On Fri, Jul 07, 2006 at 05:29:40PM +0100, T. Horsnell wrote: > S.5....T messages (accompanied by sporadic bursts of prelink > activity but no error msgs - is this initiated by rpm if it thinks > there is a problem?). I wrote a little script to 'rpm -V' prelink changes files, altering their md5sums. rpm has to unprelink each binary in order to compute its original checksum. For this reason, since transparency/security is more important to us than the slight speed increase, we turn off prelink by default here at BU. > 2. almost all the entries with S.5... have a .T on the end, > and that those entries are in an rpm for which all entries > have a .T This suggests to me that there has been some sort > of package upgrade which is not being taken into account > during the verify. > > Looks like *something* is wrong, but quite what, I dont know. If the RPM database got corrupted, you could see this sort of problem. Something could have broken with prelink -- that would definitely cause it. Alternately, someone could have broken into your system and replaced the binaries. Or -- unlikely but possible -- you could have a virus. Did you try the suggestion of running chkrootkit? -- Matthew Miller mattdm@xxxxxxxxxx <http://mattdm.org/> Boston University Linux ------> <http://linux.bu.edu/>