On Tue, 12 Feb 2002, Anton Chuvakin wrote:

> Do you know any of the RPM-aware rootkits for Linux which will not be
> detected by "rpm --verify"? I would prefer a direct edit of /var/lib/rpm
> rather than a trojaned rpm binary, but what the heck - whatever will do.
All rootkits that are stealth - i.e. modify the kernel or libraries to return the original contents on open() but new contents on exec*() - are automatically "RPM-aware". No reason to trust this mechanism more than any other (tripwire or such).

-- 
_____________________________________________________
Michal Zalewski [[EMAIL PROTECTED]] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
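An added defender's check, not part of this thread: the reply's point is that a stealth rootkit must keep two views apart, the original bytes handed to open() (which is all rpm --verify and tripwire ever read) and the replaced bytes handed to exec(). The script below, written for this page and assuming a Linux host with /proc, compares the executable mappings of a running process against the bytes of the files they were loaded from, so a divergence between the exec() view and the open() view shows up as a mismatch.

```python
import os

def executable_mappings(pid="self"):
    """Yield (start, end, file_offset, path) for every file-backed executable
    mapping of the process, parsed from /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue                      # anonymous mapping, no backing file
            addr, perms, offset, _dev, _inode, path = fields
            path = path.strip()
            if "x" not in perms or not path.startswith("/"):
                continue                      # skip [vdso], [stack] and data segments
            if not os.path.isfile(path):
                continue                      # deleted/replaced file, nothing to compare
            start, end = (int(x, 16) for x in addr.split("-"))
            yield start, end, int(offset, 16), path

def find_text_mismatches(pid="self"):
    """Compare what was exec()'d (the process image, read via /proc/<pid>/mem)
    with what open() returns (the file on disk). Returns a list of
    (path, file_offset) giving the first differing byte of each executable
    mapping; an empty list means both views agree for this process."""
    mismatches = []
    mem_fd = os.open(f"/proc/{pid}/mem", os.O_RDONLY)
    try:
        for start, end, offset, path in executable_mappings(pid):
            with open(path, "rb") as f:
                f.seek(offset)
                disk = f.read(end - start)    # shorter than the mapping near EOF
            if not disk:
                continue
            memory = os.pread(mem_fd, len(disk), start)
            if memory != disk:
                first = next((i for i, (m, d) in enumerate(zip(memory, disk)) if m != d),
                             min(len(memory), len(disk)))
                mismatches.append((path, offset + first))
    finally:
        os.close(mem_fd)
    return mismatches

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "self"   # a pid, or "self"
    for path, off in find_text_mismatches(target):
        print(f"MISMATCH {path} at file offset {off:#x}")
    print("done")
```

Point it at a suspect pid (reading another process's memory needs ptrace rights over it) or run it as-is to check the interpreter itself. It still trusts the kernel's answers for /proc, so a kernel-resident rootkit can defeat it just as it defeats rpm --verify, and an offline comparison from trusted media remains the stronger verification.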