On Wed, 2002-02-13 at 14:56, Anton Chuvakin wrote:
> Hmm, that was the point of my question, to some extent. How would an
> attacker (possessing the md5sums for valid packages and md5sums for hacked
> packages) go about updating the rpm database to pass the ? Are there any
> tools (in rootkits or elsewhere) to accomplish it?
well, why not just create new rootkit rpms? perhaps with the same version string even? then `rpm --force --nodeps -ivh` the package. anyone doing an `rpm -Va` would see everything as being fine, unless some tripwire-esque filesystem check was used.

-jon
-- 
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
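The reason `rpm -Va` is blind to a re-installed package is that it verifies files only against the metadata recorded in the rpm database, and a `--force` install of a trojaned package with the same version string rewrites that metadata to match the trojan. The "tripwire-esque" check Jon mentions is an integrity baseline kept independently of the package database. The script below is an added example of such a check, not code from the thread or from any tool it mentions. It hashes a set of paths (which, on a real host, you would take from `rpm -ql` on a known-good system), stores the baseline as JSON, and later reports every path that is missing, new, or changed in mode, owner, size or content. The `demo()` scenario is constructed: a fake `ls` in a temporary directory is baselined, then overwritten by a same-size, same-mode trojan, which is exactly the change a replacement rpm would leave behind and the rpm database would then consider correct.

```python
"""Tripwire-style file integrity baseline that does not trust the rpm database.

Added example (not from the original thread). Paths to watch are assumed to
come from a known-good source such as `rpm -ql <pkg>` on a clean host.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Iterable


def _file_record(path: str) -> Dict[str, object]:
    """Capture the attributes an attacker would have to reproduce exactly."""
    st = os.lstat(path)
    rec: Dict[str, object] = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISLNK(st.st_mode):
        rec["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(paths: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Record every existing path; the result should be stored off-host or read-only."""
    return {p: _file_record(p) for p in paths if os.path.lexists(p)}


def save_baseline(baseline: Dict[str, Dict[str, object]], dest: str) -> None:
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(src: str) -> Dict[str, Dict[str, object]]:
    with open(src) as f:
        return json.load(f)


def compare(baseline: Dict[str, Dict[str, object]],
            paths: Iterable[str]) -> Dict[str, str]:
    """Return {path: reason} for every path that differs from the baseline."""
    findings: Dict[str, str] = {}
    current = build_baseline(paths)
    for p, old in baseline.items():
        new = current.get(p)
        if new is None:
            findings[p] = "missing"
        elif new != old:
            changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
            findings[p] = "changed: " + ",".join(changed)
    for p in current:
        if p not in baseline:
            findings[p] = "new"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: baseline two fake binaries, then replace one with a
    trojan of identical size and mode, as a re-installed rootkit rpm would."""
    with tempfile.TemporaryDirectory() as root:
        ls = os.path.join(root, "ls")
        ps = os.path.join(root, "ps")
        original = b"#!/bin/sh\nexec /usr/bin/ls.real \"$@\"\n"
        for path, body in ((ls, original), (ps, original.replace(b"ls", b"ps"))):
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, 0o755)
        store = os.path.join(root, "baseline.json")
        save_baseline(build_baseline([ls, ps]), store)   # stand-in for off-host storage

        # "Attacker" swaps in a same-length trojan; mode, owner and size are unchanged,
        # so only the content hash can reveal it.
        with open(ls, "wb") as f:
            f.write(original.replace(b"ls.real", b"ls.evil"))
        os.chmod(ls, 0o755)

        findings = compare(load_baseline(store), [ls, ps])
        return {os.path.basename(k): v for k, v in findings.items()}


if __name__ == "__main__":
    for path, reason in demo().items():
        print(f"{path}: {reason}")
```

The baseline only helps if the attacker cannot rewrite it along with the files, so in practice it is taken before the host is exposed and kept on read-only or remote storage; a baseline stored writable on the same host is no better than the rpm database the replacement package just updated.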
