Question: In some cases there is a suspicion that files on the system have been modified or tampered with after being installed from an rpm.
For example, the system was compromised and the ssh binary was tampered with.
How can I check whether changes have been made to it compared with what was installed?
To check whether files installed on the system with rpm or yum have changed since installation, use the following command:
# rpm -V [PACKAGE_NAME]
If any file from the rpm has been modified since installation, it will be listed in the output of the above command. Each line starts with a field of flags, one character per attribute, indicating what changed (a dot means the attribute still matches). The meaning of each flag is shown in the table below:
| Flag | Meaning |
|---|---|
| S | File size differs |
| M | Mode differs (including permissions and file type) |
| 5 | MD5 (digest) checksum differs |
| D | Major/minor device number mismatch |
| L | readLink(2) path mismatch |
| U | User ownership differs |
| G | Group ownership differs |
| T | Modification time differs |
1. Suppose we suspect that the SSH server binary has been tampered with.
First find out which rpm the file is distributed in:
# yum provides */sshd
The result shows that openssh-server is the rpm that provides the sshd binary on our system.
2. Then check for changes in the files provided by the openssh-server rpm:
# rpm -V openssh-server
If any file has been modified, it will be listed in the output of the command above. Something like this:
The flags here mean that the SSH server binary has been modified: S (file size differs), 5 (MD5 checksum differs), T (modification time differs).
In other words, the file has a different size, MD5 checksum and modification timestamp than the one distributed with the RPM.
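To make the flag field easier to read when a package has many changed files, here is an added POSIX shell helper (not part of the original answer) that decodes `rpm -V` output lines into per-file change reports. The sample lines in the comments are constructed; the `verify_package` wrapper assumes `rpm` is installed.

```sh
#!/bin/sh
# Decode `rpm -V` output into human-readable per-file change reports.
# Each output line is a 9-column flag field (S M 5 D L U G T P), an optional
# attribute marker (c = config, d = doc, g = ghost, l = license, r = readme)
# and the path. '.' means the attribute matched, '?' means it could not be
# checked. Lines starting with "missing" mean the file has been deleted.
# Constructed sample input:  S.5....T.    /usr/sbin/sshd
# Produces:                  /usr/sbin/sshd: size digest mtime
decode_rpm_verify() {
    while IFS= read -r line; do
        case "$line" in
            "") continue ;;
            missing*) printf '%s: missing\n' "${line##* }"; continue ;;
        esac
        flags=${line%% *}   # first whitespace-separated field
        path=${line##* }    # last field (assumes paths without spaces)
        reasons=""
        i=1
        while [ "$i" -le "${#flags}" ]; do
            c=$(printf '%s' "$flags" | cut -c "$i")
            case "$c" in
                S) reasons="$reasons size" ;;
                M) reasons="$reasons mode" ;;
                5) reasons="$reasons digest" ;;
                D) reasons="$reasons device" ;;
                L) reasons="$reasons symlink" ;;
                U) reasons="$reasons user" ;;
                G) reasons="$reasons group" ;;
                T) reasons="$reasons mtime" ;;
                P) reasons="$reasons capabilities" ;;
                '?') reasons="$reasons unverifiable" ;;
            esac
            i=$((i + 1))
        done
        printf '%s:%s\n' "$path" "$reasons"
    done
}

# Convenience wrapper: decode the verification report for one package,
# e.g.  verify_package openssh-server
verify_package() {
    rpm -V "$1" | decode_rpm_verify
}
```

Note that `rpm -V` trusts the local rpm database, which an attacker with root could also alter; on a suspect host, also compare the files against a freshly downloaded package with `rpm -Vp <package.rpm>`.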
3. Now we can reinstall the package with yum to restore the original files from the repositories:
# yum reinstall openssh-server
After reinstalling, restart the SSH server so that the restored binary is the one running:
# service sshd restart
For systemd based distributions use systemctl to restart the service:
# systemctl restart sshd