From: Bruce Ferrell <bferrell@baywinds.org>
To: Glynn Clements <glynn.clements@virgin.net>
Cc: urgrue@tumsan.fi, admin <linux-admin@vger.kernel.org>
Subject: Re: hacked
Date: Wed, 12 Jun 2002 19:09:41 -0700
Message-ID: <3D07FEE5.6020202@baywinds.org>
In-Reply-To: <15623.31169.357484.601115@cerise.nosuchdomain.co.uk>

Agreed, it will only tell you if executables (and/or libraries) have
been modified. That's what vsl is for... it hunts down those nasty
hidden things (directories etc.)... if they're part of a known
rootkit... (Big if, I know).

In general, my experience is that when someone hacks in, they tend to
install rootkits to maintain their foothold. Between rpm -Va and a
rootkit search, it's generally possible, in the real world, to have a
reasonable assurance of a clean system.

Tripwire won't tell you if something you're not watching has changed. It
won't tell you if a file has been added either. It can only tell you if
something you have under surveillance has changed.

Sometimes a complete re-install just isn't feasible, no matter how desirable.

Can we move on now?

Glynn Clements wrote:
> Bruce Ferrell wrote:
>
>> search google for vsl and vetes
>>
>> You'll find a link to a pretty nice kit for locating rootkits and the like.
>> You don't mention what distro your system is. Hate to say it but if
>> it's RPM based, you can use the -V option to verify every stinking file
>> on the system if necessary
>
> But "rpm -V" suffers from the same problem as re-installing the OS
> onto an existing filesystem. It will tell you if any of the files
> which were installed from the RPM have changed, but it won't tell you
> if a new file has been added.
>
> IOW, just because "rpm -Va" doesn't find any problems, that doesn't
> mean that you're safe.
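The gap both posters describe, that "rpm -Va" and Tripwire only report on files they already know about, can be closed from the other direction: take the set of files actually on disk and subtract the set of files that the package database claims. What is left is either local configuration, or something somebody added. The script below is an added example for this page, not something from the thread or from any rootkit-checking kit; the function names find_unowned and audit_unowned, and the sample tree built in the usage comment, are this example's own inventions. It assumes an RPM-based host where "rpm -qal" prints every path belonging to every installed package, and standard find(1), sort(1) and comm(1).

```shell
#!/bin/sh
# Added example: list files that no RPM package owns.
# "rpm -Va" only verifies files that came out of a package, so a binary an
# intruder drops into /usr/bin never shows up there. This takes the set
# difference between what is on disk and what the RPM database lists.

# find_unowned TREE MANIFEST
#   TREE:     directory to walk (e.g. /usr/bin)
#   MANIFEST: file with one absolute path per line, the union of all
#             package file lists (what "rpm -qal" prints on a real host)
# Prints every regular file or symlink under TREE that is not in MANIFEST.
find_unowned() {
    tree=$1
    manifest=$2
    tmp_disk=$(mktemp) || return 1
    tmp_pkg=$(mktemp) || { rm -f "$tmp_disk"; return 1; }
    # Walk without following symlinks; comm(1) needs both inputs sorted
    # in the same (C) collation order.
    find "$tree" \( -type f -o -type l \) -print | LC_ALL=C sort -u > "$tmp_disk"
    LC_ALL=C sort -u "$manifest" > "$tmp_pkg"
    # comm -23: lines present only in the first file, i.e. on disk but
    # claimed by no package. Lines in the manifest that are not paths
    # (rpm prints "(contains no files)" for empty packages) never match.
    LC_ALL=C comm -23 "$tmp_disk" "$tmp_pkg"
    rm -f "$tmp_disk" "$tmp_pkg"
}

# audit_unowned TREE...
#   Wrapper for a live RPM host: builds the manifest from the RPM database
#   once, then runs find_unowned over each tree given.
#   Usage: audit_unowned /bin /sbin /usr/bin /usr/sbin /lib /usr/lib
audit_unowned() {
    manifest=$(mktemp) || return 1
    if ! rpm -qal > "$manifest" 2>/dev/null; then
        echo "rpm -qal failed; is this an RPM-based system?" >&2
        rm -f "$manifest"
        return 1
    fi
    for tree in "$@"; do
        find_unowned "$tree" "$manifest"
    done
    rm -f "$manifest"
}
```

Two caveats a practitioner would want. First, this inherits the same trust problem as "rpm -Va": if the box has a kernel-level or trojaned-find rootkit, the listing itself lies, so run it from a rescue boot against the mounted root (pass the mount point prefix through the manifest with sed, or chroot first). Second, the RPM database is just a file under /var/lib/rpm and an intruder can re-sign or reinstall packages to make it match; for real assurance, generate the manifest with "rpm -qal" on a clean reference install of the same release and compare against that instead of the suspect host's own database.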
Thread overview (12+ messages):
2002-06-12 11:51 hacked urgrue
2002-06-12 13:36 ` hacked Glynn Clements
2002-06-12 13:40 ` hacked urgrue
2002-06-12 15:20 ` hacked Bruce Ferrell
2002-06-12 16:41 ` hacked Glynn Clements
2002-06-12 20:28 ` hacked fred orispaa
2002-06-13 2:09 ` Bruce Ferrell [this message]
2002-06-13 2:19 ` hacked Gary E. Miller
2002-06-13 11:46 ` hacked Glynn Clements
2002-06-13 19:06 ` hacked Gary E. Miller
2002-06-17 21:26 ` hacked Ionut Murgoci