-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chad Skinner wrote:
| I don't know about the RHCE, but I personally don't know the MD5sums or
| filesizes for every binary on my system. Seems common knowledge, or at least
| a common answer on the list, that rebuilding a compromised box is the safest
| method to ensure that all replaced binaries are restored.

That's where RPM comes in. As long as you're using its packages and haven't
recompiled them yourself, the stored MD5sums within the database should be
accurate. Man RPM and look at the --verify/-V switch. Example:

rpm -V rpm
rpm -V fileutils
rpm -V e2fsprogs

might be the first step I'd take. It will notify you if the following has
changed:

File Size
Mode (includes permissions and file type)
MD5 sum
Device major/minor number mismatch
readLink(2) path mismatch
User ownership
Group ownership
mtime

I'd be appalled if a worm was able to modify the rpm database too in order to
bypass this method of verification. Another good tool would be to run
chkrootkit on the box. Check http://www.chkrootkit.org/ for more info.

| This is a lack of knowledge question, but why would you assume chattr has
| been replaced and not rm?

Good question - it could be either. Either chattr has been replaced with a
binary equivalent of /bin/true (for example), or rm has been modified (or
neither - and it's something entirely different). Bottom line is which will
take you more time? Replacing a few binaries verified changed and then
patching your system, or reinstalling? The more experienced admin will
probably opt for the former.

- -Rick

- --
Rick Johnson, RHCE - [EMAIL PROTECTED]
Linux/WAN Administrator - Medata, Inc. (from home)
PGP Key: https://mail.medata.com/pgp/rjohnson.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Signed/Encrpyted for your protection

iD8DBQE+AAJfIgQdhlSHZgMRAjWIAKCalA10f+r86chyrvJoxTHiRV3WaQCgkx7R
MjMZEDk7YxtRBtqCE/PLnvc=
=IK0d
-----END PGP SIGNATURE-----

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
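The `rpm -V` check Rick describes prints one line per file that fails verification: a fixed-width column of attribute flags in the order S M 5 D L U G T (size, mode, digest, device, readlink, user, group, mtime; newer rpm adds a ninth P for capabilities), an optional file-type marker (`c` config, `d` doc, and so on), and the path, or the word `missing` when the file is gone. The script below is an added example, not part of the post or of rpm itself: it parses that output into the attribute list from the message and separates the entries an admin should actually worry about (deleted files, or non-config files whose contents or metadata changed) from expected noise such as edited config files or a bare mtime change on documentation. The sample output is constructed for illustration; `verify_packages` is an added helper that shells out to a real `rpm -V` when one is available.

```python
"""Parse `rpm -V` output and pick out the files worth a closer look.

Added example; the constructed SAMPLE_OUTPUT is not real verification data.
"""
import re
import subprocess

# Column letter -> what rpm is reporting, in the order the columns appear.
# Older rpm prints 8 columns; newer versions add 'P' (capabilities) as a 9th.
FLAG_MEANING = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "MD5/digest differs",
    "D": "device major/minor number mismatch",
    "L": "readLink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}
FLAG_ORDER = "SM5DLUGTP"
CONTENT_FLAGS = set("SM5DLUG")   # everything except mtime/capabilities
FILE_TYPES = set("cdglr")        # c=config d=doc g=ghost l=license r=readme

# Constructed sample of `rpm -V` output (not captured from a real system).
SAMPLE_OUTPUT = """\
S.5....T.    /bin/rm
.M.......  c /etc/ld.so.conf
missing      /usr/bin/chattr
.......T.  d /usr/share/doc/fileutils/README
..?......    /usr/bin/unreadable
"""

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>\S.*)$"
)


def parse_rpm_verify(text):
    """Turn `rpm -V` output into a list of dicts, one per reported file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("missing"):
            # "missing   [type] /path": the packaged file no longer exists.
            rest = line[len("missing"):].strip()
            ftype = ""
            if len(rest) > 2 and rest[0] in FILE_TYPES and rest[1].isspace():
                ftype, rest = rest[0], rest[1:].strip()
            entries.append({"path": rest, "ftype": ftype, "missing": True,
                            "flags": "", "changed": [], "unknown": []})
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rpm -V line: {raw!r}")
        flags = m.group("flags")
        # A '?' means rpm could not perform that test (e.g. unreadable file).
        unknown = [FLAG_ORDER[i] for i, c in enumerate(flags) if c == "?"]
        changed = [FLAG_MEANING[c] for c in flags if c in FLAG_MEANING]
        entries.append({"path": m.group("path"), "ftype": m.group("ftype") or "",
                        "missing": False, "flags": flags,
                        "changed": changed, "unknown": unknown})
    return entries


def suspicious_files(entries):
    """Paths worth investigating: missing files, or non-config files whose
    size/mode/digest/device/link/owner changed. A lone mtime change, or an
    edited config file, is normal and is left out."""
    out = []
    for e in entries:
        if e["missing"]:
            out.append(e["path"])
        elif e["ftype"] != "c" and any(c in CONTENT_FLAGS for c in e["flags"]):
            out.append(e["path"])
    return out


def verify_packages(packages):
    """Run `rpm -V` on the named packages (needs rpm installed) and parse it.
    rpm exits non-zero when anything differs, so the exit code is not checked."""
    proc = subprocess.run(["rpm", "-V", *packages],
                          capture_output=True, text=True, check=False)
    return parse_rpm_verify(proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # verify_packages(["rpm", "fileutils", "e2fsprogs"]) on a real RPM system.
    for entry in parse_rpm_verify(SAMPLE_OUTPUT):
        state = "MISSING" if entry["missing"] else ", ".join(entry["changed"]) or "-"
        print(f"{entry['path']:45} {state}")
    print("look closer at:", suspicious_files(parse_rpm_verify(SAMPLE_OUTPUT)))
```

Treat the output as a triage list rather than proof of integrity: as the post notes, the comparison is only as trustworthy as the rpm database and the rpm binary doing the comparing, so verify those first (or from boot media) before trusting the rest of the report.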