📦 How to check if any of the RPM files have been added or modified

Question: In some cases there is a suspicion that files installed from an rpm package have been modified or tampered with after installation.

For example, the system was compromised and the ssh binary was replaced.

How can I check whether a file has changed compared with what was installed?

To check whether the files that rpm or yum installed on the system have changed since installation, verify the package they belong to:

# rpm -V [PACKAGE_NAME]

Every file that differs from what the package recorded at install time is listed in the output, one file per line; a package with no changes produces no output at all. Each line begins with a nine-character field, one character per test: a letter marks a test that failed, a "." marks a test that passed, and a "?" marks a test that could not be performed (for example because the file could not be read). A file that is gone entirely is reported with the word "missing" instead of the flag field. The meaning of each flag letter is shown in the table below:

FLAG  MEANING
S     File size differs
M     Mode differs (includes permissions and file type)
5     Digest differs (MD5 on older rpm; on current rpm the digest recorded in the package, usually SHA-256)
D     Device major/minor number mismatch
L     readlink(2) path mismatch
U     User ownership differs
G     Group ownership differs
T     mtime differs

Newer rpm releases also report P when file capabilities differ. After the flag field, a single-letter attribute column may follow: "c" marks a configuration file and "d" a documentation file. Size, digest and mtime changes on a "c" file are usually just local edits, whereas the same flags on a binary deserve attention.

Example

1. There is a suspicion that the SSH server has been compromised.

So let's first find the rpm that distributes the file:

# yum provides */sshd
openssh-server

So openssh-server is the rpm that provides the sshd binary on our system.

2. Then check for changes in the files provided by the openssh-server rpm:

# rpm -V openssh-server

If any file has been modified, it is listed in the output of the command above. Something like this:

S.5....T. /usr/sbin/sshd

The flags here mean that the SSH server binary has been modified:

S  File size differs
5  Digest differs
T  mtime differs

This file has a different size, checksum and modification timestamp than the one distributed with the RPM. A changed digest on an executable is the strongest signal here: size and mtime alone can change for benign reasons, but the contents of a packaged binary should never differ from the package.

3. Now we can reinstall the package with yum to get the original files back from the repositories:

# yum reinstall openssh-server

Keep in mind what this does and does not do. rpm -V compares files against the local rpm database, which an attacker with root can rewrite along with the binary; a clean verdict therefore only means the database and the filesystem agree, and a verification against a freshly downloaded copy of the package, or from clean boot media, is more trustworthy. Reinstalling also restores only this package's files; it does not remove whatever put the tampered binary there, so a confirmed modification of sshd should be handled as a compromise of the host, not just of one package.

After reinstalling, restart the SSH server so that the restored binary is actually the one running:

# service sshd restart

On systemd-based distributions use systemctl to restart the service:

# systemctl restart sshd
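The three steps above are normally repeated for every package on a suspect host with rpm -Va, whose output runs to hundreds of lines on a real system. The script below is an added example, not part of the original page or of rpm itself: it decodes the nine-character flag field into readable reasons and assigns a severity, treating digest, mode, ownership, link-target and capability changes on a regular file as high, an edited config file (attribute "c") as expected, and mtime-only drift as low. The rpm -Va lines it parses are constructed for the example, not captured from a real host; the line layout follows rpm(8).

```shell
#!/bin/sh
# Added example, not from the original page: decode and triage `rpm -Va` output.
# Assumes the line layout documented in rpm(8): nine verify flags (or the word
# "missing"), an optional attribute column (c = config, d = documentation, ...),
# then the path. The sample below is constructed, not captured from a real host.

SAMPLE_RPM_VA='S.5....T.    /usr/sbin/sshd
.M.......    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
..5......    /usr/lib64/libcrypto.so.1.1
missing     /usr/bin/ls
.......T.  d /usr/share/doc/openssh/README
..?......    /usr/bin/sudo'

# decode_flags FLAGS: turn "S.5....T." into "size,digest,mtime".
decode_flags() {
  reasons=""
  case $1 in *S*) reasons="${reasons}size," ;; esac
  case $1 in *M*) reasons="${reasons}mode," ;; esac
  case $1 in *5*) reasons="${reasons}digest," ;; esac
  case $1 in *D*) reasons="${reasons}device," ;; esac
  case $1 in *L*) reasons="${reasons}symlink," ;; esac
  case $1 in *U*) reasons="${reasons}user," ;; esac
  case $1 in *G*) reasons="${reasons}group," ;; esac
  case $1 in *T*) reasons="${reasons}mtime," ;; esac
  case $1 in *P*) reasons="${reasons}capabilities," ;; esac
  case $1 in *\?*) reasons="${reasons}unreadable," ;; esac
  printf '%s' "${reasons%,}"
}

# triage: read rpm -V lines on stdin, print "<SEVERITY> <path> <reasons>".
triage() {
  while read -r flags attr path; do
    [ -z "$flags" ] && continue
    # Lines with no attribute column have only two fields.
    if [ -z "$path" ]; then path=$attr; attr=""; fi
    if [ "$flags" = missing ]; then
      printf 'HIGH %s missing\n' "$path"
      continue
    fi
    why=$(decode_flags "$flags")
    case $flags in
      *[M5DLUGP]*) sev=HIGH ;;    # content, mode, owner, link target or caps changed
      *S*|*\?*)    sev=MEDIUM ;;  # size changed without a digest verdict, or untestable
      *)           sev=LOW ;;     # only mtime moved
    esac
    # An edited config file (attr c) legitimately differs in size, digest and mtime.
    if [ "$attr" = c ]; then
      case $flags in *[MDLUGP]*) ;; *) sev=INFO ;; esac
    fi
    # Documentation (attr d) with only mtime touched is noise.
    [ "$attr" = d ] && [ "$sev" = LOW ] && sev=INFO
    printf '%s %s %s\n' "$sev" "$path" "$why"
  done
}

# triage_sample: run the triage over the constructed sample above.
triage_sample() { printf '%s\n' "$SAMPLE_RPM_VA" | triage; }

# On a real host the same function is fed live output:  rpm -Va | triage
triage_sample
```

Two practical notes. The package owning a known path can also be found with rpm -qf /usr/sbin/sshd, which is quicker than a yum provides search. And because the script, like rpm -V, trusts the local rpm database, a HIGH line on rpm, yum or the C library itself means the verifier may be lying; confirm with rpm -Vp against a package freshly downloaded from a trusted mirror before believing any clean result.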
