> Once upon a time, [EMAIL PROTECTED] wrote :
>> There's also the Lyon (or Lion) worm that came after Ramen.
>> You can download chkrootkit from www.chkrootkit.org to test for them
>> (it's also useful to learn some security things).
>> Best regards
>>
>> Miguel Dilaj
>
> The only rootkitted machine I've encountered so far was infected with
> the "t0rn" kit, so I don't know whether the Lion or Ramen worm are more
> intelligent, but this one did not compromise nor change anything in the
> rpm database.
> A simple "rpm -Va" reported many file changes on binaries like "ps" and
> others ;-)
>
> As often, rpm is your friend! ;-)))
>
> Matthias
Well, I guess you realise this, but I'd guess the t0rn kit means
someone hacked in - not a worm.
I had this on a few computers before reinstalling them. I even
still have the IP addresses and telnet packets they sent fully
logged, but that was almost a year ago when it happened.
They ftp'd the t0rn kit onto my computers and then proceeded to
hack about with it and install trojans and listening sockets.
This was what first made me set up a firewall back on 6.2 :-)
"rpm -Va" is 99% OK - but in a few cases it will not tell you
everything:
If you don't have EVERYTHING using rpm,
OR
of course config files may also be changed by the hackers after
you have changed them.
-Cheers
-Andrew
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
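
The two gaps Andrew lists for "rpm -Va" (files rpm does not own, and config files that already differ from the package), as an added example that is not part of the original thread. The function names `sample_rpm_va`, `triage_rpm_va` and `unowned_files` are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample of `rpm -Va` output; not taken from a real host.
sample_rpm_va() {
    cat <<'EOF'
S.5....T   /bin/ps
S.5....T   /bin/netstat
S.5....T c /etc/inetd.conf
.......T c /etc/hosts.allow
missing    /usr/bin/md5sum
.M......   /var/log/wtmp
EOF
}

# Read `rpm -Va` output on stdin and print "<KIND> <path>" per entry:
#   TAMPER   digest ("5" in column 3) changed on a non-config file
#   MISSING  packaged file is gone
#   CONFIG   config file differs; rpm cannot tell your edit from an
#            intruder's, so compare it by hand
#   META     only size, mode, owner or mtime differ
triage_rpm_va() {
    awk '
    NF < 2 || !match($0, "/") { next }
    {
        path = substr($0, RSTART)            # keeps paths with spaces
        attr = ($2 ~ /^[cdglr]$/) ? $2 : ""  # "c" marks a config file
        if ($1 == "missing")               kind = "MISSING"
        else if (attr == "c")              kind = "CONFIG"
        else if (substr($1, 3, 1) == "5")  kind = "TAMPER"
        else                               kind = "META"
        print kind, path
    }'
}

# Print regular files under the given directories that no package owns;
# `rpm -qf` exits non-zero for a file absent from the rpm database.
unowned_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f | while IFS= read -r f; do
            rpm -qf "$f" >/dev/null 2>&1 || printf 'UNOWNED %s\n' "$f"
        done
    done
}

# Demo on the constructed sample. On a real host:
#   rpm -Va | triage_rpm_va; unowned_files /bin /sbin /usr/bin /usr/sbin
sample_rpm_va | triage_rpm_va
```

Both checks trust the local rpm binary and database, which the t0rn kit described in this thread left alone but which an intruder with root could alter.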