Quote:
Originally Posted by Noway2
Alright, let's see if we can give you an example of what to look for.
First, I suggest you do a "yum search matahari". This will show you what packages are installed and contain the matahari binaries. Using your first one listed, matahari-dbus-hostd, it looks like this is contained in the matahari-host RPM. You can also find this by searching for "matahari-dbus-hostd" at the rpm.pbone site I referenced in my previous post.
As a second step, confirm that the package is installed:
Code:
yum list installed | grep -i matahari
This will show you which packages containing the word matahari are installed. This will also give you the exact revision and version information which you will need to manually verify it.
Third, run rpm -vV on this file. This will give you a listing of the files on your system as compared to the package. Expect configuration files to change, but the system binaries should not.
Fourth, manually obtain a copy of the binary in question and compare the time and date of the file versus that of the one on your system as well as the md5 and sha1sums.
Let's assume you are using matahari-host-0.4.4-12.el6_2.i686.rpm (which I don't think you are).
Using a mirror, download the RPM. Next you will need to extract the RPM. There is no direct way to do this, but you can use a tool called cpio to do this (link here). I show the command set in the example below. After you extract the file (btw, do this in someplace like a folder off of your home directory), compare the md5sum, sha1sum, and the file date and time. I have provided an example of doing this below. As you will notice, the example does NOT contain matching sums, a positive indicator that this is NOT the file you have installed. You will need to do this against the files that you do have installed. If you come up with non-matching results, you will want to investigate closer into what is happening in your system.
One good place to look is in your /var/log/yum.log. This will show you what happened recently and you can look for changes around the time of the alert.
Code:
wget http://mirror.teklinks.com/centos/6.2/updates/i386/Packages/matahari-host-0.4.4-12.el6_2.i686.rpm
rpm2cpio matahari-host-0.4.4-12.el6_2.i686.rpm | cpio -idmv
cd usr
cd sbin
ls -la
-rwxr-xr-x. 1 user user 13268 Apr 24 12:49 matahari-dbus-hostd
sha1sum matahari-dbus-hostd
b113a835363899653b56a7b7c52190772ea9a132 matahari-dbus-hostd
md5sum matahari-dbus-hostd
15a3d533cdf1576dea80c935aa19aec2 matahari-dbus-hostd
I think this is what caused the alerts. Something about prelinking. I don't even know what that does.
Prelinking /usr/lib/libssh2.so.1.0.1
Prelinking /usr/lib/libcurl.so.4.1.1
Prelinking /usr/bin/transmission-remote
Prelinking /usr/lib/libmcommon.so.1.0.0
Prelinking /usr/lib/libmhost.so.1.0.0
Prelinking /usr/sbin/matahari-dbus-hostd
Prelinking /usr/lib/libmservice.so.1.0.0
Prelinking /usr/bin/curl
Prelinking /usr/bin/mysqlshow
Prelinking /usr/lib/libmnetwork.so.1.0.0
Prelinking /usr/bin/mysqlbinlog
Prelinking /usr/bin/wget
Prelinking /usr/libexec/mysqlmanager
Prelinking /usr/bin/transmission-edit
Prelinking /usr/libexec/gpg2keys_curl
Prelinking /usr/bin/php
Prelinking /usr/bin/fipshmac
Prelinking /usr/bin/mysqladmin
Prelinking /usr/libexec/mysqld
Prelinking /usr/lib/mysql/libmysqlclient_r.so.16.0.0
Prelinking /usr/bin/mysql_upgrade
Prelinking /usr/libexec/gpg2keys_hkp
Prelinking /usr/bin/transmission-show
Prelinking /usr/bin/mysql
Prelinking /usr/lib/libmcommon_qmf.so.1.0.0
Prelinking /usr/bin/lynx
Prelinking /usr/sbin/matahari-dbus-serviced
Prelinking /usr/lib/libmsysconfig.so.1.0.0
Prelinking /usr/sbin/matahari-qmf-sysconfigd
Prelinking /usr/sbin/matahari-qmf-hostd
Prelinking /usr/sbin/matahari-brokerd
Prelinking /usr/sbin/matahari-qmf-networkd
Prelinking /usr/bin/mysqlslap
Prelinking /usr/bin/mysqlcheck
Prelinking /usr/bin/mysqldump
Prelinking /usr/bin/openssl
Prelinking /usr/sbin/matahari-qmf-serviced
Prelinking /usr/bin/transmission-cli
Prelinking /usr/bin/transmission-daemon
Prelinking /usr/bin/mysqlimport
Prelinking /usr/bin/transmission-create
Prelinking /usr/bin/mysqltest
Prelinking /usr/sbin/matahari-dbus-networkd
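
The manual sum comparison from the quoted post, cross-checked against a prelink log like the one in the reply, as an added example that is not part of either post: prelink rewrites binaries on disk, so a plain `sha1sum` of a prelinked file no longer matches the copy extracted from the RPM. The file names `pkg.sha1`, `prelink.log` and `installed.sha1`, the `CONSTRUCTED_SUM_*` values and the path `/usr/sbin/example-daemon` are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Classifies each installed file's sha1sum against the package copy.
# Usage: triage_sums PKG_SUMS PRELINK_LOG INSTALLED_SUMS
#   PKG_SUMS, INSTALLED_SUMS: sha1sum output, "<sum>  <path>"
#   PRELINK_LOG: lines of the form "Prelinking <path>"
triage_sums() {
    awk '
        NF < 2 { next }   # skip blank or malformed lines
        # Package copies are hashed relative to the extraction dir: ./usr/... -> /usr/...
        FILENAME == ARGV[1] { p = $2; sub(/^\./, "", p); pkg[p] = $1; next }
        FILENAME == ARGV[2] { if ($1 == "Prelinking") pre[$2] = 1; next }
        !($2 in pkg)            { print "NO-REFERENCE", $2; next }
        # Append "" to force string comparison; all-digit sums would compare as numbers.
        (pkg[$2] "") == ($1 "") { print "MATCH", $2; next }
        ($2 in pre)             { print "PRELINKED", $2; next }  # prelink rewrote the file
                                { print "MISMATCH", $2 }         # no prelink entry explains it
    ' "$1" "$2" "$3"
}

# Constructed sample data. Only the first package sum is the one quoted in the thread;
# CONSTRUCTED_SUM_* and /usr/sbin/example-daemon are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/pkg.sha1" <<'EOF'
b113a835363899653b56a7b7c52190772ea9a132  ./usr/sbin/matahari-dbus-hostd
CONSTRUCTED_SUM_B  ./usr/sbin/matahari-brokerd
CONSTRUCTED_SUM_C  ./usr/sbin/example-daemon
EOF
    cat > "$d/prelink.log" <<'EOF'
Prelinking /usr/sbin/matahari-dbus-hostd
Prelinking /usr/bin/curl
EOF
    cat > "$d/installed.sha1" <<'EOF'
CONSTRUCTED_SUM_X  /usr/sbin/matahari-dbus-hostd
CONSTRUCTED_SUM_B  /usr/sbin/matahari-brokerd
CONSTRUCTED_SUM_Y  /usr/sbin/example-daemon
EOF
    triage_sums "$d/pkg.sha1" "$d/prelink.log" "$d/installed.sha1"
    rm -rf "$d"
}

demo
```

A `PRELINKED` line means the plain sum comparison cannot decide either way; `prelink --verify --sha <file>` prints the SHA1 of the un-prelinked content, which is the value to compare against the package copy. A `MISMATCH` line is the case the quoted post says to investigate, starting with /var/log/yum.log.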