From mboxrd@z Thu Jan 1 00:00:00 1970
From: Bruce Ferrell
Subject: Re: hacked
Date: Wed, 12 Jun 2002 19:09:41 -0700
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <3D07FEE5.6020202@baywinds.org>
References: <20020612115141.GA1599@fede2.tumsan.fi> <15623.20073.595822.36388@cerise.nosuchdomain.co.uk> <20020612134023.GA2115@fede2.tumsan.fi> <3D0766B3.30006@baywinds.org> <15623.31169.357484.601115@cerise.nosuchdomain.co.uk>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
List-Id:
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Glynn Clements
Cc: urgrue@tumsan.fi, admin

Agreed, it will only tell you if executables (and/or libraries) have been modified. That's what vsl is for... it hunts down those nasty hidden things (directories etc.)... if they're part of a known rootkit... (Big if, I know).

In general, my experience is that when someone hacks in, they tend to install rootkits to maintain their foothold. Between RPM -Va and a rootkit search, it's generally possible, in the real world, to have a reasonable assurance of a clean system.

Tripwire won't tell you if something you're not watching has changed. It won't tell you if a file has been added either. It can only tell you if something you have under surveillance has changed.

Sometimes a complete re-install just isn't feasible, no matter how desirable.

Can we move on now?

Glynn Clements wrote:
> Bruce Ferrell wrote:
>
>> search google for vsl and vetes
>>
>> You find a link to a pretty nice kit for locating rootkits and the like.
>> You don't mention what distro your system is. Hate to say it but if
>> it's RPM based, you can use the -V option to verify every stinking file
>> on the system if necessary
>
> But "rpm -V" suffers from the same problem as re-installing the OS
> onto an existing filesystem. It will tell you if any of the files
> which were installed from the RPM have changed, but it won't tell you
> if a new file has been added.
>
> IOW, just because "rpm -Va" doesn't find any problems, that doesn't
> mean that you're safe.
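The gap the thread is circling (a verifier that only reports on files a package manifest or watch list already knows about) is closed by keeping a full baseline manifest of the tree and diffing the live filesystem against it, so additions and deletions surface alongside modifications. This is an added example, not code from this thread or from vsl, Tripwire or rpm; the `owned` set stands in for what a package database would list, and the file tree is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every regular file below root (relative path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash real files only, never a symlink's target
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def compare(baseline, current):
    """Return (added, removed, modified) of the live tree relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def unowned(current, owned):
    """Files on disk that no package manifest claims: the files 'rpm -Va' never looks at."""
    return sorted(set(current) - set(owned))

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: packaged files, then a tampered binary, an extra file, a deleted config."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("bin/ls", b"ls v1"), ("bin/ps", b"ps v1"), ("etc/motd", b"hi")):
            _write(root, rel, data)
        baseline = snapshot(root)
        owned = set(baseline)                    # stands in for the package database's file list
        _write(root, "bin/ps", b"ps trojaned")   # modified: a package verify would catch this
        _write(root, "bin/.hidden", b"extra")    # added: a package verify would not
        os.remove(os.path.join(root, "etc/motd"))
        current = snapshot(root)
        added, removed, modified = compare(baseline, current)
        return added, removed, modified, unowned(current, owned)
```

Store the baseline manifest off-host (or on read-only media), since a baseline kept on the compromised machine can be edited along with everything else.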