File sizes and checksums changed, but not time stamps?
For the second time in a week, I have set up an unmanaged CentOS 5.5 Storm Server at StormOnDemand, only to discover a ton of unauthorized changes to binaries (updated file checksums and sizes) on the server shortly thereafter. The time stamps do NOT change.
If the time stamps did change, I would be hunting down a cron job that was doing some auto-updates. But the time stamps are not changing.
This leads me to believe that one of the following is happening on these servers:
1. A virus or hacker is compromising the box.
2. File system corruption.
3. Something else?
To eliminate the possibility of number 1, I toasted the first server and started over with a new server and enabled their firewall from the start to only allow access for two IPs via SSH... my IP and my biz partner's.
Then, one of the first things we installed was a system we created that maintains a snapshot of most directories on the system so that it can be used to watch the live directories for changes.
At 4:07am (server time) this morning, we received notice from this system that a massive number of files had changed in these directories. Again, no file time stamps changed.
So, my question is this... is there any legitimate reason in a fairly standard CentOS 5.5 install that would cause so many files to change?
Thanks,
Curtis
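A sketch of the kind of snapshot comparison described in the question, added here as an example; it is not part of the original post and is not the poster's own system. The function names and the sample file `tool.bin` are assumptions. It separates files whose content changed with a new mtime from files whose content changed while mtime stayed identical, and for the latter records whether ctime advanced.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to its size, mtime, ctime and SHA-256."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            st = os.stat(path)
            digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
            manifest[os.path.relpath(path, root)] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns, "sha256": digest}
    return manifest

def compare(old, new):
    """Return added/removed paths plus content changes, split by mtime behaviour."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": [], "mtime_preserved": []}
    for path in sorted(set(old) & set(new)):
        a, b = old[path], new[path]
        if a["sha256"] == b["sha256"]:
            continue
        if a["mtime_ns"] != b["mtime_ns"]:
            report["changed"].append(path)
            continue
        # Same mtime, different content: utime() cannot set ctime, so note if it moved.
        report["mtime_preserved"].append((path, b["ctime_ns"] > a["ctime_ns"]))
    return report

def demo():
    """Constructed sample: rewrite one file, then put its old mtime back."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root, "tool.bin")
        target.write_bytes(b"original contents")
        before = snapshot(root)
        target.write_bytes(b"rewritten, longer contents")
        mtime = before["tool.bin"]["mtime_ns"]
        os.utime(target, ns=(mtime, mtime))
        return compare(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```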