On Tue, Dec 17, 2002 at 10:28:40PM -0600, Chad Skinner wrote:
> I don't know about the RHCE, but I personally don't know the MD5sums
> or filesizes for every binary on my system.

Don't need to.  Even if you're not running tripwire, if you've a good
backup of the system and a 'safe cache' of key commands available to you,
the combination of chkrootkit + modification times will give you the
base to ferret out changed objects.

> Seems common knowledge, or at least a common answer on the list,
> that rebuilding a compromised box is the safest method to ensure that
> all replaced binaries are restored.

That's effectively because, unless you have a deep understanding of all
the ways a Unix--er, Linux--system can be perverted and what's really
installed everywhere, that's the simplest thing to tell someone.
Un-rootkitting a system is 30% preparation, 50% knowledge, and 20% art.

> This is a lack of knowledge question, but why would you assume chattr has
> been replaced and not rm?

I wouldn't!

Cheers,
-- 
        Dave Ihnat
        [EMAIL PROTECTED]
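As an added illustration (not part of Dave's message or anything else in this thread), here is one shell-level way to do what he describes: run from a trusted toolset and compare a live tree against a known-good backup by checksum and modification time. The safe-cache path, the directory layout and the status labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread: compare a live tree against a
# known-good backup and flag objects whose content or mtime differs.
# Assumption: a 'safe cache' of trusted binaries (find, cksum, test, printf)
# is mounted read-only at $SAFE_BIN; /mnt/safebin is a hypothetical path.
SAFE_BIN="${SAFE_BIN:-/mnt/safebin}"
PATH="$SAFE_BIN:$PATH"; export PATH   # trusted copies win over possibly trojaned ones

# find_changed_objects BACKUP LIVE
# Walks the backup tree (so deletions are caught too) and prints one line per
# differing object, STATUS<TAB>relative-path, where STATUS is one of:
#   MISSING  present in the backup, gone from the live system
#   CONTENT  checksum differs (replaced or patched binary)
#   MTIME    same content but different timestamp (touched, or restored by hand)
# Returns 0 when the trees match, 1 when anything differs.
find_changed_objects() {
    backup="$1"; live="$2"
    out=$(find "$backup" -type f | while IFS= read -r src; do
        rel="${src#"$backup"}"
        dst="$live$rel"
        if [ ! -f "$dst" ]; then
            printf 'MISSING\t%s\n' "$rel"
            continue
        fi
        # cksum is POSIX; substitute sha256sum if the safe cache provides it,
        # since CRC32 alone is not collision-resistant against a deliberate attacker.
        if [ "$(cksum < "$src")" != "$(cksum < "$dst")" ]; then
            printf 'CONTENT\t%s\n' "$rel"
        elif [ "$dst" -nt "$src" ] || [ "$dst" -ot "$src" ]; then
            printf 'MTIME\t%s\n' "$rel"
        fi
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}
```

Run it as `find_changed_objects /mnt/backup / | sort` and treat every CONTENT line as a candidate for restoration from the backup; MTIME-only lines are worth a second look because an intruder who overwrote a file and then reset its timestamp still leaves the content mismatch, while a changed timestamp on identical content usually means someone touched the file.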

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list