On Wed, 1 Nov 2000, Steven W. Orr wrote:
> I always thought that this was one of the beauties of rpm. If you thought
> you were hacked, all you need to do is to reinstall rpm a la
> 
> rpm -Uvh --force rpm-blahblah
> 
> and then run 
> 
> rpm -Va 
> 
> to see if any individual files are corrupted.

  Well, first, if RPM has been subverted, then it has likely been modified to
not allow you to replace the packages that have also been modified, including
RPM itself.

  Okay, so, let us say you boot from known-good media and use a known-good
copy of RPM on the RPM database on the system.

  Problem is, if the RPM database has been modified, then all the checksum
information in the database will likely match the tampered files on the
system.

  Even if you used that known-good environment to simply reinstall every RPM
on the system, that will not handle:

  - Modified configuration files (e.g., extra root account in /etc/passwd)
  - Files outside of the RPM database (e.g., an SUID-root copy of /bin/sh
    stored in some unexpected location)
  - Files with the ext2fs immutable bit set
  - Modifications to the boot sectors of your system
  - Modifications to the filesystem structure

  In short: RPM is a package manager.  It is not a substitute for a real IDS.

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
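As an added illustration (not part of the thread, and not RPM's own code), the script below sketches the kind of baseline integrity check that the reply says a package manager cannot stand in for. It records a SHA-256 digest, mode bits and size for every file under a tree, seals the baseline with an HMAC whose key lives off the host (so a tampered baseline is rejected rather than silently trusted, the same failure mode as a modified RPM database), and then reports files that were modified, added, removed, or newly setuid. The directory tree, the extra root account line and the hidden setuid shell are constructed in a temporary directory purely for the demonstration; the key and paths are assumptions, not values from the message.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record digest, permission bits and size for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope for this sketch
            rel = os.path.relpath(full, root)
            manifest[rel] = {
                "sha256": hash_file(full),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return manifest


def seal_manifest(manifest, key):
    """Serialise the baseline and tag it; the key must not be stored on the host."""
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def open_manifest(body, tag, key):
    """Reject a baseline whose tag does not verify before trusting any of its entries."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline tag mismatch: manifest may have been tampered with")
    return json.loads(body)


def compare(baseline, current):
    """Diff a fresh manifest against the sealed baseline."""
    findings = {"added": [], "removed": [], "modified": [], "setuid_new": []}
    for path, cur in current.items():
        base = baseline.get(path)
        was_setuid = bool(base and base["mode"] & stat.S_ISUID)
        if base is None:
            findings["added"].append(path)
        elif base != cur:
            findings["modified"].append(path)
        if cur["mode"] & stat.S_ISUID and not was_setuid:
            findings["setuid_new"].append(path)  # setuid bit that the baseline never had
    findings["removed"] = [p for p in baseline if p not in current]
    for key in findings:
        findings[key].sort()
    return findings


def demo():
    """Constructed scenario: seal a baseline, tamper with the tree, then re-check."""
    key = b"constructed-demo-key-kept-off-host"  # assumption: stored on removable media
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        body, tag = seal_manifest(build_manifest(root), key)

        # Tampering, constructed for the demo: an extra uid-0 account and a
        # setuid shell copy dropped somewhere no package owns.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("toor:x:0:0::/:/bin/sh\n")
        hidden = os.path.join(root, "tmp")
        os.makedirs(hidden)
        shell_copy = os.path.join(hidden, ".sh")
        with open(shell_copy, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(shell_copy, 0o4755)

        findings = compare(open_manifest(body, tag, key), build_manifest(root))

        # A baseline altered on-host (one byte changed) must be refused outright.
        try:
            open_manifest(body[:-1] + b" ", tag, key)
            baseline_rejected = False
        except ValueError:
            baseline_rejected = True
    return findings, baseline_rejected


if __name__ == "__main__":
    result, rejected = demo()
    print(json.dumps(result, indent=2))
    print("tampered baseline rejected:", rejected)
```

The baseline has to be built from a known-clean state and verified from known-good media, exactly as the reply describes for RPM; what the sealed manifest adds is coverage of configuration files and unowned files, and a tag that makes a modified baseline detectable instead of self-consistent. Boot sectors and filesystem metadata are still outside what a file-level walk can see.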

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************