From: Bruce Ferrell <bferrell@baywinds.org>
To: Glynn Clements <glynn.clements@virgin.net>
Cc: urgrue@tumsan.fi, admin <linux-admin@vger.kernel.org>
Subject: Re: hacked
Date: Wed, 12 Jun 2002 19:09:41 -0700
Message-ID: <3D07FEE5.6020202@baywinds.org>
In-Reply-To: 15623.31169.357484.601115@cerise.nosuchdomain.co.uk

Agreed, it will only tell you if executables (and/or libraries) have
been modified. That's what vsl is for... it hunts down those nasty
hidden things (directories etc.)... if they're part of a known
rootkit... (Big if, I know).
In general, my experience is that when someone hacks in, they tend to
install rootkits to maintain their foothold. Between RPM -Va and a
rootkit search, it's generally possible, in the real world, to have a
reasonable assurance of a clean system.
Tripwire won't tell you if something you're not watching has changed. It
won't tell you if a file has been added either. It can only tell you if
something you have under surveillance has changed.
Sometimes a complete re-install just isn't feasible, no matter how desirable.
Can we move on now?
Glynn Clements wrote:
> Bruce Ferrell wrote:
>
>
>>search google for vsl and vetes
>>
>>You'll find a link to a pretty nice kit for locating rootkits and the like.
>>You don't mention what distro your system is. Hate to say it but if
>>it's RPM based, you can use the -V option to verify every stinking file
>>on the system if necessary
>>
>
> But "rpm -V" suffers from the same problem as re-installing the OS
> onto an existing filesystem. It will tell you if any of the files
> which were installed from the RPM have changed, but it won't tell you
> if a new file has been added.
>
> IOW, just because "rpm -Va" doesn't find any problems, that doesn't
> mean that you're safe.
>
>
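As an added example, not code from the thread or from any of the tools it names: a small POSIX shell baseline check that makes the point above concrete. verify_known re-hashes only the files a baseline already lists, which is the same model as "rpm -Va" or a Tripwire database, so a file dropped in after the baseline was taken can never show up there; find_added lists the files the baseline has no record of. The directory tree, file names and contents are constructed for the demo, and the script assumes a Linux shell with GNU coreutils sha256sum (paths containing spaces are not handled).

```shell
#!/bin/sh
# Added example (not from the thread): baseline/verify check showing why a
# "known files only" verifier cannot report added files.

# Record the sha256 of every regular file under $1 into baseline file $2.
# Each line looks like "<64 hex chars>  ./relative/path".
make_baseline() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done ) > "$2"
}

# Re-hash each file the baseline knows about and report the ones that
# changed.  This is the rpm -Va / Tripwire model: only files already on
# the list are ever looked at.
verify_known() {
    while read -r sum f; do
        cur=$( cd "$1" && sha256sum "$f" 2>/dev/null | cut -d' ' -f1 )
        [ "$cur" = "$sum" ] || echo "CHANGED $f"
    done < "$2"
}

# Report files present under $1 now that baseline $2 has no record of.
# The path starts at column 67 of each baseline line (64 hex + 2 spaces).
find_added() {
    cut -c67- "$2" | LC_ALL=C sort > "$2.paths"
    ( cd "$1" && find . -type f | LC_ALL=C sort ) \
        | LC_ALL=C comm -13 "$2.paths" - | sed 's/^/ADDED /'
    rm -f "$2.paths"
}

# Constructed scenario: take a baseline of a two-file tree, then replace
# one file that the baseline knows and add one file that it does not.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/sys/bin" "$work/sys/lib"
    printf 'original binary\n'  > "$work/sys/bin/tool"
    printf 'original library\n' > "$work/sys/lib/libdemo.so"
    make_baseline "$work/sys" "$work/baseline"

    printf 'replaced binary\n'    > "$work/sys/bin/tool"      # modified, known
    printf 'not in any package\n' > "$work/sys/lib/extra.so"  # added, unknown

    echo "--- verify_known (rpm -Va style) ---"
    verify_known "$work/sys" "$work/baseline"     # reports only bin/tool
    echo "--- find_added ---"
    find_added "$work/sys" "$work/baseline"       # reports lib/extra.so
    rm -rf "$work"
}

# Run the demo when executed directly.
[ "${0##*/}" = "sh" ] || demo
```

The two passes answer different questions. verify_known is the check that "rpm -Va" or Tripwire gives you, and a clean result from it means only that nothing on the list changed; find_added is the extra pass needed to see the new file, which in practice means comparing the filesystem against the package database (for RPM systems, asking which package owns each file) or against a full baseline of every path, not just the packaged ones.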