismatch |
| L | readLink(2) path mismatch |
| U | User ownership differs |
| G | Group ownership differs |
| T | mTime (modification time) differs |

A `c` between the flags and the path marks a configuration file; local edits to those are expected and are not by themselves a sign of tampering.
1. There is a suspicion that the SSH server has been tampered with, so first find the package that distributes the file:
# yum provides '*/sshd'
The output shows that openssh-server is the package that provides the sshd binary on the system. If the binary's path is already known, `rpm -qf /usr/sbin/sshd` answers the same question from the local RPM database.
2. Next, check for any alterations in the files provided by the openssh-server package:
# rpm -V openssh-server
If any file was tampered with, it is listed in the output. For the sshd binary the line would look like this:
S.5....T.    /usr/sbin/sshd
The flags here mean that the SSH server binary has been tampered with:
S file Size differs
5 file digest differs
T mTime differs
The file has a different size, digest, and modification timestamp from the one distributed in the RPM. A changed digest together with a changed size is the strong signal; a changed mtime on its own is much weaker evidence.
3. Reinstall the package with yum to get the original distributed files from the repositories:
# yum reinstall openssh-server
In this particular example the SSH server then needs to be restarted.
# service sshd restart
For systemd-based distributions use systemctl to restart the service:
# systemctl restart sshd
Two caveats apply on a host that is suspected to be compromised. `rpm -V` compares files against metadata stored in the local RPM database, which an attacker with root access can also modify, so a clean result is not proof of integrity. To verify against a known-good reference, fetch the package file from a trusted mirror and run `rpm -Vp openssh-server-<version>.rpm`, and check the package's signature with `rpm -K`. Reinstalling also only restores the files that belong to the package; it does nothing about files the intruder added elsewhere on the system.
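The three steps above can be wrapped in a small script that runs `rpm -V` and reduces its output to the lines worth looking at: non-config files whose size, digest, or mode changed, or that are missing. This is an added example, not code from the original article. The `SAMPLE_RPM_V_OUTPUT` lines are constructed for illustration (they were not captured from a real system), so the parsing function can be exercised without rpm installed; `verify_package` is the wrapper you would actually run on a host.

```shell
#!/bin/sh
# Added example: filter `rpm -V` output down to suspicious lines.
# Constructed sample output in the format rpm -V prints:
#   <9 flag chars or "missing">  [c|d|g|l|r]  <path>
SAMPLE_RPM_V_OUTPUT='S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/man/man8/sshd.8.gz
missing     /usr/libexec/openssh/sftp-server'

# Read rpm -V output on stdin and print each line where a file that the
# package does NOT mark as a config file ("c") is missing or has a changed
# size (S), digest (5), or mode (M). An mtime-only change (T) is not
# reported on its own, as it is weak evidence by itself.
# Returns 0 when nothing suspicious was found, 1 otherwise.
# Paths containing whitespace are not handled (rare in packaged files).
flag_tampered_files() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line                     # split on whitespace
        flags=$1
        if [ $# -ge 3 ]; then ftype=$2; else ftype=""; fi
        [ "$ftype" = "c" ] && continue   # local edits to config files are expected
        case "$flags" in
            missing|*S*|*5*|*M*)
                printf '%s\n' "$line"
                rc=1
                ;;
        esac
    done
    return $rc
}

# Verify an installed package against the local RPM database.
# Usage: verify_package openssh-server
verify_package() {
    rpm -V "$1" | flag_tampered_files
}

# Verify installed files against a package file fetched from a trusted
# mirror instead of the local database (see the caveat above).
# Usage: verify_against_package_file /tmp/openssh-server-<version>.rpm
verify_against_package_file() {
    rpm -K "$1" || return 2              # refuse an unsigned or corrupt package
    rpm -Vp "$1" | flag_tampered_files
}

# Stand-alone demonstration on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_RPM_V_OUTPUT" | flag_tampered_files
    echo "exit status: $?"
fi
```

With the sample input only `/usr/sbin/sshd` and the missing `sftp-server` are reported; the edited `sshd_config` is skipped because of its `c` marker, and the man page with only an mtime change is ignored. In practice, run `verify_package openssh-server` on the host and, if anything is reported or the host is untrusted, repeat with `verify_against_package_file` on a package downloaded from a trusted mirror.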