The Geek Diary

How to Check if any of the RPM files were tampered with

by admin

Question: In some scenarios it is suspected that files installed on the system from an RPM package have been altered, changed, or tampered with. For example, the system was hacked and an SSH binary was tampered with. How can we check whether such files have been changed since they were installed?

To check whether files installed on a system with rpm or yum have been altered since installation, use the following command:

# rpm -V [PACKAGE_NAME]

If any file belonging to the rpm has been altered since installation, it will be listed in the output of the above command. Each line starts with a set of flags indicating what has changed. The meaning of each flag is given in the table below:

Flag  Meaning
S     file Size differs
M     Mode differs (includes permissions and file type)
5     MD5 sum differs
D     Device major/minor number mismatch
L     readLink(2) path mismatch
U     User ownership differs
G     Group ownership differs
T     mTime differs

Example

1. There is a suspicion that the SSH server has been tampered with. So let's first find the rpm that provides the file:

# yum provides */sshd
openssh-server

So openssh-server is the rpm which provides the ssh binaries in the system.

2. Next, check for any alterations in the files provided by openssh-server rpm:

# rpm -V openssh-server

If any of the files has been tampered with, it will be listed in the output of the above command, similar to this:

S.5....T. /usr/sbin/sshd

The flags here mean that the SSH server binary has been tampered with:

S     file Size differs
5     MD5 sum differs
T     mTime differs

The file has a different size, MD5 checksum, and modification timestamp from the one distributed with the RPM.
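The following POSIX shell helper is an added example, not code from the article: it decodes the status column explained in the flag table above and triages a full "rpm -V" listing so that the line shown for /usr/sbin/sshd stands out from the usual noise. It assumes the 9-column status order S M 5 D L U G T P (the ninth column, P for capabilities, exists on newer rpm and is not in the article's table) and that file paths contain no whitespace. The sample listing in SAMPLE_VERIFY_OUTPUT is constructed for the demonstration, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the article): decode and triage "rpm -V" output.
# Status column order: S M 5 D L U G T P. "." means the test passed,
# "?" means the test could not be performed (e.g. unreadable file).
# Assumption: the ninth column P (capabilities) as on rpm >= 4.9.

decode_rpm_verify_flags() {
    # $1 is the status field, e.g. "S.5....T." -> "size digest mtime"
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        ch=${rest%"${rest#?}"}    # first character of $rest
        rest=${rest#?}            # drop that character
        case $ch in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;        # MD5 on old rpm, SHA-256 on newer ones
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
            *) ;;                          # "." or "?" carry no finding
        esac
    done
    printf '%s' "${out# }"
}

triage_rpm_verify() {
    # Reads "rpm -V" lines on stdin and prints one classified line each:
    #   MISSING  the packaged file is gone
    #   CONFIG   a %config file (attribute "c") changed, usually an admin edit
    #   SUSPECT  a non-config file whose content, mode, owner or link differs
    #   NOTE     only the mtime differs, which is often benign on its own
    # Assumption: paths contain no whitespace (rpm -V prints them unquoted).
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -f                         # no globbing while splitting the line
        set -- $line
        set +f
        status=$1
        attr=""
        [ "$#" -ge 3 ] && attr=$2      # optional file attribute column (c, d, g, ...)
        for path in "$@"; do :; done   # last field is the path
        if [ "$status" = "missing" ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        reasons=$(decode_rpm_verify_flags "$status")
        if [ "$attr" = "c" ]; then
            printf 'CONFIG  %s (%s)\n' "$path" "$reasons"
        else
            case $status in
                *[SM5DLUGP]*) printf 'SUSPECT %s (%s)\n' "$path" "$reasons" ;;
                *)            printf 'NOTE    %s (%s)\n' "$path" "$reasons" ;;
            esac
        fi
    done
}

# Constructed sample of "rpm -V openssh-server" output (not a real capture).
SAMPLE_VERIFY_OUTPUT='S.5....T.    /usr/sbin/sshd
.......T.    /usr/share/man/man8/sshd.8.gz
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/libexec/openssh/sftp-server
.M.......    /usr/libexec/openssh/ssh-keysign'

# On a live system: rpm -V openssh-server | triage_rpm_verify
printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | triage_rpm_verify
```

Two things to keep in mind when reading the result. An mtime-only line (NOTE) and an edited configuration file (CONFIG) are normal on most hosts, whereas a binary reported as SUSPECT with size and digest differences is exactly the case the article describes. Also, rpm -V trusts the rpm database and the rpm binary on the host it runs on; if the host is believed compromised, verify against the original package file from a trusted copy with `rpm -Vp <package.rpm>` (the placeholder stands for the file name you obtained), and run `rpm -Va` rather than checking one package only.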

3. Now reinstall the package using yum to restore the original distributed files from the repositories:

# yum reinstall openssh-server

In this particular example, the SSH server needs to be restarted afterwards.

# service sshd restart

For systemd-based distributions, use systemctl to restart the service:

# systemctl restart sshd

Filed Under: CentOS/RHEL, Linux

© 2022 · The Geek Diary