On Tue, Dec 17, 2002 at 09:06:39PM -0800, Rick Johnson wrote:
> That's where RPM comes in. As long as you're using its packages and
> haven't recompiled them yourself, the stored MD5sums within the database
> should be accurate.

Um...and as long as rpm hasn't been compromised...

> I'd be appalled if a worm was able to modify the rpm database too in
> order to bypass this method of verification.

Why? I'm very glad nobody with any skill seems to have seriously attacked this problem--I know I haven't looked at it--but with full sources available to the code that actually builds the RPM database, I see no reason why a tool couldn't be built that rebuilds the RPM database with values that match the rootkitted system's replaced files.

> Another good tool would be to run chkrootkit on the box. Check
> http://www.chkrootkit.org/ for more info.

Absolutely.

> Bottom line is which will take you more time? Replacing a few binaries
> verified changed and then patching your system, or reinstalling? The
> more experienced admin will probably opt for the former.

From experience--un-rootkitting takes between 90-120 minutes. Clearly the former.

Cheers,

--
Dave Ihnat
[EMAIL PROTECTED]

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
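The verification the thread discusses is `rpm -V`, which compares installed files against the MD5 sums, sizes, modes and owners recorded in the local RPM database. The parser below is an added example, not code from the thread; it triages `rpm -Va` output into the changes that matter (content or ownership of non-config files, or missing files) and the noise an admin expects (mtime-only changes, edited config files). The sample output is constructed, and the `Finding`, `parse_rpm_verify` and `suspicious` names are this example's own. As the mail points out, a clean result only proves the files match the local database, so treat it as a first pass and re-verify suspect packages against package files from trusted media (`rpm -Vp`).

```python
import re
from dataclasses import dataclass

# One letter per attribute in the flag column of `rpm -V` output: S size, M mode,
# 5 MD5 digest, D device, L symlink, U user, G group, T mtime (newer rpm releases
# add a ninth column, P, for capabilities). "." is unchanged, "?" means untestable.
FLAG_NAMES = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "caps"}

# flags, optional file-type marker (c=config, d=doc, g=ghost, l=license, r=readme), path
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/.*)$")

# Attributes a replaced binary cannot avoid changing; mtime alone is normal admin noise.
CONTENT_ATTRS = {"size", "md5", "mode", "owner", "group", "missing"}

@dataclass(frozen=True)
class Finding:
    path: str
    changed: frozenset   # names from FLAG_NAMES, or "missing"
    config: bool         # marked 'c' by rpm, so local edits are expected

def parse_rpm_verify(output: str) -> list:
    """Parse `rpm -Va` text into Findings; lines that do not match are skipped."""
    findings = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "missing":            # "missing   [c] /path"
            findings.append(Finding(tokens[-1], frozenset({"missing"}), "c" in tokens[1:-1]))
            continue
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        changed = frozenset(FLAG_NAMES[c] for c in m.group("flags") if c in FLAG_NAMES)
        findings.append(Finding(m.group("path"), changed, m.group("ftype") == "c"))
    return findings

def suspicious(findings: list) -> list:
    """Non-config files whose content or ownership differs from the database."""
    return [f for f in findings if not f.config and f.changed & CONTENT_ATTRS]

# Constructed sample of `rpm -Va` output (not captured from a real host).
SAMPLE_OUTPUT = """\
..5....T.    /bin/ls
S.5....T.    /bin/ps
.......T.    /usr/bin/vim
S.5....T.  c /etc/ssh/sshd_config
missing      /bin/netstat
"""
```

Running `suspicious(parse_rpm_verify(SAMPLE_OUTPUT))` on the sample flags `/bin/ls`, `/bin/ps` and `/bin/netstat` while ignoring the mtime-only `vim` and the edited config file.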