On Tue, Dec 17, 2002 at 10:28:40PM -0600, Chad Skinner wrote:
> I don't know about the RHCE, but I personally don't know the MD5sums
> or filesizes for every binary on my system.

Don't need to. Even if you're not running tripwire, if you've a good backup of the system and a 'safe cache' of key commands available to you, the combination of chkrootkit + modification times will give you the base to ferret out changed objects.

> Seems common knowledge, or at least a common answer on the list,
> that rebuilding a compromised box is the safest method to ensure that
> all replaced binaries are restored.

That's effectively because, unless you have a deep understanding of all the ways a Unix--er, Linux--system can be perverted and what's really installed everywhere, that's the simplest thing to tell someone. Un-rootkitting a system is 30% preparation, 50% knowledge, and 20% art.

> This is a lack of knowledge question, but why would you assume chattr has
> been replaced and not rm?

I wouldn't!

Cheers,
-- 
Dave Ihnat
[EMAIL PROTECTED]
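
One way to do the backup-plus-modification-times comparison described in the reply above, as an added example that is not part of the original message. It assumes the known-good backup has been restored to a directory with timestamps preserved; the names `changed_objects`, `SAFE_PATH` and `demo`, and the sample files, are constructed for illustration.

```shell
#!/bin/sh
# Added example. changed_objects, SAFE_PATH and demo are hypothetical names.
# SAFE_PATH: directory holding the trusted copies of find/sort/cmp (the
# "safe cache"); falls back to the normal PATH here so the demo can run.
# Both arguments must be absolute paths.
changed_objects() (
    backup_root=$1
    live_root=$2
    PATH=${SAFE_PATH:-$PATH}; export PATH
    cd "$backup_root" || exit 2
    find . -type f | sort | while IFS= read -r rel; do
        name=${rel#./}
        live=$live_root/$name
        if [ ! -f "$live" ]; then
            echo "MISSING $name"
        elif ! cmp -s "$rel" "$live"; then
            # Content is checked first: an mtime can be reset, bytes cannot.
            echo "CONTENT $name"
        elif [ -n "$(find "$live" -newer "$rel")" ]; then
            echo "MTIME $name"
        fi
    done
    cd "$live_root" || exit 2
    find . -type f | sort | while IFS= read -r rel; do
        [ -e "$backup_root/${rel#./}" ] || echo "ADDED ${rel#./}"
    done
)

# Constructed sample trees: a "backup" and a "live" copy with four differences.
demo() {
    b=$(mktemp -d); l=$(mktemp -d)
    mkdir "$b/bin" "$l/bin"
    for f in ls ps rm su; do echo "$f v1" > "$b/bin/$f"; done
    touch -t 200201010000 "$b"/bin/*
    cp -p "$b/bin/ls" "$b/bin/su" "$l/bin/"   # unchanged, mtimes preserved
    echo "ps modified" > "$l/bin/ps"          # replaced file
    touch -t 200212170000 "$l/bin/su"         # same bytes, newer mtime
    echo x > "$l/bin/.hidden"                 # file the backup never had
    changed_objects "$b" "$l"                 # bin/rm is absent from live
    rm -rf "$b" "$l"
}

demo
```
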