Originally Posted by Noway2
Alright, let's see if we can give you an example of what to look for.
First, I suggest you do a "yum search matahari". This will show you what packages are installed and contain the matahari binaries. Using your first one listed, matahari-dbus-hostd, it looks like this is contained in the matahari-host RPM. You can also find this by searching for "matahari-dbus-hostd" at the rpm.pbone site I referenced in my previous post.
As a second step, confirm that the package is installed:
yum list installed | grep -i matahari
This will show you which packages containing the word matahari are installed. This will also give you the exact revision and version information which you will need to manually verify it.
Third, run rpm -vV on this file. This will give you a listing of the files on your system as compared to the package. Expect configuration files to change, but the system binaries should not.
Fourth, manually obtain a copy of the binary in question and compare the time and date of the file versus that of the one on your system as well as the md5 and sha1sums.
Let's assume you are using matahari-host-0.4.4-12.el6_2.i686.rpm (which I don't think you are).
Using a mirror, download the RPM. Next you will need to extract the RPM. There is no direct way to do this, but you can use a tool called cpio to do this (link here). I show the command set in the example below. After you extract the file (btw, do this in someplace like a folder off of your home directory), compare the md5sum, sha1sum, and the file date and time. I have provided an example of doing this below. As you will notice, the example does NOT contain matching sums, a positive indicator that this is NOT the file you have installed. You will need to do this against the files that you do have installed. If you come up with non-matching results, you will want to investigate closer into what is happening in your system.
One good place to look is in your /var/log/yum.log. This will show you what happened recently and you can look for changes around the time of the alert.
rpm2cpio matahari-host-0.4.4-12.el6_2.i686.rpm | cpio -idmv
-rwxr-xr-x. 1 user user 13268 Apr 24 12:49 matahari-dbus-hostd
I think this is what caused the alerts. Something about prelinking; I don't even know what that does.
Prelinking /usr/lib/libssh2.so.1.0.1
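
An added example, not part of either post above: the fourth step of the quoted procedure as a shell function, with the prelink case handled. prelink rewrites ELF binaries and libraries in place, so a prelinked file does not hash like the copy inside the RPM; `prelink -y` (`--verify`) writes the original, un-prelinked bytes to stdout when the file is otherwise intact. The function name and return codes are assumptions of this sketch, and sha256sum is used in place of the md5sum/sha1sum pair mentioned in the quote.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# Compare a file extracted from a downloaded RPM with the installed copy.
# Returns: 0 identical, 2 identical once prelinking is undone,
#          1 differs (investigate), 3 a file is missing or temp file failed.

digest() { sha256sum < "$1" | cut -d' ' -f1; }

compare_to_package() {
    pkg_file=$1   # copy extracted with: rpm2cpio pkg.rpm | cpio -idmv
    sys_file=$2   # copy installed on the system
    if [ ! -f "$pkg_file" ] || [ ! -f "$sys_file" ]; then
        echo "MISSING $pkg_file or $sys_file"
        return 3
    fi

    want=$(digest "$pkg_file")
    have=$(digest "$sys_file")
    if [ "$want" = "$have" ]; then
        echo "MATCH $sys_file"
        return 0
    fi

    # Hashes differ. If prelink is present, hash the un-prelinked bytes.
    # prelink -y exits non-zero when the file is not a clean prelink of
    # its original, so its exit status is checked before the digest.
    if command -v prelink >/dev/null 2>&1; then
        tmp=$(mktemp) || return 3
        if prelink -y "$sys_file" > "$tmp" 2>/dev/null &&
           [ "$(digest "$tmp")" = "$want" ]; then
            rm -f "$tmp"
            echo "MATCH-AFTER-PRELINK-UNDO $sys_file"
            return 2
        fi
        rm -f "$tmp"
    fi

    echo "DIFFERS $sys_file (package $want, system $have)"
    return 1
}

# Run directly as: sh compare.sh ./usr/sbin/matahari-dbus-hostd /usr/sbin/matahari-dbus-hostd
if [ "$#" -eq 2 ]; then
    compare_to_package "$1" "$2"
fi
```

A return of 2 means the only difference from the packaged file is prelinking; a return of 1 is the case worth checking against /var/log/yum.log for a version change.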