Assuming your RPM database hasn't been modified by the hacker. :) If you
want to use RPM for this, you should:

    rpm -qa > file

Take this file to another CLEAN system (preferably new) and install all
the apps in this file from known sources (like your CD). (Simple script
to do this is left as an exercise for the reader).

Then copy your rpm database /usr/lib/rpm from this CLEAN system to the
"hacked" system, and then do a:

    rpm -VA

Realize that if the hacker did a rpm -e <package> and then compiled the
app, RPM won't check it since it's not in the rpm database anymore.

Also realize that there are kernel modules out there that will "hide"
changes so using RPM or things like Tripwire will *not* show modified
files. If you have reason to believe that someone would bother doing an
advanced crack like this, really your only choice is to re-install.

On Tue, 14 Dec 1999, [EMAIL PROTECTED] wrote:
>
> As root,
>
> rpm -Va
>
> This will tell you all of the files that have changed since installation.
>
> --
> Matt Galgoci
> Job title: export title=`dd if=/dev/random bs=24 count=1`
> echo $title
>
> On Mon, 13 Dec 1999, Steve wrote:
>
> > Could some one point me to some info on the ABC's of examining your system for
> > access violations? If there is such a resource.
> >
> > TIA
> > Steve
> >
> >
> > --
> > To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > as the Subject.
> >
>
>
--
Aaron Turner, Core Developer http://vodka.linuxkb.org/~aturner/
Linux Knowledge Base Organization http://linuxkb.org/
Because world domination requires quality open documentation.
aka: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
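
An added example, not part of the original thread: a small parser that sorts the output of the rpm verify run discussed above into files to examine first and files to review afterwards. It assumes rpm's documented verify line format (an attribute string, an optional file-type marker such as "c" for config, then the path); the split into "urgent" and "review" is an assumption of this example, and the sample lines are constructed.

```python
import re

# Meaning of each flag letter in the attribute column of rpm verify output.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
         "U": "owner", "G": "group", "T": "mtime", "P": "capabilities"}
# Attribute string (8 characters on old rpm, 9 on current), optional marker, path.
LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify(text):
    """Yield (path, failed_checks, marker) for each finding in verify output."""
    for line in text.splitlines():
        m = MISSING.match(line)
        if m:
            yield m.group(2), {"missing"}, m.group(1)
            continue
        m = LINE.match(line)
        if m:
            failed = {FLAGS[ch] for ch in m.group(1) if ch in FLAGS}
            yield m.group(3), failed, m.group(2)

def triage(text):
    """Return (urgent, review) lists of (path, sorted failed checks)."""
    urgent, review = [], []
    for path, failed, marker in parse_verify(text):
        content_changed = bool(failed & {"digest", "missing"})
        perms_changed = bool(failed & {"mode", "owner", "group"})
        # Config files change during normal administration: read them by hand.
        if (content_changed and marker != "c") or perms_changed:
            urgent.append((path, sorted(failed)))
        else:
            review.append((path, sorted(failed)))
    return urgent, review

# Constructed sample output, not taken from a real host.
SAMPLE = """\
S.5....T c /etc/inetd.conf
S.5....T   /bin/login
.M......   /usr/bin/passwd
.......T   /usr/lib/libfoo.so
missing    /sbin/ifconfig
"""

if __name__ == "__main__":
    urgent, review = triage(SAMPLE)
    for label, rows in (("CHECK FIRST", urgent), ("review", review)):
        for path, failed in rows:
            print(f"{label:12} {path}  ({', '.join(failed)})")
```

The result is only as trustworthy as the rpm database and binary that produced the output, which is the reason for bringing the database over from a clean system.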