On Thu, 24 Feb 2005 12:12:27 +1100, Mike MacCana
<[EMAIL PROTECTED]> wrote:
> > why do you trust the back up of the RPM database?
> 
> Because it's on a CDR, and you've made one each week, hopefully from a
> date before your machine got attacked.

OK, you would be right on this if you could trust the CD (e.g. get it
from another site which you trust, but not from your own machine which
you don't know when it was hacked).

> 
> Just like tripwire (but recording more stuff).

That's a shortcoming of tripwire as well - unless you can compare
to data you can 100% trust (i.e. that didn't have a window of opportunity
to be hacked before you burned the checksums).

BTW - I keep being surprised to hear even security experts advise to run
"chkrootkit" (and I'm not a security expert or a paranoid user/admin) - if a
machine was hacked then there is a good chance that "chkrootkit" would
also be hacked to disguise the rootkit, wouldn't it?  (it's not far-fetched -
see viruses attacking anti-virus programs).

Cheers,

--Amos
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
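
The baseline-trust point discussed in this message, as an added example that is not part of the original post: verifying the current file digests against each weekly baseline shows that a disc burned after the compromise reports nothing wrong. The paths, dates, and byte strings are constructed sample data, and the compromise date is an assumption.

```python
import hashlib
from datetime import date

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def modified_paths(baseline: dict, current: dict) -> list:
    """Paths whose digest differs from, or is absent in, the baseline."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def change_window(snapshots: list, path: str):
    """Bracket when `path` first changed across dated snapshots.

    Returns (last_snapshot_with_original, first_snapshot_with_change),
    or None if every snapshot agrees with the oldest one.
    """
    ordered = sorted(snapshots, key=lambda s: s[0])
    original = ordered[0][1].get(path)
    previous = ordered[0][0]
    for taken, manifest in ordered[1:]:
        if manifest.get(path) != original:
            return (previous, taken)
        previous = taken
    return None

# Constructed sample data: file contents are stand-in byte strings.
GOOD = {"/bin/ps": sha256(b"ps-original"),
        "/usr/sbin/chkrootkit": sha256(b"chkrootkit-original")}
BAD = {"/bin/ps": sha256(b"ps-replaced"),
       "/usr/sbin/chkrootkit": sha256(b"chkrootkit-replaced")}

# Weekly manifests; the (assumed) compromise falls between 13 and 20 Feb,
# so the 20 Feb disc faithfully records the replaced binaries.
SNAPSHOTS = [
    (date(2005, 2, 6), dict(GOOD)),
    (date(2005, 2, 13), dict(GOOD)),
    (date(2005, 2, 20), dict(BAD)),
]
CURRENT = dict(BAD)  # state of the machine on 24 Feb

def report(snapshots=SNAPSHOTS, current=CURRENT) -> dict:
    """Result of verifying the current state against each weekly disc."""
    return {taken: modified_paths(m, current) for taken, m in snapshots}

if __name__ == "__main__":
    for taken, changed in report().items():
        print(taken, "->", changed or "no differences reported")
    print("change window:", change_window(SNAPSHOTS, "/bin/ps"))
```

Only the discs from before the change window flag the replaced binaries, and the comparison itself has to run from media and tools that were never writable by the suspect machine.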