On Thu, Dec 18, 2008 at 08:48:12PM +0100, Guillermo Bernaldo de Quiros Maraver 
wrote:
| Hi again.
| 
| Well, reading the file $PORTSDIR/infrastructure/mk/bsd.port.mk, I can
| see that you can find out if a binary is compromised by:
| 
| cksum -b -a sha256 /usr/local/bin/program and see if this is equal to
| the +CONTENTS file, if not, then, the binary may be compromised (I
| think, but not sure).

So if I break into your machine, I have to remember "fixing" all the
+CONTENTS files for any local binaries I've changed ?

And you're going to check this with the tools that are already there ?
Maybe that's an easier solution then, I'll just let it ignore whatever
I have changed.


Seriously, if you suspect a machine has been compromised, take it
offline, create an image of the filesystems on the disk (making sure
never to write to the disk) for later analysis perhaps, but afterwards
*completely* wipe it, reinstall and restore from your backups.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
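As an added example (not code from either poster), the check Guillermo describes, done in Python against a simplified +CONTENTS-style packing list: a path line followed by an `@sha` line carrying the base64 SHA-256 digest, which is the same encoding `cksum -b -a sha256` prints. The format handling and the sample tree are constructed for this example; as Paul's reply points out, the result is only meaningful if the manifest and the interpreter come from a trusted, off-host copy rather than from the machine being examined.

```python
import base64
import hashlib
import os
import tempfile


def parse_packing_list(text):
    """Return {relative_path: base64_sha256} from +CONTENTS-style text.

    Assumed layout: a plain path line is followed by "@sha <base64>";
    other annotations (@name, @size, @cwd, ...) are skipped.
    """
    expected, current = {}, None
    for line in text.splitlines():
        if line.startswith("@sha ") and current is not None:
            expected[current] = line.split(None, 1)[1].strip()
        elif line and not line.startswith("@"):
            current = line.strip()
    return expected


def b64_sha256(path):
    """Base64 SHA-256 of a file, matching cksum -b -a sha256 output."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return base64.b64encode(h.digest()).decode()


def verify_tree(root, expected):
    """Map each manifest path to 'ok', 'modified' or 'missing'."""
    result = {}
    for rel, digest in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result[rel] = "missing"
        else:
            result[rel] = "ok" if b64_sha256(full) == digest else "modified"
    return result


def demo():
    """Constructed install tree: record digests, then tamper with one file."""
    root = tempfile.mkdtemp()
    files = {"bin/program": b"#!/bin/sh\necho hello\n",
             "man/man1/program.1": b".TH PROGRAM 1\n"}
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # Manifest as it would look on trusted media; "libexec/helper" is listed
    # but never installed, so it must be reported as missing.
    manifest = "@name program-1.0\n" + "".join(
        f"{rel}\n@sha {b64_sha256(os.path.join(root, rel))}\n@size {len(d)}\n"
        for rel, d in files.items()) + "libexec/helper\n@sha AAAA\n@size 1\n"
    with open(os.path.join(root, "bin/program"), "ab") as f:
        f.write(b"echo tampered\n")  # the change a verifier should catch
    return verify_tree(root, parse_packing_list(manifest))
```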