Boot off a known-good RH7.3 CD, choose the upgrade path, wait until it's mounted everything up but before it actually kicks off the upgrade, switch to the second virtual console (alt-f2), then run the rpm executable (off the CD) in this known-good environment, to go "rpm -Vp .../*.rpm" where ... is the path (will take some experimenting) to the pile o' rpms on the CD. Then eject and repeat for the remaining CDs. Then all you gotta do is check any software you added after the RH install; if you did it with rpms, and stored the binary rpms off that machine on some known-safe medium, then you can use the same trick; the above check should confirm that you don't have a rootkitted kernel or system libs or ... that would deceive a subsequent rpm run after rebooting normally.
For a full audit, you also need to check for non-rpm-installed stuff; list all the files on the system with find, list all the rpm-installed files with rpm -qla, sort each list, and use comm(1) to get the list of non-rpm-installed files; eyeball that, and if any of 'em are automatically executed by root (crontabs, initscripts, daemons, etc.) check them out and make sure they're legit.

-Bennett
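The find / rpm -qla / sort / comm audit described in the message, as an added example that is not part of the original post. The function names, the sample file lists and the set of "run by root" path patterns are assumptions made for illustration.

```shell
#!/bin/bash
# Added example. On the audited system the two lists would come from the
# commands the post names, e.g. (one possible invocation):
#   find / -xdev -type f -print > all.txt
#   rpm -qla > owned.txt

# Print files that are on disk but owned by no package.
# $1: file list from find, $2: file list from rpm -qla
unowned_files() (
    all=$(mktemp); owned=$(mktemp)
    # comm(1) requires both inputs sorted in the same collation order;
    # forcing the C locale keeps sort and comm in agreement.
    LC_ALL=C sort -u "$1" > "$all"
    LC_ALL=C sort -u "$2" > "$owned"
    LC_ALL=C comm -23 "$all" "$owned"    # lines only in the first list
    rm -f "$all" "$owned"
)

# Narrow stdin to locations root executes automatically (crontabs,
# initscripts, daemons). Assumed starting set of paths, not a complete list.
root_executed() {
    grep -E '^/(etc/(cron[^/]*|rc\.d|init\.d|xinetd\.d)|var/spool/cron|sbin|usr/sbin)(/|$)' || true
}

# Constructed sample lists (not real output), deliberately unsorted.
demo() (
    d=$(mktemp -d)
    printf '%s\n' /usr/sbin/sshd /etc/cron.d/sysstat /etc/cron.d/.update \
        /etc/rc.d/init.d/sshd /etc/rc.d/init.d/hdparm2 \
        /home/bob/notes.txt /bin/ls > "$d/all.txt"
    printf '%s\n' /usr/sbin/sshd /bin/ls /etc/rc.d/init.d/sshd \
        /etc/cron.d/sysstat > "$d/owned.txt"
    unowned_files "$d/all.txt" "$d/owned.txt" | root_executed
    rm -rf "$d"
)

demo
```

Files that survive both filters are the ones to inspect by hand first; the full `unowned_files` output still needs the eyeball pass the message describes.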