On Mon, 1 Jan 2001, Steven W. Orr wrote:
> I recommend running rpm -V on all files in all packages. Just to make sure
> that important things like ps weren't replaced with a version that
> supports hiding them.

  This will not help you if the replacements were installed with RPM.  I have
seen reports of that happening.

  Once again: If a system has been compromised, you cannot trust **ANYTHING**
on that system.  **ANYTHING**.  Whatever you are using to test the system may
have been subverted.  Did I mention you can't trust anything?  'cause you
can't.  :-)

  The only sure way to test for compromise is to use an offline copy of an IDS
with an offline copy of the IDS database, booted from an offline copy of your
system.  Anything normally available to the system is also available to an
attacker, and thus can be subverted to report nothing has changed.

-- 
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18   Fax: (978)499-7839
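The offline check described above, as an added example that is not part of the original message: a baseline of file hashes taken from a known-good system and kept off the box is compared against the suspect filesystem mounted read-only from rescue media, so neither the hashing tool nor the reference data comes from the machine under test. The SHA-256 hashing routine and the constructed sample tree (a tampered bin/ps and an unexpected extra file) are illustration assumptions, not any particular IDS's database format.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash one file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Hash every regular file under root.
    Run this on the known-good system and store the result on read-only media."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_offline(baseline, mount_point):
    """Compare the suspect filesystem (mounted read-only from rescue media)
    against the offline baseline; returns what changed, vanished or appeared."""
    current = build_baseline(mount_point)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }

def demo():
    """Constructed scenario: a clean tree for the baseline, then a copy in which
    bin/ps has been replaced and an extra binary dropped in (assumed sample data)."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        for root in (good, suspect):
            os.makedirs(os.path.join(root, "bin"))
            Path(root, "bin", "ls").write_bytes(b"clean ls binary")
            Path(root, "bin", "ps").write_bytes(b"clean ps binary")
        baseline = build_baseline(good)  # in practice: saved off-system before any incident
        Path(suspect, "bin", "ps").write_bytes(b"replaced ps binary")      # simulated tampering
        Path(suspect, "bin", "netstat").write_bytes(b"unexpected new file")  # simulated addition
        return verify_offline(baseline, suspect)

if __name__ == "__main__":
    print(demo())  # → {'modified': ['bin/ps'], 'missing': [], 'added': ['bin/netstat']}
```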

