Well one way to check would be to do:

rpm -qa | awk '{ print "rpm --verify " $1}' | sh

This would essentially tell you which files differ from the original
installation. There will be lots of complaints. 

You could also try to:

rpm -qa | awk '{ print "rpm -- --force --nodeps " $1}' | sh

Which would reinstall all packages.

A reinstall would of course be the safest bet.

Regards

Erik


On Mon, 24 Apr 2000 you wrote:
> I woke up this morning to find this email in my system:
> 
> Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***
> Security Warning: Change in Suid Root files found :
>               - Added suid root files : /bin/mount
>               - Added suid root files : /bin/ping
>               - Added suid root files : /bin/su
>               - Added suid root files : /bin/umount
>               - Added suid root files : /sbin/dump
>               - Added suid root files : /sbin/pwdb_chkpwd
>               - Added suid root files : /sbin/restore
>               - Added suid root files : /usr/X11R6/bin/Xwrapper
>               - Added suid root files : /usr/bin/at
>               - Added suid root files : /usr/bin/chage
>               - Added suid root files : /usr/bin/chfn
>               - Added suid root files : /usr/bin/chsh
>               - Added suid root files : /usr/bin/crontab
>               - Added suid root files : /usr/bin/dos
>               - Added suid root files : /usr/bin/gpasswd
>               - Added suid root files : /usr/bin/lpq
>               - Added suid root files : /usr/bin/lpr
>               - Added suid root files : /usr/bin/lprm
>               - Added suid root files : /usr/bin/newgrp
>               - Added suid root files : /usr/bin/passwd
>               - Added suid root files : /usr/bin/procmail
>               - Added suid root files : /usr/bin/rcp
>               - Added suid root files : /usr/bin/rlogin
>               - Added suid root files : /usr/bin/rsh
>               - Added suid root files : /usr/bin/sperl5.6.0
>               - Added suid root files : /usr/bin/suidperl
>               - Added suid root files : /usr/bin/urpmi
>               - Added suid root files : /usr/lib/telnetd/login
>               - Added suid root files : /usr/libexec/pt_chown
>               - Added suid root files : /usr/sbin/sendmail
>               - Added suid root files : /usr/sbin/traceroute
>               - Added suid root files : /usr/sbin/userhelper
>               - Added suid root files : /usr/sbin/usernetctl
> 
> Security Warning: Changes in Suid Group files found :
>               - Added suid group files : /usr/sbin/sendmail
> 
> Security Warning: Change in World Writeable Files found :
>               - Removed writables files : /tmp/fileUcAjVM
> 
> Security Warning: the md5 checksum for one of your SUID files has changed,
>       maybe an intruder modified one of these suid binary in order to put in a
> backdoor...
>               - Checksum changed files : /usr/bin/suidperl
> 
> Security Warning: There is modifications for port listening on your machine :
>               -  Opened ports : tcp        0      0 *:6000                  *:*
> LISTEN      658/X
>               -  Opened ports : tcp        0      0 *:1024                  *:*
> LISTEN      651/kdm
>               -  Opened ports : tcp        0      0 *:10000                 *:*
> LISTEN      586/perl
>               -  Opened ports : tcp        0      0 *:www                   *:*
> LISTEN      520/httpd
>               -  Opened ports : udp        0      0 *:xdmcp                 *:*
> 651/kdm
>               -  Opened ports : udp        0      0 *:10000                 *:*
> 586/perl
>               - Closed ports  : tcp        0      0 *:www                   *:*
> LISTEN      3244/httpd
>               - Closed ports  : tcp        0      0 *:10000                 *:*
> LISTEN      1996/perl
>               - Closed ports  : tcp        0      0 *:6000                  *:*
> LISTEN      660/X
>               - Closed ports  : tcp        0      0 *:1024                  *:*
> LISTEN      653/kdm
>               - Closed ports  : udp        0      0 *:10000                 *:*
> 1996/perl
>               - Closed ports  : udp        0      0 *:xdmcp                 *:*
> 653/kdm
> 
> ...I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How
> do I prevent it from happening again?
> 
> ===========================================================================
> Andrew Vogel: Program Manager at the University of Cincinnati College of
> Pharmacy. Actor, director, dog (JRT) lover, Miata owner, & much, much more!
> My homepage: "http://www.drewvogel.com".         Play I-War, FF7PC, & BC3K!
> Official BC3K Tester.  Linux!                "The only way OUT is THROUGH."
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> dug: you da man! you da man!                "Drew Vogel is its own reward."
> ric: isn't "the man" the guy who's always bringing everyone down?
> dug: nope! 'cause YOU da man!!                  Email: [EMAIL PROTECTED]
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-- 
!!!!!!!!!!!! New email address please update your address book !!!!!!!!!!
Erik Kaffehr                [EMAIL PROTECTED] alt. [EMAIL PROTECTED]
Mariebergsvägen 53          +46 155 219338 (home)
S-611 66 Nyköping           +46 155 263515 (office)
Sweden                      -- Message sent using 100% recycled electrons --
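
Added example, not part of the original messages: the `rpm --verify` run suggested in the reply produces a lot of output, so this filter keeps only packaged non-config files whose digest, mode or ownership differs, or which are missing. The function names and the sample lines are constructed for illustration; paths containing spaces are not handled.

```shell
#!/bin/sh
# Triage rpm verify output read from stdin.
# Each line is "<flags> [c|d|g|l|r] <path>". In the flags column:
#   5 = file digest differs, M = mode differs (includes the setuid bit),
#   U / G = owner / group differs. "missing" replaces the flags when the
#   file is gone. Real use: rpm -Va | triage_rpm_verify
triage_rpm_verify() {
    awk '
    {
        flags = $1; path = $NF
        marker = (NF == 3) ? $2 : ""
        if (flags == "missing") { print "MISSING  " path; next }
        # Config, doc and ghost files change legitimately; skip them.
        if (marker == "c" || marker == "d" || marker == "g") next
        reason = ""
        if (index(flags, "5")) reason = reason "digest "
        if (index(flags, "M")) reason = reason "mode "
        if (index(flags, "U") || index(flags, "G")) reason = reason "owner "
        if (reason != "") {
            sub(/ $/, "", reason)
            print "CHANGED  " path "  (" reason ")"
        }
    }'
}

# Constructed sample of verify output (not taken from the poster's machine).
sample_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/inittab
..5....T.    /usr/bin/suidperl
.M.......    /bin/ping
.......T.    /usr/bin/at
missing      /usr/bin/lpq
S.5....T.  d /usr/share/doc/foo/README
EOF
}

sample_verify_output | triage_rpm_verify
```

A timestamp-only difference (`T`) is dropped as noise; a digest or mode change on a setuid binary is what deserves a comparison against the package from trusted media.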
